Message-ID: <000f01c45fcd$b8d137f0$6400000a@UTServer>
From: Bug at thelostsite.co.uk (Manip)
Subject: Centre 1.0 PHP injection, bypass authentication + possible SQL injection.
Summary: The Miller Group, Inc. [www.miller-group.net] announces the release
of Centre, a free student information system for public and non-public
schools. Centre is a web-based, open source, student management product with
features that include scheduling, grade book, attendance, eligibility,
transcripts, and more. And, of course, student and employee information
screens are critical components of Centre.
Version: 1.0
Exploit: Centre does not check that a user is logged in and has sufficient
permissions to perform admin tasks. An example of this can be seen when
attempting to create a new account:
http://demo.miller-group.net/index.php?modfunc=create_account&staff&username=admin&staff_id=new
However, this problem exists at almost every level within the software.
User data is also poorly checked when it is passed in, which could lead to
SQL injection problems. There is a more serious problem within modules.php:
there is no checking on the path of the module, which could lead to PHP
injection.
Modules.php?modname=../../../MyCode/Stuff.php
Fix: Disable Centre until an update is released (the problems are too
extensive).
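
The two checks the advisory finds missing, sketched as an added example
(not part of the original post and not Centre's code): a session and role
check made before dispatch, and a modname resolver that refuses any path
leaving the modules directory. Function names, session keys and the
directory layout are assumptions.

```php
<?php
// Added example, not Centre's code. Function names, the 'staff_id' and
// 'profile' session keys, and the module layout are assumptions. POSIX paths.
declare(strict_types=1);

/** Map a user-supplied modname to a .php file under $modulesDir, or null. */
function resolve_module(string $modulesDir, string $modname): ?string
{
    // realpath() collapses "../" and symlinks; false means "does not exist".
    $base = realpath($modulesDir);
    $path = strpos($modname, "\0") === false ? realpath($modulesDir . '/' . $modname) : false;
    if ($base === false || $path === false) {
        return null;
    }
    // The canonical path must still sit inside the modules directory.
    if (strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return (is_file($path) && substr($path, -4) === '.php') ? $path : null;
}

/** Check login, then the path, then the role, before anything is included. */
function dispatch(string $modulesDir, array $session, string $modname, array $adminModules): string
{
    if (empty($session['staff_id'])) {
        return 'denied: not logged in';
    }
    $path = resolve_module($modulesDir, $modname);
    if ($path === null) {
        return 'denied: unknown module';
    }
    $rel = substr($path, strlen((string) realpath($modulesDir)) + 1);
    if (in_array($rel, $adminModules, true) && ($session['profile'] ?? '') !== 'admin') {
        return 'denied: admin only';
    }
    return 'ok: ' . $rel; // real code would `require $path;` here
}

// Constructed demo tree: modules/Users/AddUser.php, plus MyCode/Stuff.php outside it.
$root = sys_get_temp_dir() . '/centre_demo_' . getmypid();
foreach (['modules/Users/AddUser.php', 'MyCode/Stuff.php'] as $f) {
    @mkdir(dirname("$root/$f"), 0700, true);
    file_put_contents("$root/$f", "<?php\n");
}
$admin = ['staff_id' => 1, 'profile' => 'admin'];
foreach ([[[], 'Users/AddUser.php'], [['staff_id' => 7, 'profile' => 'teacher'], 'Users/AddUser.php'],
          [$admin, 'Users/AddUser.php'], [$admin, '../MyCode/Stuff.php']] as [$s, $m]) {
    echo $m, ' => ', dispatch("$root/modules", $s, $m, ['Users/AddUser.php']), "\n";
}
```

Only the logged-in admin request for the in-tree module is accepted; the
traversal request is rejected even for an admin session.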