WebSpell Authentication Bypass and arbitrary code execution Vendor : WebSpell URL : http://www.webspell.org/ Version : All Risk : SQL Injection, unchecked file upload Description: webSPELL is a free Content Management System (CMS) for clans and gaming communities, providing all needed features like forums, gallery, clanwar system. Because of some serious flaws in the login and cookie-handling function, login can be easily bypassed and arbitrary php code executed via uploading a php file. Notes: magic_quotes_gpc() has to be set OFF Details: Due to an SQL Injection via the sended 'ws_auth' cookie, WebSpell is vulnerable to an Authentication Bypass. $login_per_cookie = false; if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) { $login_per_cookie = true; $_SESSION['ws_auth'] = $_COOKIE['ws_auth']; } systeminc('login'); [...] if(stristr($_SESSION['ws_auth'], "userid")===FALSE){ $authent = explode(":", $_SESSION['ws_auth']); $ws_user = $authent[0]; $ws_pwd = $authent[1]; $check = safe_query("SELECT userID FROM ".PREFIX."user WHERE userID='$ws_user' AND password='$ws_pwd'"); while($ds=mysql_fetch_array($check)) { $loggedin=true; $userID=$ds['userID']; } } As seen in the above codee, the Cookie 'ws_auth' is divided into two parts: The userid and the password. With the following cookie you can bypass this function and login as admin(userid 1): 1;' OR '1'='1 When 'logged in' an PHP-file with arbitrary code can be uploaded via the "add squad" feature. Solution: Use mysql_real_escape_String() or addslashes() for the safe_query() Credits: Robin Verton < r.verton at gmail com>