#2 SQL Injection Vulnerability

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-05-12
Created: 2009-05-12
Creator: Anonymous
Private: No

This project is still in the beta stage, but there seems to be little in the way of security on this front. Some of the portions for input don't seem very well formed, but it looks like the code is vulnerable to a simple SQL injection vulnerability. In index.php, line 7, it can be seen that the input isn't touched in the login portion:

...

// -------- Login BEGIN --------
// $PHP_AUTH_USER and $PHP_AUTH_PW are the raw HTTP Basic auth credentials
// (register_globals); they are interpolated into the SQL string unescaped.
if(isset($PHP_AUTH_USER) || (isset($PHP_AUTH_PW))){
    $query="SELECT id,username,password,admin FROM user WHERE username='$PHP_AUTH_USER' AND password='$PHP_AUTH_PW'";
    $result=mysql_query($query);
    // Note: mysql_num_rows() >= 0 is true even for an empty result set.
    if(mysql_num_rows($result)>=0){
        $auth=TRUE;
        list($userid,$usern,$pass,$admin)=mysql_fetch_row($result);
    }

...

A simple exploit here is:
username: admin' --
password: random

This would allow anyone to log in as the admin (assuming admin is the administrator username), but given as many chances as they want, they can potentially log on as anyone.

I've attached a patch below using mysql_real_escape_string() which would take care of the problem.

Discussion

  • Nobody/Anonymous

    index php patch

  • Nobody/Anonymous

    The attack that I mentioned above using " admin' -- " is ineffective;
    however, the following attacks work:

    To login with a username you are already familiar with, for example admin:

    username: admin
    password: ' OR '1' = '1

    or if you don't know a username:

    username: ' OR '1' = '1
    password: ' OR '1' = '1

    will log you in as the first user in the result set.

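For comparison, the login block rewritten with a prepared statement, which closes both the report's injection and the `' OR '1' = '1` variants from the comment above. This is an added example, not the project's code or the attached patch; it assumes an existing mysqli connection in `$db`, the same `user` table (id, username, password, admin), and that the password column holds password_hash() output rather than the plaintext the original query compares against.

```php
<?php
// Added example, not the project's code. Assumes $db is a connected mysqli
// object and that `user`.`password` stores password_hash() output.

function authenticate(mysqli $db, string $username, string $password): ?array
{
    // The SQL text and the bound value travel separately, so a username such
    // as  ' OR '1' = '1  is compared as a literal string and cannot alter
    // the WHERE clause. Only the username is looked up in SQL.
    $stmt = $db->prepare(
        'SELECT id, username, password, admin FROM user WHERE username = ?'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($userid, $usern, $storedHash, $admin);

    // fetch() returns true for a matched row and null for an empty result.
    // (The original tested mysql_num_rows() >= 0, which is true even when
    // no row matched, so $auth was set for unknown users as well.)
    $found = $stmt->fetch() === true;
    $stmt->close();
    if (!$found) {
        return null;
    }

    // Verify the password in PHP so it never becomes part of a query.
    if (!password_verify($password, (string) $storedHash)) {
        return null;
    }

    return ['id' => $userid, 'username' => $usern, 'admin' => (bool) $admin];
}

// -------- Login BEGIN --------
// Read Basic auth from $_SERVER instead of the register_globals variables.
$account = authenticate(
    $db,
    $_SERVER['PHP_AUTH_USER'] ?? '',
    $_SERVER['PHP_AUTH_PW'] ?? ''
);
if ($account === null) {
    header('WWW-Authenticate: Basic realm="Login"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Login required');
}
$auth = TRUE;
list($userid, $usern, $admin) = [$account['id'], $account['username'], $account['admin']];
```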
