[UNIX] Land Down Under auth.php SQL Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 12/09/03
To: list@securiteam.com Date: 9 Dec 2003 10:44:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Land Down Under auth.php SQL Injection
------------------------------------------------------------------------
SUMMARY
"What is <http://ldu.neocrome.net/page.php?id=1217> Land Down Under? Some
call this a CMS (Content Management System), others a "Portal" or a
"Website engine". It's a dumb machine, made of PHP files, that stores and
queries data in a MySQL database and sends that data to clients as HTML
pages with the help of skin files (a.k.a. "templates")."
One of the product's PHP scripts (auth.php) can be exploited to gain
unauthorized access, because the script builds its login query from
unsanitized user input and is therefore vulnerable to SQL injection.
DETAILS
Vulnerable systems:
* Land Down Under version 601
Land Down Under performs no basic security checking of user-provided data:
the product makes no attempt to escape (apply slashes to) any of the
incoming form fields before placing them in SQL. An attacker can therefore
append extra SQL to the original login query.
Vulnerable code:
Here is where the actual vulnerable code exists (comments added by
gdayworld):
// More code above
if ($a=="check")
{
    ldu_shield_protect();
    $rusername = cv('rusername','P','TXT');
    $rpassword = cv('rpassword','P','TXT');
    $rmdpass = md5($rpassword);
    // $rusername is interpolated unescaped into the WHERE clause
    $query="SELECT user_id, user_active, user_banned, user_banexpire,
            user_level, user_skin, user_lang FROM $db_users WHERE
            user_password='$rmdpass' AND user_name='$rusername'";
    $sql = ldu_mysql_query($query);
    // Continues to validate.
Exploit:
Using the login form, simply put "' OR 1=1 -- " (without the quotes) in
the fields. To log in as a specific user, type "' OR user_name='USERNAME' -- "
(without the quotes) in the username field.
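As an added illustration (not part of the advisory or of LDU's own code), the auth.php query above rebuilt in Python over an in-memory SQLite table, with the parameterized form beside it so the two can be compared on the same inputs; the table name, rows and passwords are constructed for the demo, and the column names are taken from the advisory's query.

```python
import hashlib
import sqlite3

# Column list exactly as in the advisory's SELECT.
COLUMNS = ("user_id, user_active, user_banned, user_banexpire, "
           "user_level, user_skin, user_lang")


def make_db():
    """Constructed stand-in for $db_users (SQLite here, MySQL in LDU)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ldu_users (
        user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT,
        user_active INTEGER, user_banned INTEGER, user_banexpire INTEGER,
        user_level INTEGER, user_skin TEXT, user_lang TEXT)""")
    conn.executemany("INSERT INTO ldu_users VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, "admin", hashlib.md5(b"s3cret").hexdigest(), 1, 0, 0, 100, "default", "en"),
        (2, "alice", hashlib.md5(b"hunter2").hexdigest(), 1, 0, 0, 1, "default", "en"),
    ])
    return conn


def login_vulnerable(conn, rusername, rpassword):
    """Mirrors auth.php: md5 digest and raw username are string-interpolated."""
    rmdpass = hashlib.md5(rpassword.encode()).hexdigest()
    query = (f"SELECT {COLUMNS} FROM ldu_users WHERE "
             f"user_password='{rmdpass}' AND user_name='{rusername}'")
    # The trailing "-- " in an injected username comments out the closing quote,
    # and OR binds looser than AND, so "' OR 1=1 -- " matches every row.
    return conn.execute(query).fetchall()


def login_parameterized(conn, rusername, rpassword):
    """Hardened form: placeholders keep the username as data, never as SQL."""
    rmdpass = hashlib.md5(rpassword.encode()).hexdigest()
    query = (f"SELECT {COLUMNS} FROM ldu_users WHERE "
             "user_password=? AND user_name=?")
    return conn.execute(query, (rmdpass, rusername)).fetchall()
```

With the same inputs, the vulnerable query returns every user for the advisory's payload while the parameterized query returns nothing; only a correct name and password match a row.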
ADDITIONAL INFORMATION
The information has been provided by <mailto:gdayworld@hotmail.com>
gdayworld.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.