-
The attack that I mentioned above using " admin' -- " is ineffective;
however, the following attacks work:
To log in with a username you are already familiar with, for example admin:
username: admin
password: ' OR '1' = '1
or if you don't know a username:
username: ' OR '1' = '1
password: ' OR '1' = '1
will log you in as the first user in the result set. The patch is still good.
2009-05-13 23:25:47 UTC by nobody
-
The code in auth.php is open to simple SQL injection attacks. Note that the input goes unchanged as the query to the database is made:
AUTH.PHP
================
..................
$user = $PHP_AUTH_USER;
$password = $PHP_AUTH_PW;
$query = "select * from users where user = '$user' and password = '$password'";
$result = mysql_db_query("muller", $query);
..................
At no time...
2009-05-13 01:46:51 UTC by nobody
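The query construction from the auth.php excerpt next to a parameterized version, as an added example that is not part of the original posts or the Muller Messageboard code. It uses PDO with an in-memory SQLite database in place of the project's MySQL calls; the table layout, the pw_hash column, the sample accounts and both function names are assumptions.

```php
<?php
// Added example, not Muller Messageboard code. Schema, accounts and function
// names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT, pw_hash TEXT)');

// "password" mirrors the plaintext comparison in the excerpt; "pw_hash" is
// what the hardened path checks instead.
$seed = $db->prepare('INSERT INTO users (user, password, pw_hash) VALUES (?, ?, ?)');
foreach ([['admin', 'constructed-admin-pw'], ['alice', 'constructed-alice-pw']] as [$u, $p]) {
    $seed->execute([$u, $p, password_hash($p, PASSWORD_DEFAULT)]);
}

// Same construction as the auth.php excerpt: input is pasted into the SQL text,
// so a quote in the input changes the structure of the WHERE clause.
function login_concatenated(PDO $db, string $user, string $password): ?string
{
    $query = "select * from users where user = '$user' and password = '$password'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['user'] : null;
}

// Hardened form: the user name travels as a bound parameter and is only ever
// compared as data; the password is verified in PHP against a stored hash.
function login_prepared(PDO $db, string $user, string $password): ?string
{
    $stmt = $db->prepare('SELECT user, pw_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return $row['user'];
}

$attempts = [
    ['admin', 'constructed-admin-pw'],   // legitimate login
    ['admin', "' OR '1' = '1"],          // input quoted in the post above
    ["' OR '1' = '1", "' OR '1' = '1"],  // input quoted in the post above
];
foreach ($attempts as [$u, $p]) {
    printf("%-14s | %-20s | concatenated: %-6s | prepared: %s\n", $u, $p,
        login_concatenated($db, $u, $p) ?? 'denied',
        login_prepared($db, $u, $p) ?? 'denied');
}
```

Because the prepared statement sends the user name as a bound value, the quote characters never reach the SQL parser: both inputs from the post are denied by login_prepared while the legitimate login still succeeds.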
-
Anonymous committed patchset 1 of module CVSROOT to the Muller Messageboard System CVS repository, changing 11 files.
2001-03-16 00:11:29 UTC by nobody
-
registered the Muller Messageboard System project.
2001-03-15 23:08:19 UTC by