
OCS Inventory NG Server <= 1.3b3 (login) Remote Authentication Bypass





Software      : Open Computer and Software (OCS) Inventory NG
Download      : http://www.ocsinventory-ng.org/
Discovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)
Version       : 1.03-beta3 and prior
Impact        : Critical
Remote        : Yes (No authentication is needed)


== Description =
Open Computer and Software (OCS) Inventory Next Generation (NG) is an
application designed to help a network or system administrator keep track
of the configuration of the computers on the network and the software
installed on them.

The vulnerability is a SQL injection in the header.php file. An attacker
can pass a specially crafted SQL string that can be used to create or modify
information stored in the database, or to authenticate as any user.

script : header.php

if(isset($_POST["login"])) {
  // $_POST["login"] is concatenated into the SQL text without any escaping
  $req="SELECT id, accesslvl, passwd FROM operators WHERE id='".$_POST["login"]."'";
  $res=mysql_query($req,$_SESSION["readServer"]) or die(mysql_error());

  if($row=@mysql_fetch_object($res))
  {
    // DL 25/08/2005
    // Support new MD5 encrypted password or old clear password for login only
    if (($row->passwd != md5( $_POST["pass"])) and
        ($row->passwd != $_POST["pass"])) {
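
A hardened form of the login lookup quoted above, as an added example that is not OCS Inventory NG code and not part of the original advisory: the login value is bound as a statement parameter instead of being concatenated into the SQL text. Assumptions: PDO with an in-memory SQLite table standing in for `operators`, a hypothetical `authenticate()` helper, `password_hash()` storage in place of the MD5/clear-text comparison, and a constructed account and password.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the operators table (not the project's schema file).
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE operators (id TEXT PRIMARY KEY, accesslvl INTEGER, passwd TEXT)');
    $ins = $db->prepare('INSERT INTO operators (id, accesslvl, passwd) VALUES (?, ?, ?)');
    $ins->execute(['admin', 1, password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Hypothetical helper: returns the operator row on success, null on any failure.
function authenticate(PDO $db, $login, $pass): ?array
{
    // Reject non-string input (e.g. login[]=...) and oversized values up front.
    if (!is_string($login) || !is_string($pass) || $login === '' || strlen($login) > 255) {
        return null;
    }
    // The SQL text is fixed; the login travels separately as bound data,
    // so quotes or SQL keywords inside it cannot change the query.
    $stmt = $db->prepare('SELECT id, accesslvl, passwd FROM operators WHERE id = :id');
    $stmt->execute([':id' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() only accepts hashes produced by password_hash(), so a
    // stored MD5 or clear-text value never matches the submitted password.
    if ($row === false || !password_verify($pass, $row['passwd'])) {
        return null;
    }
    return ['id' => $row['id'], 'accesslvl' => (int) $row['accesslvl']];
}

$db = open_demo_db();
$cases = [                                   // constructed inputs
    ['admin', 'constructed-demo-password'],  // valid credentials
    ['admin', 'wrong'],                      // wrong password
    ["o'brien", 'x'],                        // quote in the login stays data
    [['admin'], 'x'],                        // array instead of string
];
foreach ($cases as [$login, $pass]) {
    $result = authenticate($db, $login, $pass);
    printf("%-12s => %s\n", json_encode($login),
        $result ? 'accepted (level ' . $result['accesslvl'] . ')' : 'rejected');
}
```

Only the first case is accepted. The login containing a single quote is looked up as a literal id and rejected, where the concatenated query in header.php would have had its structure altered by that quote.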

== Exploit =

OCSReports : value="http://127.0.0.1/ocsreports/" />
Login :
