OpenBook version 1.2.2 suffers from a SQL injection vulnerability.
99e3f6e9535131e4d3edf4332578daa55505501be55b27078e97c14c4266ecc7SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: SQl injection
Product: OpenBook
Version: 1.2.2
Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerabilities
***************
Code:
function auth_user($userid, $password)
{
global $HTTP_POST_VARS;
global $admin_table;
$userid=$HTTP_POST_VARS['userid'];
$password=$HTTP_POST_VARS['password'];
db_connect();
$query="SELECT userid "
."FROM $admin_table "
."WHERE userid='$userid' AND password=password('$password')";
$result=mysql_query($query);
if(!mysql_num_rows($result))
// no matches
{
return 0;
}
else
// match found so return userid
{
$query_data=mysql_fetch_array($result);
return $query_data['userid'];
}
}// end auth_user()
Variable $userid, $password in admin.php are not checked before premises in SQL request, because of this possible produce SQL-injection, after which, any user can gain access to admin panels
Here is idle time example substitutions:
-------------------------------
User ID: admin
Password: no') or 1/*
-------------------------------
Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed