|
|
Family: CGI abuses --> Category: attack
Land Down Under <= 800 Multiple Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
Checks for SQL injection in LDU's index.php
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP script that permits SQL injection
and cross-site scripting attacks.
Description :
The remote version of Land Down Under is prone to various SQL
injection and cross-site scripting attacks provided PHP's
'magic_quotes' setting is disabled due to its failure to sanitize the
request URI before using it in 'system/functions.php' in the function
'ldu_log()'. A malicious user may be able to exploit this issue to
manipulate SQL queries, steal authentication cookies, and the like.
In addition, it also fails to properly sanitize the user-supplied
signature in forum posts.. A malicious user can exploit this
vulnerability to steal authentication cookies and manipulate the HTML
format in 'forums.php'.
See also :
http://www.securityfocus.org/archive/1/408664
http://www.neocrome.net/forums.php?m=posts&p=83412#83412
http://archives.neohapsis.com/archives/bugtraq/2005-08/0395.html
Solution :
Upgrade to Land Down Under version 801 or later.
Threat Level:
Medium / CVSS Base Score : 4
(AV:R/AC:H/Au:NR/C:P/A:N/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|
