----------------------------------------------------------------------------------
- GroundZero Security Research and Software Development 2005 -
----------------------------------------------------------------------------------
- -
- Security Advisory regarding LDU Version 801. -
- Multiple SQL Injection Vulnerabilities. -
- Released: Tue Sep 13 06:16:32 CEST 2005 -
- -
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
- Affected: -
----------------------------------------------------------------------------------
LDU <= 801 (Land Down Under)
Latest public and stable release. From 25-08-2005
Vendor: http://www.neocrome.net
----------------------------------------------------------------------------------
- Information: -
----------------------------------------------------------------------------------
Not long ago there was already an advisory about injection bugs in
version 800 of LDU. The vendor did not seem to believe in those bugs, as the
website says:
"Since yesterday there's 2 new items about LDU at http://www.securityfocus.com,
about 'security exploits' that may affect LDU build 800. None of the tricks
written there are working, the variables are properly sanitized and no LDU
version is affected. This morning I notified the moderators of the site."
Actually this is pretty funny, as we could verify the bugs on version 800 already.
So it is not really surprising to see the current version vulnerable as well.
The vendor does not seem to realize how critical SQL injection can be.
A lost database is never fun for an admin.
Below are a few examples of how to reproduce the bugs.
----------------------------------------------------------------------------------
- Simple PoC: -
----------------------------------------------------------------------------------
/auth.php?m=all'%20;%20AND%20THIS=VULN
/auth.php?m='%20;%20AND%20THIS=VULN
/events.php?f='%20;AND%20THIS=VULN-TOO
/plug.php?e=topitems';AND%20THIS=LAME
....
An exploit will not be disclosed and is not needed.
A browser is enough to exploit this vulnerability.
----------------------------------------------------------------------------------
- Solution: -
----------------------------------------------------------------------------------
Since there is no vendor fix available, all you can do is either change the code
yourself (there are lots of attack vectors), or disable the software until an official
patch or update has been released.
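
While the software stays online unpatched, the access log can be checked for
requests shaped like the PoC lines above. The following is an added example, not
part of the original advisory or of LDU: it assumes a Common Log Format access
log, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Script -> parameter pairs taken from the advisory's PoC list.
WATCHED = {"auth.php": "m", "events.php": "f", "plug.php": "e"}
# Characters the PoC requests put into those parameters.
SUSPICIOUS = re.compile(r"['\";]")
# Request field of a Common Log Format line (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flag_request(target):
    """Return (script, param, decoded value) for a PoC-style request, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]  # basename, so sub-directory installs match
    param = WATCHED.get(script)
    if param is None:
        return None
    # Split on "&" only: ";" must stay inside the value, not act as a separator.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode once, so %27 is seen as a quote
        if name == param and SUSPICIOUS.search(value):
            return (script, param, value)
    return None

def scan(lines):
    """Return (line number, script, param, value) for every flagged log line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hit = flag_request(match.group(1)) if match else None
        if hit:
            hits.append((lineno,) + hit)
    return hits

# Constructed sample log (documentation addresses, made-up sizes and /ldu/ prefix).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Sep/2005:06:20:01 +0200] "GET /plug.php?e=topitems HTTP/1.1" 200 5120
192.0.2.77 - - [13/Sep/2005:06:21:14 +0200] "GET /auth.php?m=all'%20;%20AND%20THIS=VULN HTTP/1.1" 200 812
192.0.2.77 - - [13/Sep/2005:06:21:20 +0200] "GET /events.php?f=%27%20;AND%20THIS=VULN-TOO HTTP/1.1" 200 640
192.0.2.77 - - [13/Sep/2005:06:21:31 +0200] "GET /ldu/plug.php?e=topitems';AND%20THIS=LAME HTTP/1.1" 200 640
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s?%s=%r" % hit)
```

A hit only shows that such a request was made; the advisory's PoC list ends with
"....", so other scripts and parameters are not covered by this check.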
----------------------------------------------------------------------------------
- Bug (re) discovered by GroundZero Security Research and Software Development -
- http://www.GroundZero-Security.com | Http://www.g-0.org -
----------------------------------------------------------------------------------