search menu icon-carat-right cmu-wordmark

CERT Coordination Center

OneOrZero AIMS authentication bypass and SQLi vulnerabilities

Vulnerability Note VU#800227

Original Release Date: 2011-10-13 | Last Revised: 2011-10-13


OneOrZero Action & Information Management System (AIMS) is vulnerable to an authentication bypass and SQL injection.


According to the vendor's website:

"OneOrZero AIMS is a powerful enterprise ready suite that includes a help desk, knowledge base, time manager and reporting system supported by a highly configurable and extensible Action & Information Management System that allows you to 'build your own system' on the fly."

AIMS is susceptible to an authentication bypass. An attacker can generate a session cookie for $_COOKIE['oozimsrememberme'] and log in as an administrator without providing a password.

AIMS is also susceptible to SQL injection. On line 136 of lib\ooz_access.php the $cookieName variable that originates from an attacker controllable cookie is passed to a SQL statement without any filtering:

$sql = "SELECT * FROM " . OOZ_SET_TABLE_PREFIX . "users WHERE user_name = '" . $cookieName . "'";
$userResult = DB::query($sql, DSN, OOZ_SET_SHOW_SQL);



An unauthenticated remote attacker may be able to bypass authentication or leak database information.


We are currently unaware of a practical solution to this problem.

Vendor Information


OneOrZero Affected

Updated:  October 12, 2011



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector



Thanks to Yuri Goltsev of Positive Technologies for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Severity Metric: 0.07
Date Public: 2011-10-12
Date First Published: 2011-10-13
Date Last Updated: 2011-10-13 14:49 UTC
Document Revision: 8

Sponsored by CISA.