SecurityTracker.com
Category:  Application (Generic)  >  OpenBook
Vendors:  openbook.sourceforge.net
OpenBook Input Validation Holes in auth_user() Let Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1014606
SecurityTracker URL:  http://securitytracker.com/id?1014606
CVE Reference:  CVE-2005-2466
Updated:  Jun 8 2008
Original Entry Date:  Aug 1 2005
Impact:  Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2
Description:  A vulnerability was reported in OpenBook. A remote user can inject SQL commands.

The auth_user() function does not properly validate user-supplied input. A remote user can supply specially crafted 'userid' and 'password' parameter values to the 'admin.php' script to execute SQL commands on the underlying database.

Some demonstration exploit values are provided:

User ID: admin
Password: no') or 1/*

Search Vulnerabilities Team discovered this vulnerability.

Impact:  A remote user can execute SQL commands on the underlying database.
Solution:  No solution was available at the time of this entry.
Vendor URL:  openbook.sourceforge.net/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  svt@svt.nukleon.us
Message History:   None.


 Source Message Contents

Date:  30 Jul 2005 21:09:51 -0000
From:  svt@svt.nukleon.us
Subject:  [SVadvisory] - SQL injection in OpenBook 1.2.2

 
SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Title: SQL injection
Product: OpenBook                        
Version: 1.2.2                           
   Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
function auth_user($userid, $password)
{
	global $HTTP_POST_VARS;
	global $admin_table;

	$userid=$HTTP_POST_VARS['userid'];
	$password=$HTTP_POST_VARS['password'];

	db_connect();

	$query="SELECT userid "
					."FROM $admin_table "
					."WHERE userid='$userid' AND password=password('$password')";
	$result=mysql_query($query);

	if(!mysql_num_rows($result))
	// no matches
	{
		return 0;
	}
	else
	// match found so return userid
	{
		$query_data=mysql_fetch_array($result);
		return $query_data['userid'];
	}
}// end auth_user()

Variables $userid, $password in admin.php are not checked before placement in the SQL request; because of this it is possible to produce SQL injection, after which any user can gain access to the admin panels.

Here are idle time example substitutions:
-------------------------------
User ID: admin
Password: no') or 1/*
-------------------------------

Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------
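
The entry lists no solution. As an added example (not OpenBook's code and not from the advisory's authors), auth_user() can bind the user ID as a query parameter and verify the password in PHP instead of interpolating both values into the SQL string. The PDO/SQLite setup, the fixed `admin` table with its `pwhash` column, the sample password, and the use of password_hash()/password_verify() in place of MySQL's password() are assumptions made so the block runs stand-alone.

```php
<?php
// Added example, not OpenBook code: auth_user() with bound parameters.
// Assumed for illustration: PDO with the sqlite driver, a constructed
// `admin` table, and password_hash()/password_verify() replacing password().

function auth_user(PDO $db, string $userid, string $password)
{
    // The placeholder keeps the input out of the SQL text, so quotes,
    // parentheses and comment markers in $userid are compared as data only.
    $stmt = $db->prepare('SELECT userid, pwhash FROM admin WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password never reaches the query; the stored hash is checked in PHP.
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return 0; // no match, same return value as the original function
    }
    return $row['userid'];
}

// Constructed test data: one admin account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (userid TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO admin (userid, pwhash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

// First the advisory's demonstration values, then the real password.
var_dump(auth_user($db, 'admin', "no') or 1/*"));
var_dump(auth_user($db, 'admin', 'constructed-sample-password'));
```

With the input bound rather than concatenated, the advisory's demonstration password is treated as an ordinary wrong password and the function returns 0; only the stored password returns the user ID.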

