On Sun, Feb 12, 2012 at 05:12:09PM +0000, rezahmail@xxxxxxxxx wrote:
> # Exploit Title: XRayCMS 1.1.1 SQL Injection Vulnerability
> # Date: 2/12/2012
> # Author: Dr.web
> # Software Link: http://sourceforge.net/projects/xraycms/files/latest/download
> # Version: 1.1.1
> # Tested on: Ubuntu
>
> XRay CMS is vulnerable to a SQL Injection attack which allows
> authentication bypass into the admin's account. If a malicious
> user supplies ' or 1=1# into the application's user name field
> they will be logged into the application's admin account.
>
> Jan 29, 2012 - Contacted Vendor No Response
> Feb 05, 2012 - Public Disclosure
>
> Since the vendor did not reply we attempted to create our own
> fixes for this issue. The vulnerability exists in "login2.php"
> on lines 20 and 21.
>
> 17 if(!isset($_POST['username'])) header("Location: login.php?error_username");
> 18 if(!isset($_POST['password'])) header("Location: login.php?error_password");
> 19
> 20 $user = $_POST['username'];
> 21 $pass = $_POST['password'];
>
> If the lines 20 and 21 are changed to:
>
> $user = mysql_real_escape_string($_POST['username']);
> $pass = mysql_real_escape_string($_POST['password']);
>
> This will prevent the sql injection from happening in the user name field.

As I did not receive any emails back from rezahmail@ on how the author informed the vendor, I reported this as https://sourceforge.net/tracker/?func=detail&aid=3488241&group_id=298778&atid=1260461

- Henri Salo
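
The same login check written with a bound parameter instead of escaping, as an added example that is not part of the original posts and is not XRayCMS code. The users table, its columns and the check_login helper are assumptions, since the page does not show the query in login2.php; an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not XRayCMS code. Table and column names are assumptions;
// the page does not show the query that login2.php builds.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    // Constructed sample account.
    $ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the username on success, null otherwise.
function check_login(PDO $db, $user, $pass): ?string
{
    // isset() alone lets arrays and empty strings through, and a header()
    // redirect does not stop the script, so reject bad input by returning here.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null;
    }
    // The value is bound as data, so quotes and comment markers in it
    // are never parsed as SQL.
    $stmt = $db->prepare('SELECT username, pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Compare against a stored hash instead of placing the password in the query.
    return password_verify($pass, $row['pass_hash']) ? $row['username'] : null;
}

$db = make_demo_db();
$cases = [
    ['admin', 'correct horse'],   // valid credentials
    ['admin', 'wrong'],           // wrong password
    ["' or 1=1#", 'x'],           // the string quoted in the advisory
];
foreach ($cases as [$u, $p]) {
    $who = check_login($db, $u, $p);
    printf("%-12s => %s\n", $u, $who === null ? 'rejected' : "logged in as $who");
}
```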