Bugtraq mailing list archives

AdMentor Login Flaw


From: Frank <thran60 () hotmail com>
Date: 21 Feb 2002 10:25:54 -0000



Regarding : AdMentor v2.11 and earlier
Homepage: http://www.aspcode.net

AdMentor allows any user to login as admin.

The base path of the login is usually :

http://www.someserver.com/admentor/admin/admin.asp

By using Login : ' or ''='   , and Password : ' or ''='
We create a legal query because it will get appended as:

SELECT row FROM table WHERE login = '' or ''=''

Same goes for the password. This allows us to login 
without any trouble as the main admin. Vendor has 
been warned of the bug, but has not released a patch 
yet. Temporary solution, filter out the bad chars ' " ~ \ 
/ by using the following piece of javascript :

function RemoveBad(strTemp) {
    // strip the characters the advisory lists as dangerous before the value reaches the query
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}

And calling it from within the asp script :

var login = RemoveBad(Request.QueryString("login"));

var password = RemoveBad(Request.QueryString("password"));

I am not sure about the correct vars set in the form, 
you might want to tweak it just a bit. Haven't drunk my 
coffee yet :)

Credits:

Bug found by thran, thran60 () hotmail com
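The advisory describes the tautology the input produces in the login query and proposes a character blacklist as a stopgap. The following is an added illustration, not code from the post or from AdMentor: it rebuilds the same query shape against an in-memory SQLite table (constructed sample data), shows the concatenated query accepting the advisory's input, shows the blacklist stripping it, and shows a bound-parameter query as the structural fix. Table and column names are assumptions.

```python
import re
import sqlite3

# Constructed sample data: one account; the password is not known to the caller.
USERS = [("admin", "s3cret")]
TAUTOLOGY = "' or ''='"   # the login/password value quoted in the advisory


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def vulnerable_login(con, login, password):
    """Same pattern the advisory describes: input pasted straight into the SQL text."""
    sql = ("SELECT login FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    # The advisory's input turns this into ... login = '' or ''='' AND password = '' or ''=''
    # and the trailing ''='' is always true, so a row comes back without credentials.
    return con.execute(sql).fetchone() is not None


def remove_bad(s):
    """Python port of the advisory's RemoveBad() blacklist (same character set)."""
    return re.sub(r"[<>\"'%;()&+-]", "", s)


def safe_login(con, login, password):
    """Bound parameters: the driver keeps the input as data, so no quote can end the literal."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return con.execute(sql, (login, password)).fetchone() is not None


def demo():
    con = make_db()
    return {
        "vuln_real": vulnerable_login(con, "admin", "s3cret"),
        "vuln_tautology": vulnerable_login(con, TAUTOLOGY, TAUTOLOGY),
        "vuln_filtered": vulnerable_login(con, remove_bad(TAUTOLOGY), remove_bad(TAUTOLOGY)),
        "safe_real": safe_login(con, "admin", "s3cret"),
        "safe_tautology": safe_login(con, TAUTOLOGY, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The blacklist stops this particular input, but it also strips characters legitimate users may need and still leaves the query assembled from text; the parameterized form removes the problem regardless of what the input contains.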

