[40031] in bugtraq
[SVadvisory] - SQL injection in OpenBook 1.2.2
daemon@ATHENA.MIT.EDU (svt@svt.nukleon.us)
Mon Aug 1 12:18:44 2005
Date: 30 Jul 2005 21:09:51 -0000
Message-ID: <20050730210951.12767.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: svt@svt.nukleon.us
To: bugtraq@securityfocus.com
SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: SQl injection
Product: OpenBook
Version: 1.2.2
Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
function auth_user($userid, $password)
{
global $HTTP_POST_VARS;
global $admin_table;
$userid=$HTTP_POST_VARS['userid'];
$password=$HTTP_POST_VARS['password'];
db_connect();
$query="SELECT userid "
."FROM $admin_table "
."WHERE userid='$userid' AND password=password('$password')";
$result=mysql_query($query);
if(!mysql_num_rows($result))
// no matches
{
return 0;
}
else
// match found so return userid
{
$query_data=mysql_fetch_array($result);
return $query_data['userid'];
}
}// end auth_user()
Variable $userid, $password in admin.php are not checked before premises in SQL request, because of this possible produce SQL-injection, after which, any user can gain access to admin panels
Here is idle time example substitutions:
-------------------------------
User ID: admin
Password: no') or 1/*
-------------------------------
Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------
