Homey BNB SQL Injection Vulnerability Allowing Authentication Bypass

A SQL injection vulnerability has been identified in Homey BNB version 4, specifically within the administration panel login. This vulnerability allows unauthenticated attackers to bypass authentication by injecting SQL syntax into the username and password fields. By manipulating the authentication query with SQL operators, attackers can gain unauthorized access to the admin panel.

Impact

Exploitation of this vulnerability allows for SQL injection, which can be used to manipulate the database, potentially leading to unauthorized data access or modification. In this case, it specifically allows for authentication bypass, granting unauthorized users access to the administration panel.

Reproduction

To reproduce this vulnerability, navigate to the admin login page. Inject SQL syntax into the username and password fields, using operators such as '=' and 'or' to manipulate the authentication query. Once the injection is successful, access the admin panel.