TaskFreak 0.6.2 SQL Injection Vulnerability

30 November -0001

CVE-2010-1583

Description of Vulnerability:

The Tirzen Framework (http://www.tirzen.net/tzn/) is a supporting API developed by Tirzen (http://www.tirzen.com), an intranet and internet solutions provider. The Tirzen Framework contains a SQL injection vulnerability (http://www.owasp.org/index.php/SQL_Injection). This vulnerability could allow an attacker to arbitrarily manipulate SQL strings constructed using the library. This vulnerability manifests itself most notably in the Task Freak (http://www.taskfreak.com/) open source task management software. The vulnerability can be exploited to bypass authentication and gain administrative access to the Task Freak system.

Systems affected:

Task Freak Multi User / mySQL v0.6.2 with Tirzen Framework 1.5 was tested and shown to be vulnerable.

Impact

Attackers could manipulate database query strings resulting in information disclosure, data destruction, credential disclosure, cross site scripting, XSRF and authentication bypass.

Technical discussion and proof of concept:

Tirzen Framework class TznDbConnection in the function loadByKey() (tzn_mysql.php line 605) manifests a SQL injection vulnerability because it fails to sanitize user supplied input used to compose SQL statements.

Proof of concept: any user can log into TaskFreak as the administrator simply by using the username "1' or 1='1"

Vendor response:

Upgrade to the latest version of TaskFreak.