lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 22 Jan 2007 23:36:26 +0100
From: "Rolf Huisman" <r.l.r.huisman@...e.nl>
To: <bugtraq@...urityfocus.com>
Subject: SQL Injection by using Cookie Poisoning for Website Baker Version 2.6.5 and before

Website Baker Version 2.6.5 and before contains a SQL injection.
This can be exploited by using Cookie Poisoning

Manufacturer was notified, but want to ignore the request pending release version 3.0

Poison the cookie for the login page with the REMEMBER_KEY variable with a standard sql injection ('; <Insert Your SQL Statment here> --)

Failing function is in class.login.php 
      // Function to check if a user has been remembered
      function is_remembered() {
            if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') {
                  // Check if the remember key is correct
                  $database = new database();
                  $check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1");

This function is called by the login screen, hence the vulnerability.
When changing the user table... Free admin login :P

HotFix: 
Change $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1"); 
into 
$database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".addslashes($_COOKIE['REMEMBER_KEY'])."' LIMIT 1");

$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr($_COOKIE['REMEMBER_KEY'], 0, 11)."' LIMIT 1"); 
into
$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr(addslashes($_COOKIE['REMEMBER_KEY']), 0, 11)."' LIMIT 1"); 

With Regards

Rolf Huisman


Powered by blists - more mailing lists