~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Product: mediabox404 WebRadio & WebTV manager Version: 1.2 Release (and previous) URL: http://www.mediabox404.org VULNERABILITY CLASS: SQL injection ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [PRODUCT DESCRIPTION] This is a group of modules(administration, client, programmation, diffusion) in PHP/MySQL database that allows a webradio to manage their playlists, and so on... [VULNERABILITY] Vulnerable script: admin/login_admin_mediabox404.php [code] $requete=requete("select Pseudo from t_user where Pseudo='".$User."' and Passe='".$Password."'"); if(mysql_num_rows($requete)==0) { header("Location:login_admin_mediabox404.php?Fct=Bad_Pseudo"); } else { [/code] In case magic_quotes_gpc=0, an attacker can inject SQL statements through $User parameter. Example of exploitation: In the login form type "existing_username' or 1 = 1 or Passe='a" in the "User" field and "whatever" in the "Password" field (without double quotes). After the login bypass, the attacker can administrate the WebRadio. [Bugfix]: [code] if (get_magic_quotes_gpc()) { $User = stripslashes($User); $Password = stripslashes($Password); } $sql_requete= sprintf("select Pseudo from t_user where Pseudo='%s' and Passe='%s'", mysql_real_escape_string($User), mysql_real_escape_string($Password)); $requete=requete($sql_requete); [/code] Or grab the last snapshot from the mediabox404 CVS. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [CREDITS] Cedric Tissieres OS Objectif Securite SA http://www.objectif-securite.ch 16.08.2005 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
