Open Source and information security mailing list archives
 
Date: Thu, 16 Feb 2012 17:28:15 +0200
From: Henri Salo <henri@...v.fi>
To: bugtraq@...urityfocus.com
Cc: rezahmail@...il.com
Subject: Re: sqlinjection bug in nova cms

On Sun, Feb 12, 2012 at 05:12:09PM +0000, rezahmail@...il.com wrote:
> # Exploit Title: XRayCMS 1.1.1 SQL Injection Vulnerability
> # Date: 2/12/2012
> # Author: Dr.web
> # Software Link: http://sourceforge.net/projects/xraycms/files/latest/download
> # Version: 1.1.1
> # Tested on: Ubuntu
> XRay CMS is vulnerable to a SQL Injection attack which allows
> authentication bypass into the admin's account. If a malicious
> user supplies ' or 1=1# into the application's user name field
> they will be logged into the application's admin account.
> Jan 29, 2012 - Contacted Vendor No Response
> Feb 05, 2012 - Public Disclosure
> Since the vendor did not reply we attempted to create our own
> fixes for this issue. The vulnerability exists in "login2.php"
> on lines 20 and 21.
> 17  if(!isset($_POST['username'])) header("Location: login.php?error_username");
> 18  if(!isset($_POST['password'])) header("Location: login.php?error_password");
> 19
> 20  $user = $_POST['username'];
> 21  $pass = $_POST['password'];
> If the lines 20 and 21 are changed to:
> $user = mysql_real_escape_string($_POST['username']);
> $pass = mysql_real_escape_string($_POST['password']);
> This will prevent the sql injection from happening in the user name field.

As I did not receive any emails back from rezahmail@ on how the author informed the vendor, I reported this as https://sourceforge.net/tracker/?func=detail&aid=3488241&group_id=298778&atid=1260461

- Henri Salo
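
Added example, not part of this thread and not XRayCMS code: a login check that binds the user name as a query parameter instead of escaping it, run against the input string quoted in the advisory. The table and column names, the redirect targets other than login.php?error_username and login.php?error_password, and the in-memory SQLite database standing in for the application's MySQL database are assumptions.

```php
<?php
// Added example, not XRayCMS code. Table and column names are assumptions.
declare(strict_types=1);

// Constructed fixture: in-memory SQLite stands in for the application's MySQL database.
function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $pdo;
}

// The user name travels as a bound parameter, so quotes and comment
// markers in it are treated as data and never become part of the SQL text.
function check_login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    // The password is verified in PHP against a stored hash, not compared inside the query.
    return is_string($hash) && password_verify($pass, $hash);
}

// Returns the redirect target. The caller sends it with header() and then calls exit,
// because header() alone (as on lines 17 and 18 of the quoted code) does not stop the script.
function login_redirect(PDO $pdo, array $post): string {
    if (!isset($post['username']) || !is_string($post['username'])) return 'login.php?error_username';
    if (!isset($post['password']) || !is_string($post['password'])) return 'login.php?error_password';
    return check_login($pdo, $post['username'], $post['password'])
        ? 'index.php'               // hypothetical post-login page
        : 'login.php?error_login';  // hypothetical error flag
}

// Constructed sample requests: the string from the advisory, a valid login, a missing field.
$pdo = make_demo_db();
$cases = [
    ['username' => "' or 1=1#", 'password' => 'x'],
    ['username' => 'admin', 'password' => 'constructed-demo-password'],
    ['username' => 'admin'],
];
foreach ($cases as $post) {
    echo json_encode($post), ' => ', login_redirect($pdo, $post), PHP_EOL;
}
```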
