lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Feb 2012 17:12:09 GMT
From: rezahmail@...il.com
To: bugtraq@...urityfocus.com
Subject: sqlinjection bug in nova cms

# Exploit Title: XRayCMS 1.1.1 SQL Injection Vulnerability
# Date: 2/12/2012
# Author: Dr.web
# Software Link: http://sourceforge.net/projects/xraycms/files/latest/download
# Version: 1.1.1
# Tested on: Ubuntu
XRay CMS is vulnerable to a SQL Injection attack which allows
authentication bypass into the admins account. If a malicious
user supplies ' or 1=1# into the applications user name field
they will be logged into the applications admin account.
Jan 29, 2012 – Contacted Vendor No Response
Feb 05, 2012 – Public Disclosure
Since the vendor did not reply we attempted to create our own
fixes for this issue. The vulnerability exist in “login2.php”
on lines 20 and 21.
17  if(!isset($_POST['username'])) header("Location: login.php?error_username");
18  if(!isset($_POST['password'])) header("Location: login.php?error_password");
19
20  $user = $_POST['username'];
21  $pass = $_POST['password'];
If the lines 20 and 21 are changed to:
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
This will prevent the sql injection from happening in the user name field.

Powered by blists - more mailing lists