AjaxPortal Authentication Bypass

2006-07-12 / 2006-07-13
Credit: alireza hassani (trueend5 yahoo com)
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-3515
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

KAPDA New advisory Vendor: http://myiosoft.com Vulnerable: AjaxPortal v. 3.0 Bug: Sql Injection (Authentication Bypass) Exploitation: Remote with browser Description: -------------------- AjaxPortal is based on Sajax technology - an open source tool to make programming websites using the Ajax framework known as XMLHTTPRequest or remote scripting as easy as possible.customizable full featured content management tool written in PHP, using javascript and Mysql. Vulnerability: -------------------- Input Validation error in loginADP Function that result in Login bypass when Magic quotes is disabled. Code Snippets: /ajaxp.php Lines: #568-593 function loginADP($username,$password,$remember){ $badlogin = 0; if(isLoggedIn()){ return "Sucsess!"; } $query = "SELECT * FROM ".PREFIX."ajaxp_users WHERE username='$username' AND password=PASSWORD('$password') AND active=1 LIMIT 1"; $result = mysql_query($query); if(mysql_num_rows($result) > 0){ $userinfo = mysql_fetch_array($result); $_SESSION['sess_username'] = $userinfo['username']; $_SESSION['sess_firstname'] = $userinfo['firstname']; $_SESSION['sess_lastname'] = $userinfo['lastname']; $_SESSION['sess_userid'] = $userinfo['user_id']; $_SESSION['sess_accesslevel'] = $userinfo['accesslevel']; $_SESSION['sess_usermd5'] = $userinfo['md5']; $_SESSION['sess_theme_id'] = $userinfo['theme_id']; $_SESSION['sess_last_ip'] = $_SERVER['REMOTE_ADDR']; $_SESSION['sess_logged_in'] = 1; $query = "UPDATE ".PREFIX."ajaxp_users SET last_login=NOW(), last_ip="".$_SERVER['REMOTE_ADDR']."" WHERE user_id=".$userinfo['user_id'].""; mysql_query($query); if($remember==1) {$_SESSION['remember']=$userinfo['user_id'];} else { unset($_SESSION['remember']); } $badlogin = 0; return "Sucsess!"; } else { $badlogin = 1; } POC: -------------------- Username:a' or user_id=22/* Password:abcdef Solution: -------------------- No Response from vendor. Original Advisories: -------------------- http://www.kapda.ir/advisory-355.html Credit : -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://www.KAPDA.ir] __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top