Small-CMS version 1.0 suffers from authentication bypass and remote SQL injection vulnerabilities.
f6e3e1d365a67112d375c748e978fe5cdcb63a6a8abc5ccbe6ebc04c6d00c265
[+] Exploit title: Small-CMS 1.0 - SQL injection/Authentication Bypass
[+] Date: 2/10/2012
[+] Author: Phizo
[+] Vendor: http://www.small-cms.com/
[+] Version: 1.0
[+] Category: webapps
[+] Google dork: intitle:"Find it yourself."
[+] Tested on: Windows 7 | Firefox 15.0.1
=================================
default.class.php ~ lines 220-230
=================================
function checkCredentials($username, $password){
$obscure = $this->obscure($password);
$query = "SELECT * FROM ".$this->prefix_db."users WHERE user_name = '$username' AND user_pass = '$obscure' AND user_active = '1' LIMIT 1;";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
if ($row) {
return true;
} else {
return false;
}
}
=================================
default.class.php ~ lines 260-275
=================================
function setSession($username,$password,$cookie){
$query = "SELECT id FROM ".$this->prefix_db."users WHERE user_name = '$username' AND user_pass = '$password' AND user_active = '1' LIMIT 1;";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$values = array($username,$this->obscure($password),$row['id']);
$session = implode(",",$values);
if($cookie=='on'){
//cookies
setcookie("$this->session_name", $session, time()+60*60*24*100,'/');
} else {
$_SESSION["$this->session_name"] = $session;
}
}
=======================
login.php ~ lines 27-33
=======================
if ($login->checkCredentials($_POST['username'], $_POST['password'])){
$login->setSession($_POST['username'],$_POST['password'],$_POST['cookie']);
$login->redirect('index.php?page=admincp');
} else {
$error = '';
}
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed