Simple Fix for Login Bypass Vulnerability on PHP Application

Before we start, let's get to know this vulnerability. It is a form of SQL injection: the login script pastes the submitted username straight into its query, so an attacker can log in to the site without exploiting any other vulnerability.

Several injection strings (each one is typed into the username field; MySQL syntax):

'=''or'
' or 1=1 or ''='
' or 1=1-- 
' or 1=1#

The leading quote closes the user='...' literal early and everything after it becomes SQL. The first string turns the WHERE clause into user=''='' or '' AND pass='...', which MySQL evaluates as true for every row (user='' yields 0, and 0='' is true in MySQL); the second ORs in 1=1; the last two comment out the rest of the query, including the password check (MySQL's -- comment needs a space after it, so the third string ends in one).

So how do we patch it? The idea is to escape the input before it reaches the query. addslashes() (available since PHP 4) puts a backslash in front of single quotes, double quotes, backslashes and NUL bytes, so an attacker's quote can no longer terminate the string literal. It does not know which character set the database connection uses, though, and multibyte charsets such as GBK contain byte sequences that defeat it, so the filter below uses mysql_real_escape_string(), which escapes according to the connection's charset. Note also that the whole mysql_* extension was removed in PHP 7.0; on current PHP the same fix is a prepared statement through mysqli or PDO.

How to Patch

1. Let's see login.php

<?php
mysql_connect("localhost","root",""); // Connection to database
mysql_select_db("example"); // Selecting database
$user=$_POST['user']; // Username from the HTTP POST request, used as-is
$pass=md5($_POST['pass']); // Password from the HTTP POST request, hashed
$check=mysql_query("select * from admin where user='$user' AND pass='$pass'"); // Querying
$true=mysql_num_rows($check); // Counting matching rows
$r=mysql_fetch_array($check);
if($true>0){
 session_start();
 $_SESSION['admin']=$r['user'];
 header("Location:.");
}else{
 header("Location:.");
}
?>

2. Where's the Bug?

$user=$_POST['user']; // Username from the HTTP POST request, used as-is
$pass=md5($_POST['pass']); // Password from the HTTP POST request, hashed

The bug is that $user goes into the query unescaped: a quote in the username ends the string literal and the rest of the input is executed as SQL. $pass is not exploitable only because md5() returns a 32-character hex string that cannot contain a quote. The quickest patch is to run the inputs through a filter function before they reach the query.

3. Filter

function sqlfilter($data){
 // strip_tags() takes an allowed-tags list as its second argument; ENT_QUOTES belongs to htmlspecialchars()
 $filter=mysql_real_escape_string(htmlspecialchars(stripslashes(strip_tags($data)), ENT_QUOTES));
 return $filter;
}

Two caveats. mysql_real_escape_string() needs an open connection, so it must be called after mysql_connect(); and stripslashes() only makes sense when magic_quotes_gpc is on (removed in PHP 5.4). Strictly, only mysql_real_escape_string() is needed to protect the query: htmlspecialchars() and strip_tags() belong at output time, and applying them here changes legitimate input, so a user named O'Brien will be looked up as O&#039;Brien and can no longer log in.

4. We combine all the code above

<?php
mysql_connect("localhost","root","");
mysql_select_db("example");
function sqlfilter($data){
 $filter=mysql_real_escape_string(htmlspecialchars(stripslashes(strip_tags($data)), ENT_QUOTES));
 return $filter;
}
$user=sqlfilter($_POST['user']);
$pass=sqlfilter(md5($_POST['pass'])); // md5() output is plain hex, so filtering it is harmless but not needed
$check=mysql_query("select * from admin where user='$user' AND pass='$pass'");
$true=mysql_num_rows($check);
$r=mysql_fetch_array($check);
if($true>0){
 session_start();
 $_SESSION['admin']=$r['user'];
 header("Location:.");
 exit; // stop here so nothing after the redirect runs
}else{
 echo "Error";
}
?>
Then we save it as login.php and our job is done. Thanks for reading my article 🙂
Thanks to Faisyal for his suggestions.
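The escaping in step 4 stops the strings listed at the top, but the query is still built by string concatenation, and the mysql_* functions it relies on no longer exist on PHP 7 and later. The fix a practitioner would ship today is a prepared statement, where the username and the hash are passed as parameters instead of being pasted into the SQL text. What follows is an added example, not the article's own code: it runs the concatenated query from login.php beside a prepared-statement version through PDO against an in-memory SQLite table, constructed here so the script runs without a MySQL server (with PDO's mysql driver only the DSN and credentials change; the ? placeholders are the same). The admin row, its password and the injection string are made up for the demonstration; the md5() step is kept only so the table matches the article, and new code should use password_hash() and password_verify() instead.

```php
<?php
// Added example (not the original article's code): the article's string-built
// login query beside a prepared-statement version, run through PDO against an
// in-memory SQLite database so it works without a MySQL server. With PDO's
// mysql driver only the DSN and credentials change.
// The admin row, its password and the injection string are constructed here.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (user TEXT NOT NULL, pass TEXT NOT NULL)');
    // Same storage format as the article (md5 of the password); constructed test row.
    $db->exec("INSERT INTO admin (user, pass) VALUES ('admin', '" . md5('s3cret') . "')");
    return $db;
}

// The article's query, built by string concatenation: whatever is in $user
// becomes part of the SQL text, so a quote in the input ends the literal.
function loginConcat(PDO $db, string $user, string $pass): ?string {
    $sql = "SELECT user FROM admin WHERE user='$user' AND pass='" . md5($pass) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['user'] : null;
}

// Hardened version: the SQL text is fixed at prepare() time and the values are
// bound as data, so the input can never add operators or comments to the query.
function loginPrepared(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare('SELECT user FROM admin WHERE user = ? AND pass = ?');
    $stmt->execute([$user, md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['user'] : null;
}

$db = openDb();
$payload = "' or 1=1 or ''='";   // the second injection string from the list above

// Concatenation: the WHERE clause becomes user='' or 1=1 or ''='' AND pass='...'
// and is true for every row, so the attacker is logged in with a wrong password.
var_dump(loginConcat($db, $payload, 'wrong'));

// Prepared: the payload is compared as a literal username and matches no row.
var_dump(loginPrepared($db, $payload, 'wrong'));

// Legitimate credentials still work through the prepared statement.
var_dump(loginPrepared($db, 'admin', 's3cret'));
```

Run it with php login_demo.php (the pdo_sqlite extension is enabled in most PHP builds). The concatenated query hands the admin row to the payload with a wrong password, while the prepared statement returns NULL for the payload and the admin row only for the real credentials; no filter function is involved, because the database driver, not the application, keeps the data separate from the SQL.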
