Recent Auth Bypass vulnerabilities

Here is a short summary of recent Auth Bypass vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.

Authentication Bypass by SQL Injection in Social Share.

Description.

Vulnerable script: functions.php

The username parameter is not properly sanitized before being used in a SQL query. This can be used to run any SQL query by injecting arbitrary SQL code, and to log in without a password.

Condition: magic_quotes: off

Exploit.

Username: anytext' or verified=1#

Password: arbitrary_text

Solution

Solution is not available.

Cookie authentication bypass in Alguest.

Description.

The admin.php, opzioni.php, elimina.php and modifica.php scripts lack proper cookie-based authentication. Administration functions are at risk.

Exploit.

There is no real password comparison for the admin user. The administration scripts check only for the existence of the admin cookie.

Cookie: admin=anyvalue

Solution

Solution is not available.

SQL injection Auth Bypass in Easy Banner Free.

Description.

The vulnerability exists in the member.php script. The user-defined parameters username and password are not properly sanitized against SQL injection. This can be used to bypass authentication or execute arbitrary SQL queries.

Exploit.

Authentication bypass in member.php is possible using one of the following SQL injections:

username: ' or 1#

password: ' or 'a'='a

Condition: magic_quotes_gpc = off

Solution

Solution is not available.

Cookie Auth Bypass in Hot Links SQL.

Description.

A cookie Auth Bypass vulnerability was found in Hot Links SQL 3. It is possible to get access to the admin panel without any password comparison.

Exploit.

There is no password comparison during the authentication process. The script checks only the admin cookie: if its value is "logged in", the user is authenticated as Admin.

Cookie: admin=logged in

Solution

Solution is not available.
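
The two cookie checks described in the Alguest and Hot Links SQL advisories, next to a check that verifies a server-issued value. This is an added example, not code from either product or from the eVuln advisories; the function names, the secret and the signed-cookie scheme are assumptions chosen for illustration.

```php
<?php
// Added example: models the cookie checks described in the Alguest and
// Hot Links SQL advisories. Function names and the secret are hypothetical.

// Alguest, as described: only the existence of the admin cookie is checked.
function alguest_style_check(array $cookies): bool {
    return isset($cookies['admin']);
}

// Hot Links SQL, as described: a fixed, guessable cookie value is compared.
function hotlinks_style_check(array $cookies): bool {
    return ($cookies['admin'] ?? '') === 'logged in';
}

// Hardened: the cookie carries a random session id plus an HMAC made with a
// server-side secret, issued only after the password has been verified.
function issue_admin_cookie(string $secret): string {
    $sid = bin2hex(random_bytes(16));
    return $sid . '.' . hash_hmac('sha256', $sid, $secret);
}

function hardened_check(array $cookies, string $secret): bool {
    $parts = explode('.', $cookies['admin'] ?? '', 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0])) {
        return false; // missing, malformed or client-invented value
    }
    $expected = hash_hmac('sha256', $parts[0], $secret);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

$secret = 'constructed-demo-secret'; // assumption: loaded from server config
$tests = [ // constructed sample cookies; the two values are from the advisories
    'no cookie'          => [],
    'admin=anyvalue'     => ['admin' => 'anyvalue'],
    'admin=logged in'    => ['admin' => 'logged in'],
    'issued after login' => ['admin' => issue_admin_cookie($secret)],
];
foreach ($tests as $label => $cookies) {
    printf("%-20s alguest=%d hotlinks=%d hardened=%d\n", $label,
        alguest_style_check($cookies), hotlinks_style_check($cookies),
        hardened_check($cookies, $secret));
}
```

The signed cookie here only shows that the server must verify a value the client cannot invent. A deployed fix would normally keep the login state in a server-side session with an expiry.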

Authentication Bypass and SQL Injection in MD News.

Description.

Vulnerable script: admin.php

The id parameter is not properly sanitized before being used in a SQL query. This can be used to run any SQL query by injecting arbitrary SQL code.

The "Administration Area" script has no authentication at all. Any user can get access to the administrator's area; they only need to know the script name.

Exploit.

SQL Injection Example:

http://[host]/admin.php?action=full&id=-1 union select 1,2,3,4,5

Solution

Solution is not available.
