3/27/2023 0 Comments Zoiper connection error 102![]() ![]() ![]() At this point the transaction ID was fully controlled by the user. The transaction ID was being generated on the server side, but after that it was outputted to the user to be supplied in the consequent payment request to the bank. Using a simple OWASP ZAP proxy we were able to identify where exactly the injection happens. When we got the same error in 2019, we decided to collect more information and involve the local GDPR agency - Asmens Duomenu Inspekcija (ADA). That indicated that the fix in 2017 landed in some other file, or nothing was fixed at all. The error mentioned the same code line as in 2017: hbstatus.php line 204 and hbstatus.php on line 274 ![]() The user experience was poor, but in the end the service did it's job: the softphone worked, and you only needed the web once or twice a year to top up. While waiting for the response, we checked the balance - money arrived despite the error. We again saved all the message details and informed Spykas. In 2018 during another top up we got the exact same error. In about 15 minutes money got to the virtual Spykas account. We contacted the support, provided the details: exact error text, bank account number, top up amount, etc. But for others, like professional programmers, there is a smoking gun and "SQL INJECTION" written in all caps. Your money is gone from the bank account, but the service just showed you a meaningless error. VALUES ('xxxxxxxxxxxxxxxxxxxxx')Duplicate entry 'xxxxxxxxxxxxxxxxxxxxx' for keyįor some this error would be just a frustrating user experience. INSERT INTO invoice_number (fk_transaction_id) VK_STAMP in /var/www/spykas_pay/psystems/hanza/hbstatus.php on line 204 Initial report in 2017Īs a regular Spykas users we got an error message during the top up in 2017: Authentication uses standard SIP-MD5 digest authentication. After registering the user can top up the account using a local bank and download a softphone - branded version of Zoiper that contains a unique user SIP password. Spykas has a self service web frontend at, where any user can register (no email verification needed). Spykas is a VoIP brand and B2C service providing Zoiper based softphone. In 2020 it had 2-3 million eur turnover and average salary 2143 eur. NTT - Nacionalinis telekomunikacijų tinklas (National telecommunication network), even though it has "National" word, is a private company in Lithuania that provides internet, IPTV and VoIP services. 10 years old SQL injection in Spykas VoIP provider could allow an authenticated remote attacker to deploy a web shell, leak personal data and use SIP credentials for free calls. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |