123tkShop 0.9.1 - Remote Authentication Bypass Vulnerability

ID EDB-ID:4733
Type exploitdb
Reporter Michael Brooks
Modified 2007-12-14T00:00:00


123tkShop 0.9.1 Remote Authentication Bypass Vulnerability. CVE-2007-6458. Webapps exploit for php platform

By Michael Brooks
Vulnerability: SQL Injection
Affects Version 0.9.1.

An attacker can gain administrative rights with this authentication bypass.
The payload for the attack is constructed like this:
print base64_encode("'union select 'password'/* :password");

Vulnerable code is in the ./123tkShop/shop/mainfile.php file, in the is_admin function starting on line 156.

The attack works whether magic_quotes_gpc is On or Off because of base64_decode(): magic_quotes only escapes quote characters in the raw request data, and the base64-encoded cookie contains none, so the quotes only appear after decoding.
The attack also works with register_globals Off or On, because mainfile.php line 42 re-creates the globals itself when the setting is off:
if (!ini_get("register_globals")) {
Registering globals is dangerous.
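For comparison, here is how an is_admin()-style check can be written so that neither the base64 trick nor the register_globals emulation matters. This is an added example, not 123tkShop's code: the cookie name "admin", its "user:password" layout, the `admins` table with `username` and `password_hash` columns, and the use of password_hash()/password_verify() are all assumptions. The username is bound as a prepared-statement parameter, so the decoded string is matched literally rather than parsed as SQL, and the password is checked against a stored hash instead of against whatever the query returned.

```php
<?php
// Added example, not the project's code. Assumptions: cookie "admin" holds
// base64("user:password"); admins are stored in table `admins` with columns
// `username` and `password_hash` (output of password_hash()).
// Requires the pdo_sqlite extension for the demo at the bottom.

function is_admin(PDO $db, array $cookies): bool
{
    // Read the cookie explicitly; never rely on a global being populated.
    if (!isset($cookies['admin']) || !is_string($cookies['admin'])) {
        return false;
    }

    // strict=true rejects input that is not valid base64.
    $decoded = base64_decode($cookies['admin'], true);
    if ($decoded === false) {
        return false;
    }

    // Split on the first ':' only, so a password may itself contain ':'.
    $parts = explode(':', $decoded, 2);
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    [$user, $password] = $parts;

    // Parameter binding: the decoded username is data, not SQL, so escaping
    // (magic_quotes or otherwise) is irrelevant to the query's structure.
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;
    }

    // Verify against the stored hash; the supplied password never reaches SQL.
    return password_verify($password, $hash);
}

// Demo against an in-memory SQLite database with one constructed admin row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO admins (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// A valid cookie for the constructed account, and the page's payload string.
$good = ['admin' => base64_encode('alice:correct horse battery staple')];
$bad  = ['admin' => base64_encode("'union select 'password'/* :password")];

var_dump(is_admin($db, $good));
var_dump(is_admin($db, $bad));
```

In a real deployment the call is `is_admin($db, $_COOKIE)`; passing the superglobal in explicitly means the check works the same with register_globals on, off, or emulated, which removes the second reason the original attack was setting-independent.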

My advice is to use another shopping cart such as OsCommerce. 

An interesting side note is that this URL will produce a message:
"I don't like you..."
Interesting sentence, but unfortunately for 123tkShop, sentences do not defend against SQL injection.

Merry Christmas. 

# milw0rm.com [2007-12-14]