Subject: SQL Injection by using Cookie Poisoning for Website Baker Version 2.6.5 and before
Date: Mon, 22 Jan 2007 23:36:26 +0100
From: "Rolf Huisman" <r.l.r.huisman@home.nl>
To: <bugtraq@securityfocus.com>
Website Baker version 2.6.5 and earlier contains a SQL injection vulnerability that can be exploited by cookie poisoning.
The vendor was notified but chose to ignore the report pending the release of version 3.0.
To exploit it, poison the REMEMBER_KEY cookie sent to the login page with a standard SQL injection payload ('; <insert your SQL statement here> --).
The failing function is is_remembered() in class.login.php:
    // Function to check if a user has been remembered
    function is_remembered() {
        if(isset($_COOKIE['REMEMBER_KEY']) AND $_COOKIE['REMEMBER_KEY'] != '') {
            // Check if the remember key is correct
            $database = new database();
            // The cookie value is concatenated into the SQL text without any escaping
            $check_query = $database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1");
            // ... remainder of the function
        }
    }
This function is called by the login screen, hence the vulnerability.
An injected statement that changes the user table yields a free admin login.
HotFix:
Change
$database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".$_COOKIE['REMEMBER_KEY']."' LIMIT 1");
into
$database->query("SELECT user_id FROM ".$this->USERS_TABLE." WHERE remember_key = '".addslashes($_COOKIE['REMEMBER_KEY'])."' LIMIT 1");
and change
$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr($_COOKIE['REMEMBER_KEY'], 0, 11)."' LIMIT 1");
into
$query_details = $database->query("SELECT * FROM ".$this->USERS_TABLE." WHERE user_id = '".substr(addslashes($_COOKIE['REMEMBER_KEY']), 0, 11)."' LIMIT 1");
Note that addslashes() is a stopgap: it is not aware of the connection character set, so mysql_real_escape_string() or a prepared statement is the more robust fix. In the second query, truncating after escaping can also leave a trailing backslash (when the escape inserted for the eleventh character is cut in half) that escapes the closing quote and breaks the query; escape the truncated value instead, or, if user_id is numeric, cast it with intval().
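The following is an added example, not code from Website Baker or from the advisory. It puts the vulnerable construction of the first query beside the addslashes() hotfix, and beside a parameterised version of is_remembered() that binds the cookie instead of escaping it. The table name wb_users, the function names and the sample payload are assumptions made for the demonstration; the real class uses $this->USERS_TABLE.

```php
<?php
// Added example (not Website Baker code). Shows how the REMEMBER_KEY cookie
// lands in the SQL text of is_remembered(), what the addslashes() hotfix
// changes, and a bound-parameter replacement. Table name and payload are
// assumptions for the demonstration.
declare(strict_types=1);

const USERS_TABLE = 'wb_users';   // assumed; $this->USERS_TABLE in the real class

// The advisory's vulnerable construction: the raw cookie becomes part of the SQL.
function vulnerableQuery(string $cookie): string
{
    return "SELECT user_id FROM " . USERS_TABLE
         . " WHERE remember_key = '" . $cookie . "' LIMIT 1";
}

// The advisory's hotfix: addslashes() backslash-escapes ' " \ and NUL before
// concatenation. It knows nothing about the connection charset, so with a
// multibyte charset such as GBK a lead byte can swallow the inserted backslash;
// mysql_real_escape_string() or, better, a bound parameter avoids that.
function hotfixQuery(string $cookie): string
{
    return "SELECT user_id FROM " . USERS_TABLE
         . " WHERE remember_key = '" . addslashes($cookie) . "' LIMIT 1";
}

// Preferred fix: bind the cookie as a parameter, so it is sent as data and is
// never parsed as SQL, whatever characters or charset it contains.
// Returns the matching user_id, or null when the key is empty or unknown.
function isRememberedSafe(mysqli $db, string $cookie): ?int
{
    if ($cookie === '') {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT user_id FROM " . USERS_TABLE . " WHERE remember_key = ? LIMIT 1"
    );
    $stmt->bind_param('s', $cookie);
    $stmt->execute();
    $stmt->bind_result($userId);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $userId : null;
}

// Constructed payload in the shape the advisory gives: a quote that closes the
// string literal, a statement of the attacker's choosing, and a comment that
// swallows the rest of the original query.
$payload = "'; SELECT 1 -- ";

echo "vulnerable: ", vulnerableQuery($payload), PHP_EOL;
echo "hotfix:     ", hotfixQuery($payload), PHP_EOL;
```

Running the script prints the two generated query strings side by side: in the first the payload's quote terminates the literal and the rest of the cookie is read as SQL, in the second the quote arrives as \' and the whole cookie stays inside the literal. The same binding applies to the second query in the hotfix, which compares user_id against substr($_COOKIE['REMEMBER_KEY'], 0, 11); binding the truncated value (or an integer cast of it) removes both the injection and the trailing-backslash problem.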
With Regards
Rolf Huisman