phpvms / phpvms_v2

Virtual Airline Management (not maintained)
http://www.phpvms.net
BSD 3-Clause "New" or "Revised" License
41 stars 46 forks

Auth.class.php security hole #119

Closed Oxymoron290 closed 10 years ago

Oxymoron290 commented 10 years ago

Function: ProcessLogin($useridoremail, $password), lines 256 through 258

$emailaddress = DB::escape($useridoremail);   // escaped copy, never used below
$sql = 'SELECT * FROM ' . TABLE_PREFIX . 'pilots
        WHERE email=\'' . $useridoremail . '\'';  // raw input interpolated

Warning: $emailaddress is unused in this scope.
Warning: no protection for variable $useridoremail in query $sql.

Suggested fix: Change the value of $sql to the following:

$sql = 'SELECT * FROM ' . TABLE_PREFIX . 'pilots
        WHERE email=\'' . $emailaddress . '\'';
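The lookup pattern the issue describes, reproduced against an in-memory SQLite table as an added example. This is Python written for this page, not phpVMS's PHP and not code from the issue; the table prefix `phpvms_`, the sample rows, the payload, and the small `escape()` standing in for `DB::escape` are all assumptions. It shows the three variants side by side: the shipped code (escaped copy computed, raw input interpolated), the suggested fix (escaped copy interpolated), and a bound parameter. The thread does not show the password check that follows the lookup, so the example stops at what the query returns.

```python
"""Reproduce the phpVMS ProcessLogin() email lookup against SQLite.

Constructed example, not phpVMS code: a throwaway in-memory table plays
the role of TABLE_PREFIX . 'pilots', and escape() stands in for
DB::escape (assumed to quote-escape a string for interpolation).
"""
import sqlite3

TABLE_PREFIX = "phpvms_"  # assumption: the real prefix is not given on the page

# Constructed sample rows; the password column holds placeholder hashes.
PILOTS = [
    (1, "admin@example.invalid", "hash-of-admin-password"),
    (2, "pilot@example.invalid", "hash-of-pilot-password"),
]

# Attacker-controlled "email": closes the string literal, ORs in a condition
# that selects pilot 1, then comments out the closing quote the template adds.
INJECTION = "x' OR pilotid=1 --"


def make_db():
    """In-memory stand-in for the pilots table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE_PREFIX}pilots "
        "(pilotid INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany(f"INSERT INTO {TABLE_PREFIX}pilots VALUES (?, ?, ?)", PILOTS)
    return conn


def escape(value):
    """Stand-in for DB::escape: doubles single quotes (SQLite's quoting rule)
    so the value can no longer terminate the surrounding string literal."""
    return value.replace("'", "''")


def lookup_vulnerable(conn, useridoremail):
    """The pattern in the issue: escape() is called, but the query
    interpolates the raw input, so the escaped copy is dead code."""
    emailaddress = escape(useridoremail)  # computed and never used
    sql = "SELECT * FROM " + TABLE_PREFIX + "pilots WHERE email='" + useridoremail + "'"
    return conn.execute(sql).fetchone()


def lookup_escaped(conn, useridoremail):
    """The issue's suggested fix: interpolate the escaped copy instead."""
    emailaddress = escape(useridoremail)
    sql = "SELECT * FROM " + TABLE_PREFIX + "pilots WHERE email='" + emailaddress + "'"
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, useridoremail):
    """Stronger fix: bind the value so it is never part of the SQL text."""
    sql = "SELECT * FROM " + TABLE_PREFIX + "pilots WHERE email=?"
    return conn.execute(sql, (useridoremail,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, INJECTION))     # pilot 1's row
    print("escaped:      ", lookup_escaped(db, INJECTION))        # None
    print("parameterized:", lookup_parameterized(db, INJECTION))  # None
```

With the raw interpolation, the payload turns the WHERE clause into `email='x' OR pilotid=1 --'` and the query hands back a row the caller never asked for by email; with either fix the same input is treated as a literal address and matches nothing. Using the escaped copy is the one-line change the issue proposes; binding the parameter removes the need to get escaping right at every call site.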

equinoxmatt commented 10 years ago

It isn't really an issue. It should be fixed, but no security hole as the password is checked separately.

i.e. in the login, I can enter: security@phpvms.com OR 'x'='x

This would then throw an error saying I have entered the wrong password. This means my SQL injection has been successful. I have returned some data. I have no way of exploiting this though as the password field is protected.

I do agree though, it needs to be fixed.

equinoxmatt commented 10 years ago

ok I take it back, I just exploited my local copy. This is now urgent

Oxymoron290 commented 10 years ago

Yay! I helped!