Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   OpenBook Vendors:
OpenBook Input Validation Holes in auth_user() Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014606
SecurityTracker URL:
CVE Reference:   CVE-2005-2466   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 1 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2
Description:   A vulnerability was reported in OpenBook. A remote user can inject SQL commands.

The auth_user() function does not properly validate user-supplied input. A remote user can supply specially crafted 'userid' and 'password' parameter values to the 'admin.php' script to execute SQL commands on the underlying database.

Some demonstration exploit values are provided:

User ID: admin
Password: no') or 1/*

Search Vulnerabilities Team discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [SVadvisory] - SQL injection in OpenBook 1.2.2

  Title: SQl injection                    
Product: OpenBook                        
Version: 1.2.2                           
   function auth_user($userid, $password)
	global $HTTP_POST_VARS;
	global $admin_table;



	$query="SELECT userid "
					."FROM $admin_table "
					."WHERE userid='$userid' AND password=password('$password')";

	// no matches
		return 0;
	// match found so return userid
		return $query_data['userid'];
}// end auth_user()

Variable $userid, $password in admin.php are not checked before premises in SQL request, because of this possible produce SQL-injection,
 after which, any user can gain access to admin panels

Here is idle time example substitutions:
 User ID: admin
Password: no') or 1/*

Bug Found
Search Vulnerabilities Team -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC