Infoproject Biznis Heroj (login.php) Authentication Bypass Vulnerability
Vendor: Infoproject DOO
Product web page: http://www.biznisheroj.mk
Affected version: Plus, Pro and Extra
Summary: Biznis Heroj or Business Hero (èèñ Õåð¼) is the first
software on the Macedonian market that will help you manage your
business processes in your company, such as accounting, production,
acquisition, archiving, inventory, and the Cloud. Using the Cloud
technology, Biznis Heroj allows you to access the system from any
computer at any time through any internet browser.
Desc: The vulnerability is caused due to an error in the logon
authentication script (login.php) and can be exploited to bypass
the login procedure by defining the 'username' and 'password' POST
parameters with an SQL Injection attack, gaining admin privileges.
Tested on: Apache, PHP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
[14.12.2011] Vulnerability discovered.
[15.12.2011] Contact with the vendor.
[20.12.2011] No response from the vendor.
[21.12.2011] Public security advisory released.
Advisory ID: ZSL-2011-5065
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5065.php
Username: ' or 1=1--
Password: ' or 1=1--