THE BUG WAS FOUND IN: index.php

// $nick and $passwd come straight from the login form and are interpolated into the query text.
$sql = "SELECT nick, passwd FROM users WHERE nick = \"$nick\" AND passwd = \"$passwd\"";
$result = mysql_query($sql);
// If user is valid redirect to this page and set the cookie.
// If user is not valid display a try again message.
if(mysql_num_rows($result) == 1)
The input is not sanitized!
THE PROBLEM WITH THE CODE ABOVE IS THAT I CAN INPUT AN SQL INJECTION FOR THE USERNAME, AND SINCE YOUR CODE DOES NOT CHECK IF THE USERNAME AND PASSWORD HAVE BEEN TAMPERED WITH, MY INJECTION WILL WORK.
If a user were to use this username and password:
Username: SOME_VALID_USERNAME" OR "1"="1 --
Password: anything/blank
They would get access without knowing the password. I have run your program, and by turning off 'magic quotes' and entering that line above, I got into the program without even knowing the password.
Also keep in mind that the passwords aren't encrypted in the database. So if the attacker were to steal your database, they could read each user's password and username.
I have written a patch. I tested it and it worked. It is attached.
Essentially, add the line: $nick = mysql_real_escape_string($nick);
iPlanner patch...
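As an added example, not part of this report and not the iPlanner code, the following rewrite of the index.php login addresses both problems described above: the form values are bound as query parameters instead of being spliced (escaped or not) into the SQL text, and the passwd column holds a password_hash() result instead of the plain password. Note that the one-line patch quoted above escapes only $nick; $passwd is interpolated into the same query and needs the same treatment, and mysql_real_escape_string() also requires an open connection so it knows the connection charset. The mysql_* extension used by the original was removed in PHP 7, so this example uses mysqli. The connection parameters, the planner.php redirect target and the session key are assumptions made for the example.

```php
<?php
// Added example, not iPlanner's code: a hardened form of the index.php login.
// Fix 1: $nick and the password are bound as parameters, never spliced into SQL text.
// Fix 2: users.passwd stores password_hash() output, so a stolen database does
//        not expose the users' passwords.
// Connection parameters, the redirect target and the session key are placeholders.
declare(strict_types=1);

function connectDb(): mysqli
{
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'iplanner'); // placeholders
    if ($db->connect_error) {
        throw new RuntimeException('database connection failed');
    }
    return $db;
}

// Registration side: hash before storing. PASSWORD_DEFAULT is bcrypt today and
// may change in later PHP releases, so the passwd column should allow 255 characters.
function createUser(mysqli $db, string $nick, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (nick, passwd) VALUES (?, ?)');
    $stmt->bind_param('ss', $nick, $hash);
    $stmt->execute();
    $stmt->close();
}

// Login side: the SQL text is constant. Whatever is typed for the nick, including
// the  SOME_VALID_USERNAME" OR "1"="1 --  string from the report, travels to the
// server as a value and is compared literally with the nick column; the OR never
// becomes part of the query.
function loginValid(mysqli $db, string $nick, string $password): bool
{
    $stmt = $db->prepare('SELECT passwd FROM users WHERE nick = ? LIMIT 1');
    $stmt->bind_param('s', $nick);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch(); // true = row read, null = no such nick
    $stmt->close();
    if ($found !== true) {
        return false;
    }
    // The password is verified in PHP against the stored hash, never in the WHERE clause.
    return password_verify($password, $storedHash);
}

// Request handling, mirroring the original flow: redirect on success, message otherwise.
session_start();
$db       = connectDb();
$nick     = $_POST['nick']   ?? '';
$password = $_POST['passwd'] ?? '';

if ($nick !== '' && loginValid($db, $nick, $password)) {
    session_regenerate_id(true);      // fresh session id once the user is authenticated
    $_SESSION['nick'] = $nick;        // assumed session key
    header('Location: planner.php');  // placeholder target page
    exit;
}
echo 'Login failed. Please try again.';
```

With this layout the WHERE clause only ever selects on the nick, so there is no row for the injected OR to match, and mysql_num_rows-style "one row means logged in" logic is replaced by an explicit password_verify() check. Existing plaintext rows would need a one-off migration to hashed values before the login path is switched over.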