Land Down Under <= 800 Multiple Vulnerabilities Network Vulnerability

Summary

The remote web server contains a PHP script that permits SQL injection and cross-site scripting attacks. Description : The remote version of Land Down Under is prone to various SQL injection and cross-site scripting attacks provided PHP's 'magic_quotes' setting is disabled due to its failure to sanitize the request URI before using it in 'system/functions.php' in the function 'ldu_log()'. A malicious user may be able to exploit this issue to manipulate SQL queries, steal authentication cookies, and the like. In addition, it also fails to properly sanitize the user-supplied signature in forum posts.. A malicious user can exploit this vulnerability to steal authentication cookies and manipulate the HTML format in 'forums.php'.

Solution

Upgrade to Land Down Under version 801 or later.

References

http://archives.neohapsis.com/archives/bugtraq/2005-08/0395.html
http://www.neocrome.net/forums.php?m=posts&p=83412#83412
http://www.securityfocus.org/archive/1/408664

Updated on 2015-03-25

Severity

Classification

CVE CVE-2005-2674, CVE-2005-2675, CVE-2005-2780

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Adobe ColdFusion Information Disclosure Vulnerability
AVTECH DVR Multiple Vulnerabilities
ASP Inline Corporate Calendar SQL injection
ActivDesk Multiple Cross Site Scripting and SQL Injection Vulnerabilities
AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities

Take action and discover your vulnerabilities