[24357] in bugtraq
AdMentor Login Flaw
Date: 21 Feb 2002 10:25:54 -0000
Message-ID: <20020221102554.31849.qmail@mail.securityfocus.com>
From: Frank <thran60@hotmail.com>
To: bugtraq@securityfocus.com
Regarding : AdMentor v2.11 and earlier
Homepage: http://www.aspcode.net
AdMentor allows any user to log in as admin.
The base path of the login page is usually:
http://www.someserver.com/admentor/admin/admin.asp
Entering ' or ''=' as the Login and ' or ''=' as the Password produces a
syntactically valid query, because the raw input is concatenated straight
into the statement, which becomes:
SELECT row FROM table WHERE login = '' or ''=''
The same happens with the password. Since ''='' is always true, the WHERE
clause matches every row, and the application logs us in as the main admin
without any trouble. The vendor has been warned of the bug, but has not
released a patch yet. Temporary solution: filter the bad characters out of
the input before the query is built, using the following piece of
JavaScript (the regex strips < > " ' % ; ( ) & + - ; the single quote is
the one that matters for this bug, and ~ \ / are not in the regex, so add
them if you want those removed as well):
function RemoveBad(strTemp) {
    // Strip every character that could close the quoted SQL literal or
    // otherwise alter the statement: < > " ' % ; ( ) & + -
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}
And calling it from within the ASP script (JScript):
// Request.QueryString() returns a collection item, not a JS string, so
// convert it before calling .replace(); use Request.Form instead if the
// login form POSTs its fields.
var login    = RemoveBad(String(Request.QueryString("login")));
var password = RemoveBad(String(Request.QueryString("password")));
I am not sure about the correct vars set in the form,
you might want to tweak it just a bit. Haven't drunk my
coffee yet :)
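The three login paths discussed above, side by side, as an added example that is not part of the original post or of AdMentor's code: the concatenated query the advisory describes, the same query behind the RemoveBad()-style character filter, and a parameterised query, all run against a constructed in-memory SQLite table. The table name admins, the column names and the sample credentials are assumptions for the demo, not the product's schema.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for AdMentor's admin table.
    Table, columns and credentials are assumptions for this demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (login TEXT, password TEXT)")
    db.executemany("INSERT INTO admins VALUES (?, ?)",
                   [("admin", "S3cret!"), ("editor", "letmein")])
    return db


def build_query(login, password):
    """Build the statement the way the vulnerable code does: by pasting the
    raw form fields between quotes. Anything the user types becomes SQL."""
    return ("SELECT login FROM admins WHERE login = '" + login +
            "' AND password = '" + password + "'")


def login_concat(db, login, password):
    """Vulnerable login check: executes the concatenated statement and
    returns the first matching login (the admin row), or None."""
    row = db.execute(build_query(login, password)).fetchone()
    return row[0] if row else None


def remove_bad(value):
    """Port of the advisory's RemoveBad(): strip < > " ' % ; ( ) & + -"""
    return re.sub(r'[<>"\'%;()&+-]', "", value)


def login_filtered(db, login, password):
    """The advisory's stopgap: same concatenation, but with the dangerous
    characters stripped first, so the quoted literal can no longer be
    closed and the payload is compared as plain text."""
    return login_concat(db, remove_bad(login), remove_bad(password))


def login_param(db, login, password):
    """The real fix: a parameterised query. The driver binds the values as
    data, so ' or ''=' is compared literally and never parsed as SQL."""
    row = db.execute(
        "SELECT login FROM admins WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"
    print("injected statement:", build_query(payload, payload))
    print("concat   :", login_concat(db, payload, payload))     # admin
    print("filtered :", login_filtered(db, payload, payload))   # None
    print("param    :", login_param(db, payload, payload))      # None
    print("param, real creds:", login_param(db, "admin", "S3cret!"))  # admin
```

Running the file shows the injected statement ending in `or ''=''`, which matches every row, so the concatenated path returns the admin account for a password nobody knows. The filtered path stops this particular payload, but note that the same regex also strips `-`, `+` and `&`, so legitimate logins containing them (an e-mail address with a plus tag, for instance) would silently be mangled; the parameterised query rejects the payload without touching the input at all.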
Credits:
Bug found by thran, thran60@hotmail.com