
Full Disclosure mailing list archives

Centre 1.0 PHP injection, bypass authentication + possible SQL injection.
From: "Manip" <Bug () thelostsite co uk>
Date: Fri, 2 Jul 2004 01:44:22 +0100

Summary: The Miller Group, Inc. [www.miller-group.net] announces the release of Centre, a free student information system for public and non-public schools. Centre is a web-based, open source, student management product with features that include scheduling, grade book, attendance, eligibility, transcripts, and more. And, of course, student and employee information screens are critical components of Centre.

Version: 1.0

Exploit: Centre does not check that a user is logged in and has sufficient permissions to perform admin tasks. An example of this can be seen when attempting to create a new account:

http://demo.miller-group.net/index.php?modfunc=create_account&staff&username=admin&staff_id=new

However, this problem exists at almost every level within the software. There are also poor checks carried out when passing user data, which could lead to SQL injection problems. There is a more serious problem within modules.php: there is no checking on the path of the module, which could lead to PHP injection.

Modules.php?modname=../../../MyCode/Stuff.php

Fix: Disable Centre until an update is released (the problems are too extensive).


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
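
Added example (not part of the original post and not Centre's own code): the two checks the advisory reports as missing, a module path validator and a permission gate for admin actions. The function names, the 'profile' session key, and the module layout are hypothetical.

```php
<?php
// Added example, not Centre's code. Function names, the 'profile' session key,
// and the directory layout are assumptions made for illustration.

/** Resolve a requested module to a file under $baseDir; null means reject. */
function resolve_module(string $modname, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only module names the application registered are loadable.
    if (!in_array($modname, $allowed, true)) {
        return null;
    }
    // 2. Defense in depth: canonicalize, then confirm the result is still
    //    inside the modules directory (catches ../ and symlink escapes).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $modname);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Gate for privileged actions: a logged-in session with the admin profile. */
function require_admin(array $session): bool
{
    return isset($session['staff_id'], $session['profile'])
        && $session['profile'] === 'admin';
}

// Constructed demo: a temporary modules directory with one registered module.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'centre_demo_' . getmypid();
@mkdir($base . '/Students', 0700, true);
file_put_contents($base . '/Students/Search.php', "<?php // demo module\n");
$allowed = ['Students/Search.php'];

foreach (['Students/Search.php', '../../../MyCode/Stuff.php'] as $req) {
    $p = resolve_module($req, $base, $allowed);
    echo $req, ' => ', $p === null ? 'rejected' : 'loaded from ' . $p, "\n";
}
// An anonymous request for modfunc=create_account carries no session data.
echo 'anonymous create_account => ', require_admin([]) ? 'allowed' : 'denied', "\n";

// Remove the constructed demo files.
unlink($base . '/Students/Search.php');
rmdir($base . '/Students');
rmdir($base);
```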

