Korean
<< Back
VID 21798
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The Land Down Under (LDU) is vulnerable to multiple vulnerabilities which exist in versions prior to 802. Land Down Under is a web site Content Management System (CMS) written in PHP. Land Down Under version 801 and earlier versions are vulnerable to multiple input validation vulnerabilities, which can be exploited by remote attackers to conduct cross-site scripting and SQL injection attacks.

1) Multiple SQL Injection Vulnerabilities: Input passed to the multiple parameters of the 'index.php' script, 'list.php' script and 'event.php' script is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Multiple Cross-Site Scripting Vulnerabilities: Input passed to the 'c' and 'm' parameters of the
'index.php' script and the 'w' parameter of the 'journal.php' is not properly sanitized before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.

* References:
http://securityfocus.com/archive/1/409511
http://www.packetstormsecurity.org/0509-advisories/LDU801.txt
http://www.securitytracker.com/alerts/2005/Aug/1014747.html
http://secunia.com/advisories/16710

* Platforms Affected:
Neocrome Services, Land Down Under version 801 and earlier versions
Any operating system Any version
Recommendation Upgrade to the latest version of Land Down Under (802 or later), available from the Land Down Under Web site at http://www.neocrome.net
Related URL CVE-2005-2788,CVE-2005-2884 (CVE)
Related URL 14685,14746,14820 (SecurityFocus)
Related URL 22195,21952,22047 (ISS)