[Security Lesson] Find the Vulnerability and Exploit :: 3


Re: [Security Lesson] Find the Vulnerability and Exploit :: 3

Postby Aureax » 17 Dec 2009, 04:37

Spoiler:
Code:
if (isset($_COOKIE['grestul']))
{

    include 'inc/config.php';

    $username = $_COOKIE['grestul']['username'];
    $passcode = $_COOKIE['grestul']['passcode'];

    $query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND pass = '$passcode'";
    $result = mysql_query($query, $db);
}


One could easily modify the cookie to SQL inject the query.

Example:
User sets cookie grestul['username'] to admin' or '1'='1 and grestul['passcode'] to password' or '1'='1
The server executes: SELECT user, pass FROM grestullogin WHERE user = 'admin' or '1'='1' AND pass = 'password' or '1'='1'
The server selects all usernames and passwords from the database.

Another example:
View admin posts:
User sets cookie grestul['username'] to <own username>' UNION SELECT id, post FROM phpbb3_posts WHERE board='<admin board id>
The server executes: SELECT user, pass FROM grestullogin WHERE user = '<own username>' UNION SELECT id, post FROM phpbb3_posts WHERE board='<admin board id>' AND pass='<own_password>'
The server selects all posts from an admin forum.
Aureax
Crewman
Posts: 3
Joined: 17 Dec 2009, 04:31
Gender: Male
phpBB Knowledge: 4
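
The tautology injection described above, reproduced as an added example that is not part of the original post or of the lesson's PHP. It uses Python with an in-memory SQLite table (a stand-in for the MySQL grestullogin table) and constructed sample rows; login_vulnerable mirrors the lesson's string-built query, and login_parameterized is the hardened form that keeps cookie values as data.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's grestullogin table.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")]


def make_db():
    """Build an in-memory database seeded with the constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grestullogin (user TEXT, pass TEXT)")
    db.executemany("INSERT INTO grestullogin VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, username, passcode):
    """Mirror of the lesson's code: cookie values are spliced into the SQL text,
    so quotes inside them change the query's structure."""
    query = (
        "SELECT user, pass FROM grestullogin "
        f"WHERE user = '{username}' AND pass = '{passcode}'"
    )
    return db.execute(query).fetchall()


def login_parameterized(db, username, passcode):
    """Hardened version: placeholders send the cookie values to the database
    separately from the statement, so they can never become SQL."""
    query = "SELECT user, pass FROM grestullogin WHERE user = ? AND pass = ?"
    return db.execute(query, (username, passcode)).fetchall()


def compare(username, passcode):
    """Return (rows from vulnerable query, rows from parameterized query)."""
    db = make_db()
    return login_vulnerable(db, username, passcode), login_parameterized(db, username, passcode)


if __name__ == "__main__":
    payload_user = "admin' or '1'='1"
    payload_pass = "password' or '1'='1"
    vuln, safe = compare(payload_user, payload_pass)
    print("vulnerable query returned", len(vuln), "rows")     # every user
    print("parameterized query returned", len(safe), "rows")  # none
```

With the payload from the post, the string-built query returns every row in the table while the parameterized one matches nothing, because the literal text `admin' or '1'='1` is compared against the user column instead of being parsed as SQL.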


Re: [Security Lesson] Find the Vulnerability and Exploit :: 3

Postby Typo » 21 Feb 2010, 05:22

I like these :)

Spoiler:
I see a couple of problems that bother me. One, and I think it's the obvious one, is the un-sanitized cookie used for input in the second half of the script that would let you run just about any code you wanted in the SQL query.

The other thing that bothered me is that the password was only md5'ed and for some reason was stored in a cookie. This seems like a bad idea; anywhere a password is stored, encrypted or not (lightly in this case), that's just another place the password can be stolen/accessed from. What if the user is on a public machine on which cookies are enabled?


Thanks for another distraction.

Typo
phpBB Team Member
Posts: 57
Joined: 21 Jan 2009, 04:37
Location: USA
Gender: Male
phpBB Knowledge: 6
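
One way to avoid putting a password hash in the cookie at all, as an added example that is not part of the original post or the lesson: the server issues a random, opaque remember-me token, stores only a hash of it, and maps the cookie back to a user on each request. The token store, lifetime and function names below are assumptions for the illustration; a real deployment would keep the table in the database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store standing in for a server-side table:
# sha256(token) -> (username, expiry timestamp). Only the hash is kept, so a
# leaked copy of the table does not yield usable cookies.
TOKEN_STORE = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day lifetime, in seconds


def _hash_token(token):
    """Hash the cookie value so the stored form cannot be replayed directly."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me(username, now=None, store=TOKEN_STORE):
    """Create the value to set in the cookie. It is random and unrelated to the
    password, so a stolen cookie never reveals the password itself."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[_hash_token(token)] = (username, now + TOKEN_LIFETIME)
    return token


def user_from_cookie(token, now=None, store=TOKEN_STORE):
    """Resolve a cookie value to a username, or None if unknown or expired.
    Expired entries are removed as they are seen."""
    now = time.time() if now is None else now
    digest = _hash_token(token)
    match = None
    for stored_hash in store:
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(stored_hash, digest):
            match = stored_hash
            break
    if match is None:
        return None
    username, expires_at = store[match]
    if now > expires_at:
        del store[match]
        return None
    return username


def revoke(token, store=TOKEN_STORE):
    """Invalidate a cookie server-side, e.g. on logout from a shared machine."""
    store.pop(_hash_token(token), None)


if __name__ == "__main__":
    cookie = issue_remember_me("alice")
    print("cookie value:", cookie)
    print("resolves to:", user_from_cookie(cookie))
    revoke(cookie)
    print("after revoke:", user_from_cookie(cookie))
```

Because the cookie carries nothing derived from the password, the public-machine case Typo raises is reduced to revoking one token rather than changing a password, and expiry bounds how long a forgotten cookie stays valid.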
