Re: sqlinjection bug in nova cms
- From: Henri Salo <henri@xxxxxxx>
- Date: Thu, 16 Feb 2012 17:28:15 +0200
On Sun, Feb 12, 2012 at 05:12:09PM +0000, rezahmail@xxxxxxxxx wrote:
# Exploit Title: XRayCMS 1.1.1 SQL Injection Vulnerability
# Date: 2/12/2012
# Author: Dr.web
# Software Link: http://sourceforge.net/projects/xraycms/files/latest/download
# Version: 1.1.1
# Tested on: Ubuntu
XRay CMS is vulnerable to a SQL Injection attack which allows
authentication bypass into the admins account. If a malicious
user supplies ' or 1=1# into the applications user name field
they will be logged into the applications admin account.
Jan 29, 2012 ? Contacted Vendor No Response
Feb 05, 2012 ? Public Disclosure
Since the vendor did not reply we attempted to create our own
fixes for this issue. The vulnerability exist in ?login2.php?
on lines 20 and 21.
17 if(!isset($_POST['username'])) header("Location: login.php?error_username");
18 if(!isset($_POST['password'])) header("Location: login.php?error_password");
19
20 $user = $_POST['username'];
21 $pass = $_POST['password'];
If the lines 20 and 21 are changed to:
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
This will prevent the sql injection from happening in the user name field.
As I did not receive any emails back from rezahmail@ on how author informed vendor I reported this as https://sourceforge.net/tracker/?func=detail&aid=3488241&group_id=298778&atid=1260461
- Henri Salo
- References:
- sqlinjection bug in nova cms
- From: rezahmail
- sqlinjection bug in nova cms
- Prev by Date: [PRE-SA-2012-01] Denial-of-service vulnerability in java.util.zip
- Next by Date: Hackito Ergo sum // HES2012 Final CFP // Call for Hackers
- Previous by thread: sqlinjection bug in nova cms
- Next by thread: [ MDVSA-2012:017 ] firefox
- Index(es):
Relevant Pages
|
