[VIM] false: phpHoo3 Login SQL injection
Steven M. Christey
coley at mitre.org
Tue May 8 22:43:55 UTC 2007
Researcher: iLker Kandemir
Ref: BUGTRAQ phpHoo3 (admin.php) Remote Login Bypass SQL Injection
Claimed SQL injection.
1) Even the code as quoted in the post has nothing that involves SQL
(although the product does use SQL).
2) egrep 'ADMIN_USER|ADMIN_PASS' *.php yields ZERO uses of $ADMIN_USER
and $ADMIN_PASS besides:
if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS))
and phpHoo3_config.php (included by config.php):
$ADMIN_USER = "user"; // Username to enter admin mode
$ADMIN_PASS = "pass"; // Password to enter admin mode
So, ADMIN_USER/ADMIN_PASS are not vectors for SQL injection.
Since admin.php requires config.php before the ADMIN_USER/ADMIN_PASS
conditional, there's no "login bypass" possible since
$ADMIN_USER/$ADMIN_PASS can't be overwritten.
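As an added illustration of the triage step above (this is not part of Christey's message and not phpHoo3 code), the following Python helper does what the egrep does and then classifies each hit, so an analyst can see at a glance whether a variable ever reaches a query rather than just a plain comparison. Only the two quoted phpHoo3 lines and the conditional are taken from the post; the surrounding file contents, the file names other than the two mentioned above, the `search.php` counterexample and the `$term` variable are constructed to show what a real SQL sink would look like next to a non-sink.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the files the post greps. Only the two
# config assignments and the admin.php conditional are quoted from the
# post; everything else (including search.php) is illustrative filler.
SAMPLE_FILES: Dict[str, str] = {
    "phpHoo3_config.php": (
        "<?php\n"
        '$ADMIN_USER = "user"; // Username to enter admin mode\n'
        '$ADMIN_PASS = "pass"; // Password to enter admin mode\n'
    ),
    "admin.php": (
        "<?php\n"
        'require("config.php");\n'
        'if (($vars["USER"] == $ADMIN_USER) && ($vars["PASS"] == $ADMIN_PASS)) {\n'
        "    $admin_mode = 1;\n"
        "}\n"
    ),
    # Constructed counterexample: a variable that really does reach a query.
    "search.php": (
        "<?php\n"
        '$term = $vars["TERM"];\n'
        "$r = mysql_query(\"SELECT * FROM links WHERE title LIKE '%$term%'\");\n"
    ),
}

# Tokens that indicate a line builds or executes SQL (deliberately coarse,
# the point is to separate "used in a query" from "used in a comparison").
SQL_MARKERS = re.compile(
    r"mysql_query|mysql_db_query|\bSELECT\b|\bINSERT\b|\bUPDATE\b|\bDELETE\b",
    re.IGNORECASE,
)

Hit = Tuple[str, int, str]  # (file name, line number, stripped source line)


def find_uses(files: Dict[str, str], ident: str) -> List[Hit]:
    """egrep-equivalent: every line that mentions $ident as a whole word."""
    pat = re.compile(r"\$" + re.escape(ident) + r"\b")
    hits: List[Hit] = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if pat.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


def classify(line: str) -> str:
    """Label a hit as 'sql', 'comparison', 'assignment' or 'other'."""
    if SQL_MARKERS.search(line):
        return "sql"
    if re.search(r"==|!=", line):
        return "comparison"
    if re.match(r"\$\w+\s*=\s*", line):
        return "assignment"
    return "other"


def sql_sinks(files: Dict[str, str], ident: str) -> List[Hit]:
    """Only the hits where the identifier appears on a SQL-building line."""
    return [h for h in find_uses(files, ident) if classify(h[2]) == "sql"]


def report(files: Dict[str, str], ident: str) -> Dict[str, int]:
    """Count hits per classification; all-zero 'sql' means no injection sink."""
    counts = {"sql": 0, "comparison": 0, "assignment": 0, "other": 0}
    for _, _, line in find_uses(files, ident):
        counts[classify(line)] += 1
    return counts


if __name__ == "__main__":
    for ident in ("ADMIN_USER", "ADMIN_PASS", "term"):
        print(ident, report(SAMPLE_FILES, ident))
        for name, lineno, line in find_uses(SAMPLE_FILES, ident):
            print(f"  {name}:{lineno}: [{classify(line)}] {line}")
```

For the two admin variables the report shows one assignment and one comparison each and no SQL sink, which is the post's conclusion; the constructed `$term` shows the opposite pattern, one assignment followed by a `mysql_query` line, which is the shape a genuine SQL injection claim would need to point at.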
A side note, this code is ancient (2001).