<<< Date Index >>>     <<< Thread Index >>>

[SVadvisory] - SQL injection in OpenBook 1.2.2



SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Title: SQl injection                    
Product: OpenBook                        
Version: 1.2.2                           
   Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
   function auth_user($userid, $password)
{
        global $HTTP_POST_VARS;
        global $admin_table;

        $userid=$HTTP_POST_VARS['userid'];
        $password=$HTTP_POST_VARS['password'];

        db_connect();

        $query="SELECT userid "
                                        ."FROM $admin_table "
                                        ."WHERE userid='$userid' AND 
password=password('$password')";
        $result=mysql_query($query);

        if(!mysql_num_rows($result))
        // no matches
        {
                return 0;
        }
        else
        // match found so return userid
        {
                $query_data=mysql_fetch_array($result);
                return $query_data['userid'];
        }
}// end auth_user()

Variable $userid, $password in admin.php are not checked before premises in SQL 
request, because of this possible produce SQL-injection, after which, any user 
can gain access to admin panels

Here is idle time example substitutions:
-------------------------------
 User ID: admin
Password: no') or 1/*
-------------------------------

Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------