#2 SQL Injection Vulnerability

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-05-12
Created: 2009-05-12
Creator: Anonymous
Private: No

The project looks only partially implemented, and I'm not sure if it's dead, but if you look at some of the code and start with login.php.txt and track how the username and password information is taken in:

LOGIN.PHP.TXT

// the user isn't logged in, display the login form
?>
<input type="text" name="usrName"><input type="password" name="usrPassWord">
<?

The other files in the project aren't implemented, but the next document that handles usernames and passwords is the auth method in login.php:

LOGIN.PHP

function auth($level, $usrName, $usrPassWord) {
global $usrCookie, $usrName, $usrPassWord;
require ("config/config.php");

......

else if (isset($usrName) AND isset($usrPassWord)){
// login the user
return login($usrName, $usrPassWord, $level);
}

.......

Then the variables are passed to the login function unchanged:

.......

function login($usrName, $usrPassWord, $level) {
global $usrName, $usrPassWord;
require ("config/config.php");
// connect to server
$dbConn = mysql_connect($setMyHost, $setMyUser, $setMyPassWord);

// select database at the server
mysql_select_db($setMyDataBase, $dbConn);

// md5 password
$usrPassWord = md5($usrPassWord);

// create and execute query
// $usrName and $usrPassWord are interpolated into the SQL string as-is: this is the injection point
$sql = "SELECT userLevel, allowCookies FROM users WHERE name='$usrName' AND passWord='$usrPassWord'";

$query = mysql_query ("$sql", $dbConn);

// how many rows are in the result?
$rows = mysql_num_rows($query);
//if one it's ok

if ($rows == 1) {

.......

None of the inputs are checked before they get to this point, and the variables are passed into the query unmolested, so a possible attack would be:

username: admin' --
password: random

The password has to be filled because of the check in auth() that sees if both usrName AND usrPassWord are set. Once the bogus username and pass are through there, the attacker can log in as whoever they want to and do anything they need to do (like build their own admin account). There are other potential attacks, since the user can put whatever else they want after the bogus username. Attached is a patched login.php that would take care of the problem. It uses the mysql_real_escape_string() function built into PHP (in case the authors were relying on the magic quoting behavior of PHP, that is not recommended and will be deprecated in PHP 6).

Discussion

  • Nobody/Anonymous

    login.php patch

  • Nobody/Anonymous

    Because of the md5 hashing, the vulnerability is weaker here, and the above proposed exploit:

    username: admin' --
    password: random

    won't be effective. The attack would be more of a brute force where:

    username: ' OR '1'='1
    password: some password

    What will happen here is that, by modifying the username query, an attacker can find any username using a password of choice.

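Added example, not the project's code or the attached patch: the ticket's string-built query beside a prepared-statement version, run through PDO against an in-memory SQLite table so it executes stand-alone. The users table, its single row and the demo password are constructed here, and md5 is kept only to mirror the original; both versions are fed the legitimate credentials plus the two inputs quoted in the ticket and in the comment above.

```php
<?php
// Added example (not the project's code): the page's vulnerable query beside a
// prepared-statement replacement. Uses an in-memory SQLite database via PDO so
// it runs stand-alone; the users table, its single row and the demo password
// are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, passWord TEXT, userLevel INTEGER, allowCookies INTEGER)");
// md5 kept only to mirror the original; real code should use password_hash()/password_verify().
$db->exec("INSERT INTO users VALUES ('admin', '" . md5('demo-password') . "', 9, 1)");

// Mirrors login() from the ticket: user input is interpolated straight into the SQL string.
function loginVulnerable(PDO $db, string $usrName, string $usrPassWord): int
{
    $usrPassWord = md5($usrPassWord);
    $sql = "SELECT userLevel, allowCookies FROM users WHERE name='$usrName' AND passWord='$usrPassWord'";
    return count($db->query($sql)->fetchAll());
}

// Hardened form: placeholders keep the input as data, so quotes and comment
// markers inside $usrName can never change the structure of the query.
function loginSafe(PDO $db, string $usrName, string $usrPassWord): int
{
    $stmt = $db->prepare("SELECT userLevel, allowCookies FROM users WHERE name = ? AND passWord = ?");
    $stmt->execute([$usrName, md5($usrPassWord)]);
    return count($stmt->fetchAll());
}

// The three inputs: legitimate credentials, the ticket's payload, the comment's payload.
$cases = [
    ['admin', 'demo-password'],
    ["admin' --", 'random'],
    ["' OR '1'='1", 'some password'],
];
foreach ($cases as [$u, $p]) {
    // Only the string-built query returns a row for the commented-out username;
    // the prepared statement matches solely on the real credentials.
    printf("%-14s rows: vulnerable=%d prepared=%d\n", $u, loginVulnerable($db, $u, $p), loginSafe($db, $u, $p));
}
```

Escaping with mysql_real_escape_string(), as the attached patch does, also closes this hole, but parameterised queries remove the need to get the escaping right at every call site.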
