THE BUG WAS FOUND IN: index.php
$sql = "SELECT nick, passwd FROM users WHERE nick = \"$nick\" AND passwd = \"$passwd\"";
$result = mysql_query($sql);
// If user is valid redirect to this page and set the cookie.
// If user is not valid display a try again message.
if(mysql_num_rows($result) == 1) {
    // valid user: set the cookie and redirect
} else {
    // invalid user: display the try again message
}
The input is not sanitized!
The problem with the code above is that the username is interpolated straight into the query string. Because the code never checks whether the username or password have been tampered with, an SQL injection supplied in the username field will work.
If a user were to use this username and password:
Username: SOME_VALID_USERNAME\" OR 1=1 --
Password: anything
They would get access without knowing the password.
Also keep in mind that the passwords aren't encrypted in the database. So if an attacker were to steal your database, they could read every user's username and password.
I have written a patch. It is attached.
Essentially, it adds the line: $nick = mysql_real_escape_string($nick);
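For comparison, here is a hardened form of the same login check, added here as an illustration and not the attached patch: it passes the user input as bound parameters through mysqli prepared statements, so a quote character in the username is compared as data rather than parsed as SQL, and it stores and checks passwords with password_hash()/password_verify() instead of plaintext (mysql_real_escape_string quotes the value but still leaves the query built by string interpolation, and the mysql_* extension was removed in PHP 7). The column names nick and passwd come from the snippet above; the $db connection, the create_user helper and the request field names are assumptions.

```php
<?php
// Added example (not the attached patch). Assumes a mysqli connection in $db
// and that users.passwd now holds a password_hash() digest (the column must be
// wide enough for it, e.g. VARCHAR(255)) instead of the plaintext password.
function login_ok(mysqli $db, string $nick, string $passwd): bool
{
    // The placeholder keeps the username out of the SQL text entirely, so an
    // input containing quotes or "OR 1=1" is matched literally against nick.
    $stmt = $db->prepare('SELECT passwd FROM users WHERE nick = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $nick);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Compare against the stored hash; the plaintext password is never stored,
    // so a stolen users table does not reveal anyone's password.
    return $found === true && password_verify($passwd, $hash);
}

// Registration side (assumed helper): store only the hash, again via placeholders.
function create_user(mysqli $db, string $nick, string $passwd): bool
{
    $hash = password_hash($passwd, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (nick, passwd) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $nick, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (login_ok($db, $_POST['nick'] ?? '', $_POST['passwd'] ?? '')) {
    // valid user: set the cookie and redirect, as in the original flow
} else {
    // invalid user: display the try again message
}
```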