[VIM] false: phpHoo3 Login SQL injection

Steven M. Christey coley at mitre.org
Tue May 8 22:43:55 UTC 2007

Researcher: iLker Kandemir
Ref: BUGTRAQ phpHoo3 (admin.php) Remote Login Bypass SQL Injection

Claimed SQL injection.

1) Even the code as quoted in the post has nothing that involves SQL
   (although the product does use SQL).

2) egrep 'ADMIN_USER|ADMIN_PASS' *.php yields ZERO uses of $ADMIN_USER
   and $ADMIN_PASS besides:
  if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS))

and phpHoo3_config.php (included by config.php):

  $ADMIN_USER = "user";                   // Username to enter admin mode
  $ADMIN_PASS = "pass";                   // Password to enter admin mode

So, ADMIN_USER/ADMIN_PASS are not vectors for SQL injection.

Since admin.php requires config.php before the ADMIN_USER/ADMIN_PASS
conditional, there's no "login bypass" possible since
$ADMIN_USER/$ADMIN_PASS can't be overwritten.

A side note, this code is ancient (2001).

- Steve