Inmostore 4.0 (SQL Injection)

4 11 2007

I discovered this flaw a while ago when, surfing the web, I came across this system. It is a portal developed in PHP
for managing everything related to real estate. The advisory was also published on
Security Focus (www.securityfocus.com/bid/24884) and on other computer security sites.
Here is the advisory:

/**********************************************************
* App: Inmostore v4.0
* Vulnerability: SQL Injection
* Discovered by: Keniobats
* Date: 12/07/07
* Risk: High. Gains absolute access to all system features and discloses passwords.
* Affected Versions: 4.0 (minor versions not tested)
* Vendor: http://www.inmostore.com
*
**********************************************************/

Description:
Inmostore is paid software to manage all topics related to real estate.

* Problem Description *
Admin Login SQL Injection at line 74:
This bug can be exploited in many ways and also avoided in many ways. I'll show you one way to exploit it:

http://www.vulnerable.com/admin/index.php
Username: admin
Password: 'or''='

[................]

if($_POST['ingresar']){
$user=$_POST['user']; // raw POST input, never escaped
$pass=$_POST['pass']; // same here
$conexion=ConexionLocal();
$consulta="select * from admin where nick='$user' and password='$pass'"; // line 74: input interpolated straight into the SQL

[----------------]

/******************************/

Fix:
This is an improvised patch of my own, because the vendor did not respond to me. It is as simple as doing:
(Note that mysql_escape_string() ignores the connection's character set; mysql_real_escape_string($value, $conexion) takes it into account, and prepared statements avoid the problem altogether.)

[................]

if($_POST['ingresar']){
$user= mysql_escape_string($_POST['user']); // just escape malicious strings with this.
$pass= mysql_escape_string($_POST['pass']); // same here..
$conexion=ConexionLocal();
$consulta="select * from admin where nick='$user' and password='$pass'"; // query safe and clean :D

[----------------]

/******************************/
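Added example (not part of the original advisory or of Inmostore's code): the login query from line 74 rebuilt in Python over an in-memory SQLite table, so the `'or''='` payload from the Problem Description can be run against it, next to a parameterized version of the same query as the fix. The `admin` rows, the `make_db` helper and the function names are assumptions for the demonstration; the fix shown is a prepared statement rather than the advisory's escape-based patch.

```python
import sqlite3

# Constructed sample rows; only the column names (nick, password) come from
# the query in the advisory, the values are made up for this example.
ADMIN_ROWS = [("admin", "s3cret-not-guessable"), ("editor", "another-pw")]

# The advisory's password payload: closes the quote, ORs in an always-true
# comparison, and leaves a dangling quote for the original closing one.
PAYLOAD = "'or''='"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'admin' table the login query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (nick text, password text)")
    conn.executemany("insert into admin values (?, ?)", ADMIN_ROWS)
    return conn


def vulnerable_query(user: str, pw: str) -> str:
    """Builds the SQL text exactly as line 74 does: the untrusted values are
    interpolated into the statement, so quotes in them become SQL syntax."""
    return f"select * from admin where nick='{user}' and password='{pw}'"


def vulnerable_login(conn: sqlite3.Connection, user: str, pw: str) -> list:
    """Runs the interpolated query; the application treats any returned row
    as a successful login, which is why an always-true WHERE is enough."""
    return conn.execute(vulnerable_query(user, pw)).fetchall()


def fixed_login(conn: sqlite3.Connection, user: str, pw: str) -> list:
    """Parameterized version: the SQL text and the values travel separately,
    so input can only ever be compared as data, never parsed as syntax."""
    return conn.execute(
        "select * from admin where nick=? and password=?", (user, pw)
    ).fetchall()


def demo() -> tuple:
    """Returns (rows matched by the vulnerable query, rows matched by the fix)
    for the advisory's payload against the same table."""
    conn = make_db()
    # The interpolated text ends up as:
    # select * from admin where nick='admin' and password=''or''=''
    # which parses as (nick='admin' and password='') or (''='') -> true.
    print(vulnerable_query("admin", PAYLOAD))
    return len(vulnerable_login(conn, "admin", PAYLOAD)), len(fixed_login(conn, "admin", PAYLOAD))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable query returning every row of `admin` (the condition is true for all of them) while the parameterized query returns nothing, because `'or''='` is compared literally against the stored password.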

/** References ***************************
*
* Free Revolution Team
* Security Research
* Keniobats & Leonidaz
* http://www.frteam.com.ar
* Contact:
* Keniobats: luciano.laporta@tuquito.org.ar
* Leonidaz: pablofrias@tuquito.org.ar
******************************************/

* Greets *
To all my friends: Kyon, bombis, romanillo, topo, firu, sorry if I forgot somebody…

