Category:   Application (Forum/Board/Portal)  >   Land Down Under Vendors:
Land Down Under (LDU) SQL Injection Hole Lets Remote Users Access User Accounts
SecurityTracker Alert ID:  1008416
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 9 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 601; possibly other versions
Description:   An input validation vulnerability was reported in the 'Land Down Under' (LDU) forum software. A remote user can inject SQL commands to gain access to user accounts.

It is reported that the 'auth.php' script, and possibly other scripts, do not properly validate user-supplied input. A remote user can inject SQL commands to authenticate to the system without having to supply a password.

The vendor has reportedly been notified.

Impact:   A remote user can inject SQL commands to be executed by the underlying database. A remote user can gain authenticated access to the system without supplying a password.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

Source Message Contents

Subject:  Land Down Under 601

Application: Land Down Under

Versions Affected: LDU 601 (other versions not checked)
Risk Factor - Undetermined
Impact - In the least, the attacker could gain access to a user's account (unless logged in)
Type of Exploit - SQL Injection (auth.php)
Vendor Status: Vendor Notified
Date: 08 December, 2003
Credit: HelloWorld
Tested on a localhost, magic_quotes_gpc off, PHP 4.0.1

1) Introduction
2) The vulnerability
3) The exploit
4) The fix
5) Credit/Conclusion

1) Introduction

This PHP script is easily exploited. It comes in the form of an SQL injection, through the standard login form (auth.php) and, from appearances, many other places. It appears the writer of the script is unaware of SQL injection vulnerabilities, or relies solely on magic_quotes_gpc (a PHP option which automatically adds slashes to all ' and " in GET/POST/COOKIE data).

2) The Vulnerability

Land Down Under lacks basic security for checking user-inputted data. It makes no attempt to apply slashes to any of the incoming data, and therefore the attacker can simply 'inject' some extra SQL into the original query.

Here is where the actual vulnerable code exists (comments added by me):
############### START HERE ###############
// More code above
if ($a=="check")
{
    // Raw POST values; cv() returns them as text without escaping
    $rusername = cv('rusername','P','TXT');
    $rpassword = cv('rpassword','P','TXT');
    $rmdpass   = md5($rpassword);

    // $rusername is interpolated straight into the SQL string,
    // so a quote in the submitted username terminates the literal
    $query = "SELECT user_id, user_active, user_banned, user_banexpire, user_level, user_skin, user_lang FROM $db_users WHERE user_password='$rmdpass' AND user_name='$rusername'";

    $sql = ldu_mysql_query($query);
    // Continues to validate (rest of the block omitted).
################ END HERE ################

3) The Exploit

Using the form simply put in "' OR 1=1 -- " (without quotes). For a specific user, simply type "' OR user_name='USERNAME' -- " (without

4) The Fix

Wait for the vendor response. A basic solution would be to addslashes the incoming data, or turn on magic_quotes_gpc via php.ini. Most likely there are more possible exploits; further auditing definitely needs to occur. Some may not need ' either, allowing SQL injection even if magic_quotes_gpc is on.


Sorry for the badly formatted and poorly written document. It was written as quickly as the vulnerability was found, which wasn't long. The package contains some nice features, and its skins are pleasant to the eye, but it lacks the basic and vital security needed for it to be accessible to the public.

This vulnerability was discovered by HelloWorld

Good Luck
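As an added illustration, not part of the advisory above or of LDU's own code, here is a Python model of the auth.php check against an in-memory SQLite table: the first function splices the submitted username into the SQL text exactly as auth.php does, the second uses a parameterised query, which is used here instead of the addslashes/magic_quotes_gpc approach the advisory suggests. The table name, the account and the md5 storage are constructed for the demo.

```python
import hashlib
import sqlite3


# Constructed sample data: one LDU-style account whose password column
# holds md5(password), matching what the auth.php query compares against.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ldu_users "
                "(user_id INTEGER, user_name TEXT, user_password TEXT)")
    con.execute("INSERT INTO ldu_users VALUES (1, 'admin', ?)",
                (hashlib.md5(b"correct-horse").hexdigest(),))
    return con


def login_vulnerable(con, rusername, rpassword):
    """Mirrors auth.php: the raw username is spliced into the SQL text, so a
    quote in the input closes the string literal and the rest becomes SQL."""
    rmdpass = hashlib.md5(rpassword.encode()).hexdigest()
    query = ("SELECT user_id FROM ldu_users WHERE user_password='%s' "
             "AND user_name='%s'" % (rmdpass, rusername))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(con, rusername, rpassword):
    """Hardened form: parameterised query. The SQL text is fixed and the
    driver passes the username as a value, so it can never alter the query."""
    rmdpass = hashlib.md5(rpassword.encode()).hexdigest()
    row = con.execute(
        "SELECT user_id FROM ldu_users WHERE user_password=? AND user_name=?",
        (rmdpass, rusername)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "  # the login-bypass string quoted in the advisory
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # 1
    print("fixed:     ", login_fixed(db, payload, "anything"))       # None
```

With the vulnerable builder the comparison collapses to `... OR 1=1` and the first account is returned without a password; with the parameterised form the same input is just an unknown username.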
