
#1 SQL Injection Vulnerability

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-05-12
Created: 2009-05-12
Creator: Anonymous
Private: No

When tracking user input from login.html directly to login.php it's clear that user input isn't sanitized before the SQL query is sent to the database server. This fact and the way the query is structured afford an attacker the ability to compromise the system with a simple SQL injection attack. Note the code below from login.php:

LOGIN.PHP

...........

```php
if ($submit) {

    if (isset($username) && isset($password)) {
        // $username and $password are interpolated straight into the SQL text
        $query_login = "
            select id, admin from users
            where username = '$username'
            and password = '$password'
        ";

        $db->query($query_login);

        $db->next_record();

        if ($db->num_rows() == 1) {
```

............

This code is completely vulnerable to the simple attack:

username: admin' --
password: random

The password has to be filled in because of the check for its existence, but past that the malicious user can log in as whomever they want and insert whatever code they like after the "admin'". It seems that the security from this vulnerability leans on the magic quoting behavior of PHP, but that will be deprecated in PHP 6, and since it's not recommended to keep it active, many PHP hosts would have disabled it and would thus be vulnerable while running this software. I've written a patched login.php and attached it. It uses the built-in mysql_real_escape_string() function to solve the problem. For good measure I also have it check the password.

Discussion

  • Nobody/Anonymous

    login.php patch

  • Nobody/Anonymous

    The attack that I mentioned above using " admin' -- " is ineffective;
    however, the following attacks work:

    To login with a username you are already familiar with, for example admin:

    username: admin
    password: ' OR '1' = '1

    or if you don't know a username:

    username: ' OR '1' = '1
    password: ' OR '1' = '1

    will log you in as the first user in the result set. The patch is good.
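The following PHP is an added example and is not code from the ticket, from the attached patch, or from the project. It puts the query shape from the report beside a parameterised version and runs the inputs from the ticket description and from the comment above through both. It uses PDO over an in-memory SQLite database so it runs without a MySQL server (assumption: the pdo_sqlite extension is available); the users table layout and the single sample account are constructed from the columns the reported query names.

```php
<?php
// Added example, not the project's code. Requires PHP 7.1+ with pdo_sqlite
// (assumed available). The table layout is inferred from the columns the
// reported query selects and filters on; the account below is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, admin INTEGER, username TEXT, password TEXT)');

// One constructed account, stored in clear text only so that both login
// functions below compare the same column in the same way.
$ins = $db->prepare('INSERT INTO users (admin, username, password) VALUES (?, ?, ?)');
$ins->execute([1, 'admin', 'hunter2']);

// Same shape as the reported login.php: input pasted into the SQL text.
// Returns the matched row, or null when no single row matches or the query fails.
function login_interpolated(PDO $db, string $username, string $password): ?array
{
    $sql = "select id, admin from users where username = '$username' and password = '$password'";
    try {
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return null;  // SQL broken by a stray quote ends up here
    }
    return count($rows) === 1 ? $rows[0] : null;  // the num_rows() == 1 check
}

// Parameterised version: the SQL text is fixed and the values travel
// separately, so quotes and '--' in the input are just characters in a value.
function login_prepared(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('select id, admin from users where username = ? and password = ?');
    $stmt->execute([$username, $password]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;  // same num_rows() == 1 check
}

// The inputs discussed in the ticket, plus one legitimate login for comparison.
$attempts = [
    ["admin' --",     'random'],
    ['admin',         "' OR '1' = '1"],
    ["' OR '1' = '1", "' OR '1' = '1"],
    ['admin',         'hunter2'],
];

foreach ($attempts as [$u, $p]) {
    $a = login_interpolated($db, $u, $p);
    $b = login_prepared($db, $u, $p);
    printf("%-16s %-16s interpolated: %-8s prepared: %s\n",
        $u, $p,
        $a ? "uid {$a['id']}" : 'denied',
        $b ? "uid {$b['id']}" : 'denied');
}
```

With a single account in the table, the interpolated version accepts all three of the inputs from the ticket (the `--` input comments out the password clause; the `' OR '1' = '1` inputs make the WHERE clause true for every row) and the prepared version accepts only the real credentials. The `count($rows) === 1` check mirrors the original `num_rows() == 1` test and is why the OR-based inputs only succeed when the result set has exactly one row, which matches the comment's note that they log in as the first user in the result set. Parameterised queries remove the need for escaping to be correct for every database and charset; hashing the stored passwords is a separate improvement that the ticket does not cover and this example does not show.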
