Vulnerability Assessment & Network Security Forums
Vulnerability Assessment Details
Checks for SQL injection in LDU's index.php
Detailed Explanation for this Vulnerability Assessment
The remote web server contains a PHP script that permits SQL injection
and cross-site scripting attacks.
The remote version of Land Down Under is prone to various SQL
injection and cross-site scripting attacks provided PHP's
'magic_quotes' setting is disabled due to its failure to sanitize the
request URI before using it in 'system/functions.php' in the function
'ldu_log()'. A malicious user may be able to exploit this issue to
manipulate SQL queries, steal authentication cookies, and the like.
In addition, it also fails to properly sanitize the user-supplied
signature in forum posts.. A malicious user can exploit this
vulnerability to steal authentication cookies and manipulate the HTML
format in 'forums.php'.
See also :
Upgrade to Land Down Under version 801 or later.
Network Security Threat Level:
Medium / CVSS Base Score : 4
Networks Security ID: 14618, 14619, 14677
Vulnerability Assessment Copyright: Copyright (C) 2005 Josh Zlatin-Amishav
|Dell R730 Dual E5-2660 v3 10C 2.6GHz 512GB 4x 480GB SSD H730 iDRAC 2.5in Rails
|HP Renew DL360 G9 Single E5-2620 v3 6C 2.4GHz 128GB 8x 450GB SAS P440ar Rails
|Dell R720xd OEM Dual E5-2660 8C 2.2GHz 384GB 12x 1TB SAS 12 Bay 3.5in Rails RPS
|Dell R710 Dual L5520 QC 2.26GHz 192GB 2x 300GB 6G, 6x 600GB 6G H700 iDRAC Rails
No Discussions have been posted on this vulnerability.