Bloofox CMS SQL Injection (Authentication bypass), Source code

Board: Bugtraq | Posted: 2008/01/21 23:39 (18 years ago)
########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: Bloofox CMS Vulnerabilities
# Vendor: http://www.bloofox.com
# Bugs: SQL Injection (Authentication bypass), Source code disclosure
# Vulnerable Version: 0.3 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################

####################
- Description:
####################

BloofoxCMS is a free open source content management system (CMS).

####################
- Vulnerability:
####################

+--> SQL Injection (authentication bypass)

Code Snippet: index.php Line#107-116

if(isset($_POST['login']) || $_GET['login'] == "true") {
	if($perm->login($db,$_POST['username'],$_POST['password']) == 1) {
		$login_ok = 1;
		if($_GET['login'] == "true") {
			load_url("index.php");
		}
	} else {
		$login_failed = 1;
	}
}

system/class_permissions.php Line#63-68

	function login($db,$user,$pass)
	{
		global $tbl_prefix;
		$pass = md5($pass);
		$db->query("SELECT uid,username,password,groups FROM ".$tbl_prefix."sys_user WHERE username = '".$user."' && password = '".$pass."' && blocked = '0' && deleted = '0' && status = '1' ORDER BY username");
		$total = $db->num_rows();
		.
		.
		.

There is no input validation here, therefore it is possible for a remote attacker to bypass the login mechanism when magic quotes is disabled!

POC:
Username: admin' or 1=1 /*
Password: something

+--> Source code disclosure

Code Snippet: file.php Line#25-49

$file = $_GET['file'];

// Block external linkings
$HTTP_REFERER = $_SERVER['HTTP_REFERER'];
if(strpos($HTTP_REFERER,$_SERVER['SERVER_NAME']) == 0) {
	die("Forget It!");
}

$basedir = getcwd()."/media/files";

// create file name
$filename = sprintf("%s/%s", $basedir, $file);

// check file on server
if(!file_exists($filename)) {
	die("File not found!");
}

header("Content-Type: application/octet-stream");
$save_as_name = basename($file);
header("Content-Disposition: attachment; filename=\"".$save_as_name."\"");

// output
readfile($filename);

Input passed to the "file" parameter is not properly sanitised before being used. This can be exploited to display arbitrary files through directory traversal attacks or by passing full paths.

POC:
GET: http://servername/bloofoxCMS_0.3/file.php?file=../../system/class_mysql.php
Referer: http://servername/

####################
- Credit :
####################

Original advisory: http://bugreport.ir/?/27
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
Article code (AID): #17bBoj00 (Bugtraq)
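Added example, not Bloofox code or part of the advisory: hardened replacements for the two routines quoted above, covering both the login query and the download path. It assumes a PDO connection in $pdo and the same sys_user table layout; the function names login_safe and resolve_download are hypothetical, and md5() is kept only so the example matches the hashes the original stores.

```php
<?php
// Added example (not Bloofox code). Assumes a PDO handle in $pdo and the
// table layout used by the advisory's snippet: {$tbl_prefix}sys_user.

function login_safe(PDO $pdo, string $tbl_prefix, string $user, string $pass): ?array
{
    // The table name comes from configuration, not from the request, so it
    // is the only piece of SQL text that is still concatenated.
    $sql = "SELECT uid, username, groups FROM `{$tbl_prefix}sys_user`"
         . " WHERE username = ? AND password = ?"
         . " AND blocked = '0' AND deleted = '0' AND status = '1'";
    $stmt = $pdo->prepare($sql);
    // Bound values travel separately from the SQL text, so a quote or
    // comment sequence in $user is data, never syntax. md5() is kept to
    // match the existing hashes; migrating to password_hash() is advisable.
    $stmt->execute([$user, md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function resolve_download(string $basedir, string $requested): ?string
{
    // Accept only a bare file name: no null bytes, no separators, no '.'/'..'.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested
        || $requested === '.' || $requested === '..') {
        return null;
    }
    $base = realpath($basedir);
    $full = realpath($basedir . '/' . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() has resolved symlinks and '..', so a prefix check on the
    // canonical path is a genuine containment test, not a string match
    // that '../' or an absolute path could slip past.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Usage in place of the original file.php body:
$path = resolve_download(getcwd() . '/media/files', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found!');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

With these in place the advisory's two PoC requests fail at the parameter and containment checks respectively, and the Referer test is no longer relied on for access control.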