Full Disclosure mailing list archives
eResourcePlanner Authentication Bypass/SQL Injection
From: xnite () xnite org
Date: Fri, 5 Jul 2013 06:26:50 +0000
I have been trying to contact the ERP company for the past year with a bug which could affect dozens of companies including cell phone providers, call centers, and more. eResourcePlanner provides resource planning software to companies, which are hosted on their own subdomain "rp4me.com". The SQL injection was stumbled upon during a legitimate login attempt in which I received an SQL error by accidentally typing an ' into my password. With minimal research it was not difficult to find that the username table on the MySQL database was "userid". Any client could simply put the following string (replacing username with their actual username or a portion of a username) into the username portion of the login field, and be logged in from that point as any user they would like. The string is on it's own line as follows: a' OR userid like '%username%' OR 'a Given that the username, or first match of the string given in the like statement matches an active account, you will be logged in now as that user. Other more minor security issues that I would like to point out are seen within an actual SQL error which looks like the following: [MySQL][ODBC 5.1 Driver][mysqld-5.5.9-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' AND lcase(Password) = ''' at line 1 Things that need to pointed out here are listed below: * A production machine should never be displaying the contents of an SQL error, this is a primary way an attacker may discover a vulnerability. * lcase(Password) shows us that no matter what password is given, it is converted to lower-case lettering anyway, disallowing what might be considered a "strong password". This makes brute-forcing passwords much easier. * The error string displays the version of the MySQL Server Daemon, which could be used to find other potential vulnerabilities to compromise the daemon. * MySQL Server Daemon is out of date, 5.5.9 was released February of 2011. FOR THE RECORD: I have not used this vulnerability with any malicious intent, and everything I touched was perfectly legal/ethical. I used this to login to only my account, and those of which I had permission to do so. I have tried to go the safe route for over a year and disclose this privately with the company providing the software (eresourceplanner.com) with no response back, and I have decided at this point that it's better to make it public and hope that it will be fixed, than to keep it private while those with malicious intent may already be a ghost in the system. --- R. Whitney - Independent IT ConsultantPhone: (347)674-4835 Postal: PO Box 5984, Bloomington, IL 61702-5984 Other: My Blog (http://xnite.org) / LinkedIn (http://www.linkedin.com/in/whitneyr) / Twitter (http://twitter.com/xnite)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- eResourcePlanner Authentication Bypass/SQL Injection xnite (Jul 05)
- Re: eResourcePlanner Authentication Bypass/SQL Injection adam (Jul 05)
- <Possible follow-ups>
- Re: eResourcePlanner Authentication Bypass/SQL Injection xnite (Jul 05)
- Re: eResourcePlanner Authentication Bypass/SQL Injection adam (Jul 05)