'[SVadvisory] - SQL injection in OpenBook 1.2.2'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    [SVadvisory] - SQL injection in OpenBook 1.2.2
From:       svt () svt ! nukleon ! us
Date:       2005-07-30 21:09:51
Message-ID: 20050730210951.12767.qmail () securityfocus ! com
[Download RAW message or body]

SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Title: SQl injection                    
Product: OpenBook                        
Version: 1.2.2                           
   Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
   function auth_user($userid, $password)
{
	global $HTTP_POST_VARS;
	global $admin_table;

	$userid=$HTTP_POST_VARS['userid'];
	$password=$HTTP_POST_VARS['password'];

	db_connect();

	$query="SELECT userid "
					."FROM $admin_table "
					."WHERE userid='$userid' AND password=password('$password')";
	$result=mysql_query($query);

	if(!mysql_num_rows($result))
	// no matches
	{
		return 0;
	}
	else
	// match found so return userid
	{
		$query_data=mysql_fetch_array($result);
		return $query_data['userid'];
	}
}// end auth_user()

Variable $userid, $password in admin.php are not checked before premises in SQL \
request, because of this possible produce SQL-injection, after which, any user can \
gain access to admin panels

Here is idle time example substitutions:
-------------------------------
 User ID: admin
Password: no') or 1/*
-------------------------------

Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic