[UNIX] Land Down Under auth.php SQL Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 12/09/03

    To: list@securiteam.com
    Date: 9 Dec 2003 10:44:14 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Land Down Under auth.php SQL Injection
    ------------------------------------------------------------------------

    SUMMARY

    "What is Land Down Under? (http://ldu.neocrome.net/page.php?id=1217)
    Some call this a CMS (Content Management System), others a "Portal", or a
    "Website engine". It's a dumb machine, made of PHP files that stores and
    queries data in a MySQL database, and sends those data to clients as HTML
    pages, with the help of skin files (a.k.a. "templates")".

    One of the product's PHP scripts (auth.php) can be exploited to gain
    unauthorized access, because it builds an SQL query from unescaped user
    input and is therefore vulnerable to SQL injection.

    DETAILS

    Vulnerable systems:
     * Land Down Under version 601

    Land Down Under lacks basic security checking of user-provided data: the
    product makes no attempt to escape (e.g. apply slashes to) any of the
    incoming form data before placing it in a query. An attacker can therefore
    simply append extra SQL to the original query by including a quote
    character in the submitted value.

    Vulnerable code:
    Here is where the actual vulnerable code exists (comments added by
    gdayworld):

    // More code above
    if ($a == "check")
      {
      ldu_shield_protect();

      $rusername = cv('rusername', 'P', 'TXT');
      $rpassword = cv('rpassword', 'P', 'TXT');
      $rmdpass = md5($rpassword);
      $query = "SELECT user_id, user_active, user_banned, user_banexpire,
                user_level, user_skin, user_lang FROM $db_users WHERE
                user_password='$rmdpass' AND user_name='$rusername'";

      $sql = ldu_mysql_query($query);
      // Continues to validate.

    Exploit:
    Using the login form, simply put "' OR 1=1 -- " (without the quotes) in
    the fields. To log in as a specific user, type "' OR user_name='USERNAME' -- "
    (without the quotes) instead.
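    To make the effect of the unescaped $rusername concrete, the following is an
    added example (not code from the advisory or from Land Down Under) that
    rebuilds the auth.php query over a constructed in-memory SQLite table and
    contrasts it with a parameterized version; the table name and columns are
    assumptions standing in for $db_users.

```python
import hashlib
import sqlite3

# Constructed stand-in for the $db_users table; passwords are stored as md5
# hex digests exactly as auth.php does (md5 is not a suitable password hash,
# but that is the scheme the advisory's code uses).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, "
                 "user_password TEXT, user_level INTEGER)")
    for uid, name, pw, level in [(1, "admin", "s3cret", 9), (2, "alice", "hunter2", 1)]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (uid, name, hashlib.md5(pw.encode()).hexdigest(), level))
    return conn

def build_vulnerable_query(rusername, rpassword):
    """Same construction as auth.php: the username is pasted into the SQL text."""
    rmdpass = hashlib.md5(rpassword.encode()).hexdigest()
    return ("SELECT user_id, user_name, user_level FROM users "
            f"WHERE user_password='{rmdpass}' AND user_name='{rusername}'")

def login_vulnerable(conn, rusername, rpassword):
    # With the advisory's input the WHERE clause becomes
    #   user_password='...' AND user_name='' OR 1=1 -- '
    # AND binds tighter than OR, so every row matches and the comment
    # swallows the dangling quote.
    return conn.execute(build_vulnerable_query(rusername, rpassword)).fetchall()

def login_fixed(conn, rusername, rpassword):
    """Parameterized query: the username is bound as data, never parsed as SQL."""
    rmdpass = hashlib.md5(rpassword.encode()).hexdigest()
    query = ("SELECT user_id, user_name, user_level FROM users "
             "WHERE user_password=? AND user_name=?")
    return conn.execute(query, (rmdpass, rusername)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("' OR 1=1 -- ", "x"))
    print("vulnerable:", login_vulnerable(db, "' OR 1=1 -- ", "x"))
    print("fixed:     ", login_fixed(db, "' OR 1=1 -- ", "x"))
```

    MySQL, unlike SQLite, requires whitespace after `--` for it to start a
    comment, which is why the advisory's payload ends in a space.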

    ADDITIONAL INFORMATION

    The information has been provided by gdayworld <gdayworld@hotmail.com>.

