SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Generic)  >   OpenBook Vendors:   openbook.sourceforge.net
OpenBook Input Validation Holes in auth_user() Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014606
SecurityTracker URL:  http://securitytracker.com/id/1014606
CVE Reference:   CVE-2005-2466   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Aug 1 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2
Description:   A vulnerability was reported in OpenBook. A remote user can inject SQL commands.

The auth_user() function does not properly validate user-supplied input. A remote user can supply specially crafted 'userid' and 'password' parameter values to the 'admin.php' script to execute SQL commands on the underlying database.

Some demonstration exploit values are provided:

User ID: admin
Password: no') or 1/*

Search Vulnerabilities Team discovered this vulnerability.

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  openbook.sourceforge.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SVadvisory] - SQL injection in OpenBook 1.2.2

SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Title: SQl injection                    
Product: OpenBook                        
Version: 1.2.2                           
   Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
   function auth_user($userid, $password)
{
	global $HTTP_POST_VARS;
	global $admin_table;

	$userid=$HTTP_POST_VARS['userid'];
	$password=$HTTP_POST_VARS['password'];

	db_connect();

	$query="SELECT userid "
					."FROM $admin_table "
					."WHERE userid='$userid' AND password=password('$password')";
	$result=mysql_query($query);

	if(!mysql_num_rows($result))
	// no matches
	{
		return 0;
	}
	else
	// match found so return userid
	{
		$query_data=mysql_fetch_array($result);
		return $query_data['userid'];
	}
}// end auth_user()

Variable $userid, $password in admin.php are not checked before premises in SQL request, because of this possible produce SQL-injection,
 after which, any user can gain access to admin panels

Here is idle time example substitutions:
-------------------------------
 User ID: admin
Password: no') or 1/*
-------------------------------

Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC