SQL Injection by using Cookie Poisoning for Website Baker Version 2.6.5 and before

2007.01.29
Credit: Rolf Huisman
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Website Baker Version 2.6.5 and before contains a SQL injection. This can be exploited by using Cookie Poisoning Manufacturer was notified, but want to ignore the request pending release version 3.0 Poison the cookie for the login page with the REMEMBER_KEY variable with a standard sql injection ('; <Insert Your SQL Statment here> --) Failing function is in class.login.php // Function to check if a user has been remembered function is_remembered() { if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') { // Check if the remember key is correct $database = new database(); $check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1"); This function is called by the login screen, hence the vulnerability. When changing the user table... Free admin login :P HotFix: Change $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1"); into $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".addslashes($_COOKIE['REMEMBER_KEY'])."' LIMIT 1"); $query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr($_COOKIE['REMEMBER_KEY'], 0, 11)."' LIMIT 1"); into $query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr(addslashes($_COOKIE['REMEMBER_KEY']), 0, 11)."' LIMIT 1"); With Regards Rolf Huisman


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top