CVE-2011-2944

An unauthenticated remote attacker sends a POST request to `login.php` with a crafted `username` parameter containing SQL injection syntax, such as `' OR activated=1-- a` [ref_id=1]. The application fails to neutralize special SQL characters in the input, allowing the attacker to bypass authentication and log in as the first valid admin user [CWE-89]. The attacker then receives a session cookie, which can be used to access administrative functions including file upload, extension whitelisting, and CAPTCHA disabling [ref_id=1].

The vulnerability exists in `login.php` of MegaLab The Uploader versions before 2.0.5. The `username` parameter is passed directly into an SQL query without sanitization, as demonstrated by the Metasploit module's injection string `' OR activated=1-- a` [ref_id=1].

The advisory does not include a patch diff, but the fix is described as upgrading to version 2.0.5 [ref_id=1]. The remediation would involve properly escaping or parameterizing the `username` input in the SQL query within `login.php` to prevent injection of arbitrary SQL commands [CWE-89]. No patch code is available in the provided bundle.

1. Send a POST request to `login.php` with body: `username=' OR activated=1-- a&password=a&login=Log-IN` [ref_id=1]. 2. If the response contains "Log-In has been done successfully" (English) or "stato effettuato con successo" (Italian), the SQL injection succeeded [ref_id=1]. 3. Extract the `Set-Cookie` header from the response to obtain an authenticated admin session [ref_id=1].