THE BUG IS IN: /includes/checkuser.inc.php
$query = "SELECT * FROM security ";
// query checks if user is in DB and if the passwords suit
// ($txtUsername and $txtPassword come straight from the request)
$query .= "WHERE s_user='$txtUsername' AND s_password='$txtPassword';";
$mysql_result = query($query);
$row = mysql_fetch_row($mysql_result);
if ($row) // <--- ONLY CHECKING IF RESULT IS NOT EMPTY ...
The input is not sanitized. An attacker can inject SQL and obtain privileged
access: because the code only checks that the result set is not empty, any
injected condition that makes the WHERE clause true is enough to be logged in.
If a user were to use this username and password:
Username: SOME_VALID_USERNAME' OR 1=1 --
Password: anything
They would get access without knowing the password.
Also keep in mind that the passwords are stored unencrypted (plaintext) in the database, so if an attacker were to steal your database they could read every user's username and password.
I have written a patch; it is attached.
Essentially, add the line: $txtUsername = mysql_real_escape_string($txtUsername);
checkuser patch
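As an added example (not the attached patch or the project's own code), the same check rewritten with a mysqli prepared statement and a hashed password column, which addresses both the injection and the plaintext-password issue above. It assumes the table and column names from the advisory (security, s_user, s_password) and that s_password has been migrated to hold password_hash() output.

```php
<?php
// Added example, not the project's code. Assumes the advisory's table/columns
// (security, s_user, s_password) and that s_password holds password_hash() output.

function authenticate(mysqli $db, string $txtUsername, string $txtPassword): bool
{
    // The SQL text is fixed; the username travels separately as a bound
    // parameter, so a value such as  x' OR 1=1 --  is compared literally to
    // s_user and can never change the WHERE clause.
    $stmt = $db->prepare("SELECT s_password FROM security WHERE s_user = ? LIMIT 1");
    $stmt->bind_param('s', $txtUsername);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Do not decide on "a row came back"; require the submitted password to
    // verify against the stored hash. An unknown user fails the same way as
    // a wrong password, so the response does not reveal which accounts exist.
    if ($row === null) {
        return false;
    }
    return password_verify($txtPassword, $row['s_password']);
}

// Registration / migration side: store a hash, never the plaintext password.
function storeUser(mysqli $db, string $txtUsername, string $txtPassword): void
{
    $hash = password_hash($txtPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO security (s_user, s_password) VALUES (?, ?)");
    $stmt->bind_param('ss', $txtUsername, $hash);
    $stmt->execute();
    $stmt->close();
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
// if (authenticate($db, $_POST['txtUsername'], $_POST['txtPassword'])) { /* logged in */ }
```

Note that escaping only $txtUsername still leaves $txtPassword concatenated into the query string; with bound parameters neither value ever becomes part of the SQL text. mysql_real_escape_string belongs to the legacy mysql extension, which was removed in PHP 7, so the mysqli form also keeps the code working on current PHP.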