Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13455
HistoryJul 09, 2006 - 12:00 a.m.

[KAPDA::#46] - AjaxPortal Authentication Bypass

2006-07-0900:00:00
vulners.com
10
JSON

KAPDA New advisory

Vendor: http://myiosoft.com
Vulnerable: AjaxPortal v. 3.0
Bug: Sql Injection (Authentication Bypass)
Exploitation: Remote with browser

Description:

AjaxPortal is based on Sajax technology - an open
source tool to make programming websites using the
Ajax framework known as XMLHTTPRequest or remote
scripting as easy as possible.customizable full
featured content management tool written in PHP,
using
javascript and Mysql.

Vulnerability:

Input Validation error in loginADP Function that
result in Login bypass when Magic quotes is
disabled.

Code Snippets:
/ajaxp.php Lines: #568-593

function loginADP($username,$password,$remember){
$badlogin = 0;
if(isLoggedIn()){ return "Sucsess!"; }
$query = "SELECT * FROM
".PREFIX."ajaxp_users
WHERE username='$username' AND
password=PASSWORD('$password') AND active=1
LIMIT
1";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0){
$userinfo = mysql_fetch_array($result);
$_SESSION['sess_username'] =
$userinfo['username'];
$_SESSION['sess_firstname'] =
$userinfo['firstname'];
$_SESSION['sess_lastname'] =
$userinfo['lastname'];
$_SESSION['sess_userid'] =
$userinfo['user_id'];
$_SESSION['sess_accesslevel'] =
$userinfo['accesslevel'];
$_SESSION['sess_usermd5'] =
$userinfo['md5'];
$_SESSION['sess_theme_id'] =
$userinfo['theme_id'];
$_SESSION['sess_last_ip'] =
$_SERVER['REMOTE_ADDR'];
$_SESSION['sess_logged_in'] = 1;
$query = "UPDATE ".PREFIX."ajaxp_users
SET
last_login=NOW(),
last_ip=\"".$_SERVER['REMOTE_ADDR']."\" WHERE
user_id=".$userinfo['user_id']."";
mysql_query($query);
if($remember==1)
{$_SESSION['remember']=$userinfo['user_id'];}
else {
unset($_SESSION['remember']); }
$badlogin = 0;
return "Sucsess!";
} else {
$badlogin = 1;
}
POC:

Username:a' or user_id=22/*
Password:abcdef

Solution:

No Response from vendor.

Original Advisories:

http://www.kapda.ir/advisory-355.html

Credit :

Discovered & released by trueend5 (trueend5 kapda
ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com

JSON