[VIM] false: phpHoo3 Login SQL injection
Steven M. Christey
coley at mitre.org
Tue May 8 22:43:55 UTC 2007
Researcher: iLker Kandemir
Ref: BUGTRAQ phpHoo3 (admin.php) Remote Login Bypass SQL Injection Vulnerability
http://www.securityfocus.com/archive/1/archive/1/467839/100/0/threaded
Claimed SQL injection.
1) Even the code as quoted in the post has nothing that involves SQL
(although the product does use SQL).
2) egrep 'ADMIN_USER|ADMIN_PASS' *.php yields ZERO uses of $ADMIN_USER
and $ADMIN_PASS besides:
admin.php:
if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS))
and phpHoo3_config.php (included by config.php):
$ADMIN_USER = "user"; // Username to enter admin mode
$ADMIN_PASS = "pass"; // Password to enter admin mode
So, ADMIN_USER/ADMIN_PASS are not vectors for SQL injection.
Since admin.php requires config.php before the ADMIN_USER/ADMIN_PASS
conditional, there's no "login bypass" possible since
$ADMIN_USER/$ADMIN_PASS can't be overwritten.
As a side note, this code is ancient (2001).
- Steve
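The triage step above (trace every reference to $ADMIN_USER/$ADMIN_PASS and check whether any of them reaches an SQL call) can be scripted so the same dispute can be settled for any variable name. The script below is an added example, not part of Steve's post or of phpHoo3; the two PHP files it writes are constructed stand-ins modelled on the lines quoted above (the require of config.php, the equality check, the two assignments), plus one constructed, unrelated mysql_query() line so the SQL-sink filter has something to ignore. The list of SQL function names and keywords used as the sink filter is an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "grep for the
# variables, then see whether any hit touches SQL" check from the VIM message.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for phpHoo3_config.php, modelled on the quoted lines.
cat > "$WORK/phpHoo3_config.php" <<'EOF'
<?php
$ADMIN_USER = "user"; // Username to enter admin mode
$ADMIN_PASS = "pass"; // Password to enter admin mode
?>
EOF

# Constructed stand-in for admin.php: config is required before the check,
# and the admin variables are only ever compared, never used in a query.
# The mysql_query() line is constructed to give the sink filter a real
# SQL call that does NOT involve the admin variables.
cat > "$WORK/admin.php" <<'EOF'
<?php
require("config.php");
if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS)) {
    $admin = 1;
}
$result = mysql_query("SELECT * FROM links WHERE id = " . intval($vars["ID"]));
?>
EOF

# list_refs DIR PATTERN: every *.php line mentioning one of the variables,
# with file name and line number (the egrep step from the post).
list_refs() {
    grep -n -E "$2" "$1"/*.php || true
}

# sql_sinks DIR PATTERN: the subset of those lines that also contain an SQL
# API call or SQL keyword. Only these lines could carry an injection; an
# empty result means the variables are not SQL injection vectors.
# The keyword list is an assumption chosen for this example.
sql_sinks() {
    list_refs "$1" "$2" \
        | grep -i -E 'mysql_query|mysqli|pg_query|SELECT|INSERT|UPDATE|DELETE' \
        || true
}

count_refs()  { list_refs "$1" "$2" | wc -l | tr -d ' '; }
count_sinks() { sql_sinks "$1" "$2" | wc -l | tr -d ' '; }

PATTERN='ADMIN_USER|ADMIN_PASS'
echo "References to $PATTERN:"
list_refs "$WORK" "$PATTERN"
echo "SQL sinks among them: $(count_sinks "$WORK" "$PATTERN")"
```

Run it as-is to see the three references (two assignments, one comparison) and a sink count of zero; to triage another report, change PATTERN and point WORK at the product's source tree instead of the constructed files.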