[VIM] false: phpHoo3 Login SQL injection

Steven M. Christey coley at mitre.org
Tue May 8 22:43:55 UTC 2007


Researcher: iLker Kandemir
Ref: BUGTRAQ phpHoo3 (admin.php) Remote Login Bypass SQL Injection
Vulnerability
    http://www.securityfocus.com/archive/1/archive/1/467839/100/0/threaded

Claimed SQL injection.

1) Even the code as quoted in the post has nothing that involves SQL
   (although the product does use SQL).

2) egrep 'ADMIN_USER|ADMIN_PASS' *.php yields ZERO uses of $ADMIN_USER
   and $ADMIN_PASS besides:

admin.php:

  if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS))

and phpHoo3_config.php (included by config.php):

  $ADMIN_USER = "user";                   // Username to enter admin mode
  $ADMIN_PASS = "pass";                   // Password to enter admin mode

So, ADMIN_USER/ADMIN_PASS are not vectors for SQL injection.

Since admin.php requires config.php before the ADMIN_USER/ADMIN_PASS
conditional, there's no "login bypass" possible since
$ADMIN_USER/$ADMIN_PASS can't be overwritten.

A side note: this code is ancient (2001).

- Steve
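
The check described in this post, written out as an added example (not part of the original message and not phpHoo3 code): it classifies every use of the named variables and confirms that the config include comes before the comparison. The sample sources are constructed from the lines quoted above; example_query.php and its $KEYWORDS query are hypothetical, included only to show what a SQL hit would look like.

```python
import re

# Constructed sample sources modelled on the lines quoted in the post.
# example_query.php is hypothetical: it only shows a contrasting "sql" hit.
FILES = {
    "phpHoo3_config.php": '<?php\n$ADMIN_USER = "user";\n$ADMIN_PASS = "pass";\n',
    "config.php": '<?php\nrequire("phpHoo3_config.php");\n',
    "admin.php": '<?php\nrequire("config.php");\n'
                 'if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS))\n',
    "example_query.php": '<?php\n$q = "SELECT * FROM links WHERE name = \'$KEYWORDS\'";\n',
}
NAMES = ["ADMIN_USER", "ADMIN_PASS"]
SQL_HINT = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b|mysql_query", re.I)

def classify(line, name):
    """Label how $name is used on one line: sql, assign, compare or other."""
    var = re.escape("$" + name)
    if SQL_HINT.search(line):
        return "sql"
    if re.search(var + r"\s*=(?!=)", line):
        return "assign"
    if re.search(r"[=!]=+\s*" + var + r"|" + var + r"\s*[=!]=", line):
        return "compare"
    return "other"

def find_uses(files, names):
    """Equivalent of the egrep in the post, with each hit classified."""
    hits = []
    for fname, src in sorted(files.items()):
        for lineno, line in enumerate(src.splitlines(), 1):
            for name in names:
                if re.search(re.escape("$" + name) + r"\b", line):
                    hits.append((fname, lineno, name, classify(line, name)))
    return hits

def config_precedes_use(src, config_file, names):
    """True if the require/include of config_file comes before any use of names."""
    inc = re.search(r"\b(?:require|include)(?:_once)?\s*\(?\s*[\"']" + re.escape(config_file), src)
    uses = [m.start() for n in names for m in re.finditer(re.escape("$" + n) + r"\b", src)]
    return bool(inc) and all(inc.start() < u for u in uses)

def reaches_sql(files, names):
    """True if any use of the named variables sits on a line that builds SQL."""
    return any(kind == "sql" for *_, kind in find_uses(files, names))

if __name__ == "__main__":
    for hit in find_uses(FILES, NAMES):
        print(hit)
    print("reaches SQL:", reaches_sql(FILES, NAMES))
```

The SQL detection is a keyword heuristic on single lines, so a "no SQL" result narrows the review but does not replace reading the flagged lines.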

