VID | 21798
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
Land Down Under (LDU), a web site Content Management System (CMS) written in PHP, contains multiple vulnerabilities in versions prior to 802. Land Down Under version 801 and earlier are affected by multiple input validation vulnerabilities, which remote attackers can exploit to conduct cross-site scripting and SQL injection attacks.
1) Multiple SQL Injection Vulnerabilities: Input passed to multiple parameters of the 'index.php', 'list.php' and 'event.php' scripts is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Multiple Cross-Site Scripting Vulnerabilities: Input passed to the 'c' and 'm' parameters of the 'index.php' script and the 'w' parameter of the 'journal.php' script is not properly sanitized before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious user data is viewed.
* References:
  http://securityfocus.com/archive/1/409511
  http://www.packetstormsecurity.org/0509-advisories/LDU801.txt
  http://www.securitytracker.com/alerts/2005/Aug/1014747.html
  http://secunia.com/advisories/16710
* Platforms Affected: Neocrome Services, Land Down Under version 801 and earlier versions; any operating system, any version
Recommendation | Upgrade to the latest version of Land Down Under (802 or later), available from the Land Down Under Web site at http://www.neocrome.net
Related URL | CVE-2005-2788, CVE-2005-2884 (CVE)
Related URL | 14685, 14746, 14820 (SecurityFocus)
Related URL | 22195, 21952, 22047 (ISS)