
#1 SQL Injection Vulnerability

open
nobody
None
5
2009-05-13
2009-05-13
Anonymous
No

The code in auth.php is open to simple SQL injection attacks; note that the input goes unchanged into the query as it is sent to the database:

AUTH.PHP

..................

$user = $PHP_AUTH_USER;
$password = $PHP_AUTH_PW;
$query = "select * from users where user = '$user' and password = '$password'";
$result = mysql_db_query("muller", $query);
..................

At no time is either of them checked for characters that might enable an attack, so a simple attack on this system would be:

username: admin' --
password: random

The malicious user can log in as whomever they want and insert whatever code they like after the "admin'". It seems that the security from this vulnerability leans on the magic quoting behavior of PHP, but that will be deprecated in PHP 6, and since it's not recommended to keep it active, many PHP hosts would have disabled it and would thus be vulnerable while running this software. I've written a patched auth.php and attached it. It uses the built-in mysql_real_escape_string() function to solve the problem.
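To make the failure mode concrete, here is an added example (not part of the ticket or its attached patch) that rebuilds the auth.php query in Python against an in-memory SQLite table standing in for the "muller" database, then shows the same login done with a parameterized query; the table, its rows and the plaintext passwords are constructed sample data, and parameterization is used as the standard mitigation in place of the escaping function the patch relies on.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the "muller" users table queried by auth.php.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, password):
    # Mirrors auth.php: both credentials are pasted into the SQL text
    # unchanged, so a quote in either of them rewrites the WHERE clause.
    query = ("select * from users where user = '%s' and password = '%s'"
             % (user, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    # Hardened version: the driver binds the credentials as data, so quotes
    # or comment markers in them can never change the query's structure.
    row = conn.execute(
        "select * from users where user = ? and password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The password payload from the discussion below turns the clause into
    # "... password = '' OR '1' = '1'", which matches every row.
    print(login_vulnerable(db, "admin", "' OR '1' = '1"))       # admin
    print(login_parameterized(db, "admin", "' OR '1' = '1"))    # None
    print(login_parameterized(db, "admin", "s3cret"))           # admin
```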

Discussion

  • Nobody/Anonymous

    auth.php patch

  • Nobody/Anonymous

    The attack that I mentioned above using " admin' -- " is ineffective;
    however, the following attacks work:
    To log in with a username you are already familiar with, for example admin:

    username: admin
    password: ' OR '1' = '1

    or if you don't know a username:

    username: ' OR '1' = '1
    password: ' OR '1' = '1

    will log you in as the first user in the result set. The patch is still good.
