~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Product: mediabox404 WebRadio & WebTV manager
Version: 1.2 Release (and previous)
URL: http://www.mediabox404.org
VULNERABILITY CLASS: SQL injection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[PRODUCT DESCRIPTION]
mediabox404 is a set of PHP/MySQL modules (administration, client, programmation (scheduling), diffusion (broadcasting)) that lets a webradio manage its playlists and related data.
[VULNERABILITY]
Vulnerable script: admin/login_admin_mediabox404.php
[code]
// $User and $Password come straight from the login form and are concatenated
// into the query text; nothing escapes the single quotes around them.
$requete=requete("select Pseudo from t_user where Pseudo='".$User."' and Passe='".$Password."'");
if(mysql_num_rows($requete)==0)
{
header("Location:login_admin_mediabox404.php?Fct=Bad_Pseudo");
}
else
{
// any row at all counts as a successful administrator login
[/code]
If magic_quotes_gpc is off (magic_quotes_gpc=0), the value of $User reaches the query unescaped, so an attacker can inject SQL statements through the "User" field ($Password is concatenated the same way).
Example of exploitation:
In the login form, type existing_username' or 1 = 1 or Passe='a in the "User" field and whatever in the "Password" field (without double quotes). The resulting WHERE clause, Pseudo='existing_username' or 1 = 1 or Passe='a' and Passe='whatever', is always true because AND binds tighter than OR, so mysql_num_rows() is non-zero and the check passes; the username does not even have to exist.
After the login bypass, the attacker can administer the WebRadio.
[Bugfix]:
[code]
// undo magic_quotes_gpc so the values are not escaped twice
if (get_magic_quotes_gpc()) {
$User = stripslashes($User);
$Password = stripslashes($Password);
}
// escape both values for the MySQL connection before they enter the query
$sql_requete= sprintf("select Pseudo from t_user where Pseudo='%s' and Passe='%s'",
mysql_real_escape_string($User), mysql_real_escape_string($Password));
$requete=requete($sql_requete);
[/code]
Or grab the latest snapshot from the mediabox404 CVS.
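As an added worked example (not from the advisory and not mediabox404's own code), the login bypass and the fix above replayed against a constructed t_user table. SQLite stands in for MySQL, the two sample users are invented, and the hardened login uses a parameterised query, which is the stronger modern equivalent of the mysql_real_escape_string() fix quoted above:

```python
import sqlite3

# Constructed sample rows standing in for mediabox404's t_user table.
# Assumption: only the Pseudo and Passe columns matter for the login check.
SAMPLE_USERS = [("admin", "s3cret"), ("dj", "music")]

# The payload quoted in the advisory for the "User" field, plus an arbitrary password.
BYPASS_USER = "existing_username' or 1 = 1 or Passe='a"
BYPASS_PASS = "whatever"


def make_db():
    """In-memory SQLite database holding the two columns the login query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_user (Pseudo text, Passe text)")
    conn.executemany("insert into t_user values (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(user, password):
    """Same concatenation as the vulnerable script: the inputs become SQL text."""
    return ("select Pseudo from t_user where Pseudo='" + user
            + "' and Passe='" + password + "'")


def login_vulnerable(conn, user, password):
    """Return the matched Pseudo, or None (where the script redirects to Fct=Bad_Pseudo).

    With the bypass payload the WHERE clause reads
    Pseudo='...' or 1 = 1 or Passe='a' and Passe='whatever', which is always true,
    so every row matches and the caller is logged in as the first row returned.
    """
    rows = conn.execute(build_vulnerable_query(user, password)).fetchall()
    return rows[0][0] if rows else None


def login_fixed(conn, user, password):
    """Parameterised form: the driver binds user/password as values, never as SQL."""
    rows = conn.execute(
        "select Pseudo from t_user where Pseudo=? and Passe=?", (user, password)
    ).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(BYPASS_USER, BYPASS_PASS))
    print("vulnerable login returns:", login_vulnerable(db, BYPASS_USER, BYPASS_PASS))
    print("fixed login returns:     ", login_fixed(db, BYPASS_USER, BYPASS_PASS))
```

In the vulnerable path the attacker is authenticated as whichever row the database returns first (here "admin", which is typically the case on a fresh install where the administrator account is created first); the parameterised version rejects the payload and still accepts real credentials. The escaping fix in the advisory works, but mysql_real_escape_string() needs an open connection and escapes according to that connection's character set, which is why binding parameters is the safer habit.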
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[CREDITS]
Cedric Tissieres
OS Objectif Securite SA
http://www.objectif-securite.ch
16.08.2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~