Land Down Under 601

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Land Down Under 601
From: <gdayworld@xxxxxxxxxxx>
Date: 8 Dec 2003 05:43:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


  Application :- Land Down Under
=+++++++++++++++++++++++++=

http://ldu.neocrome.net/

Versions Affect: LDU 601 (other versions not checked)
Risk Factor - Undertimend
Impact - In the least, the attacker could gain access to a users account 
(unless logged in)
Type of Exploit - SQL Injection (auth.php)
Vendor Status: Vendor Notified
Date: 08 December, 2003
Credit: HelloWorld
Tested on a localhost, magic_quotes_goc off. Php 4.0.1

1) Introduction
2) The vulnerability
3) The exploit
4) The fix
5) Credit/Conclusion


1) Introduction

This php script is easily exploited. It comes in a form of an SQL injection, 
through the standard login form (auth.php) and from appearances, many other 
places. It appears the writer of the script is unaware of SQL injection 
vulnerability, or relies solely on magic_quote_gpc (a php option which allows 
automatic slashing to all ? and ? in GET/POST/COOKIE data).

The Vulnerability

Land Down Under lacks basic security for checking user inputted data. It makes 
no attempt to apply slashes to any of the incomming data, and therefore the 
attacker can simply ?inject? some extra SQL to the original query.

Here is where the actual vulnerable code exists (comments added by me):
############### START HERE ############### 
// More code above
if ($a=="check")
        {
        ldu_shield_protect();

        $rusername = cv('rusername','P','TXT');
        $rpassword = cv('rpassword','P','TXT');
        $rmdpass  = md5($rpassword);
    $query="SELECT user_id, user_active, user_banned, user_banexpire, 
user_level, user_skin, user_lang FROM $db_users WHERE user_password='$rmdpass' 
AND user_name='$rusername'";

        $sql = ldu_mysql_query($query);
// Continues to validate.
################ END HERE ################ 


The Exploit

Using the form simply put in "' OR 1=1 -- " (without quotes). For a specific 
user, simply type "' OR user_name='USERNAME' -- " (without quotes)

The Fix

Wait vendor respounce. Basic solution would be to addslashes to the incoming 
data, or turn on magic_quotes.gpc via php ini. Most likely there are more 
possible exploits, further auditing definetly needs to occur. Some may not need 
? either, allowing SQL injection even if magic_quotes_gpc is on.

Credit/Conclusion

Sorry for the badly formatted and poorly written document. Written as quick as 
the vulneribility was found, which wasn't long.  The package contains some nice 
features, and its skins are pleasant to the eye, but lacks the basic and vital 
security to enable it to be accessible via the public.

This vulnerability was discovered by HelloWorld 
email:
gdayworld 
hotmail 
com

Good Luck
HelloWorld.

Prev by Date: Re: [Fwd: Security Alert; possible buffer overflow in all Mathopd versions]
Next by Date: Patchmanagement.org announcement
Previous by thread: Re: [Fwd: Security Alert; possible buffer overflow in all Mathopd versions]
Next by thread: Patchmanagement.org announcement
Index(es):
- Date
- Thread