ID: CVE-2004-1588
Type: cve
Reporter: cve@mitre.org
Modified: 2017-07-11T01:31:00
Description
SQL injection vulnerability in GoSmart Message Board allows remote attackers to execute arbitrary SQL code via (1) the QuestionNumber and Category parameters to Forum.asp or (2) the Username and Password parameters to Login_Exec.asp.
{"osvdb": [{"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "description": "## Vulnerability Description\nMessage Board contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the Username and Password variables in the Login_Exec.asp module is not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nMessage Board contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the Username and Password variables in the Login_Exec.asp module is not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Manual Testing Notes\nhttp://[victim]/messageboard/Login_Exec.asp?Username=[SQL CODE HERE]&Password=1&Login=1 \n\nhttp://[victim]/messageboard/Login_Exec.asp?Username=1&Password=[SQL CODE HERE]&Login=1\n## References:\nVendor URL: http://www.gosmart4u.com/forum.aspx\n[Secunia Advisory ID:12790](https://secuniaresearch.flexerasoftware.com/advisories/12790/)\n[Related OSVDB ID: 10643](https://vulners.com/osvdb/OSVDB:10643)\n[Related OSVDB ID: 10641](https://vulners.com/osvdb/OSVDB:10641)\n[Related OSVDB ID: 10644](https://vulners.com/osvdb/OSVDB:10644)\nOther Advisory URL: http://www.ptsecurity.ru/advisory.asp\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0073.html\n[CVE-2004-1588](https://vulners.com/cve/CVE-2004-1588)\n", "modified": "2004-09-29T10:02:21", "published": "2004-09-29T10:02:21", "href": "https://vulners.com/osvdb/OSVDB:10642", "id": "OSVDB:10642", "type": "osvdb", "title": "GoSmart Message Board Login_Exec.asp Multiple Parameter SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:06", "bulletinFamily": "software", "description": "## Vulnerability 
Description\nMessage Board contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the QuestionNumber and Category variables in the Forum.asp module are not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nMessage Board contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the QuestionNumber and Category variables in the Forum.asp module are not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Manual Testing Notes\nhttp://[victim]/messageboard/Forum.asp?QuestionNumber=[SQL CODE HERE]\n\nhttp://[victim]/messageboard/Forum.asp?Category=[SQL CODE HERE]\n## References:\nVendor URL: http://www.gosmart4u.com/forum.aspx\n[Secunia Advisory ID:12790](https://secuniaresearch.flexerasoftware.com/advisories/12790/)\n[Related OSVDB ID: 10643](https://vulners.com/osvdb/OSVDB:10643)\n[Related OSVDB ID: 10642](https://vulners.com/osvdb/OSVDB:10642)\n[Related OSVDB ID: 10644](https://vulners.com/osvdb/OSVDB:10644)\nOther Advisory URL: http://www.ptsecurity.ru/advisory.asp\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0073.html\n[CVE-2004-1588](https://vulners.com/cve/CVE-2004-1588)\n", "modified": "2004-09-29T10:02:21", "published": "2004-09-29T10:02:21", "href": "https://vulners.com/osvdb/OSVDB:10641", "id": "OSVDB:10641", "type": "osvdb", "title": "GoSmart Message Board Forum.asp Multiple Parameter SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:05", "bulletinFamily": "scanner", "description": "The remote host is running GoSmart message board, a bulletin board \nmanager written in ASP.\n\n\nThe remote version of this software contains multiple flaws, due o\nto 
a failure of the application to properly sanitize user-supplied input.\n\nIt is also affected by a cross-site scripting vulnerability. \nAs a result of this vulnerability, it is possible for a remote attacker\nto create a malicious link containing script code that will be executed \nin the browser of an unsuspecting user when followed. \n\nFurthermore, this version is vulnerable to SQL injection flaws that\nlet an attacker inject arbitrary SQL commands.", "modified": "2017-03-30T00:00:00", "published": "2005-11-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=15451", "id": "OPENVAS:15451", "title": "GoSmart message board multiple flaws", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: gosmart_message_board.nasl 5786 2017-03-30 10:08:58Z cfi $\n# Description: GoSmart message board multiple flaws\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote host is running GoSmart message board, a bulletin board \nmanager written in ASP.\n\n\nThe remote version of this software contains multiple flaws, due o\nto a failure of the application to properly sanitize user-supplied input.\n\nIt is also affected by a cross-site scripting vulnerability. 
\nAs a result of this vulnerability, it is possible for a remote attacker\nto create a malicious link containing script code that will be executed \nin the browser of an unsuspecting user when followed. \n\nFurthermore, this version is vulnerable to SQL injection flaws that\nlet an attacker inject arbitrary SQL commands.\";\n\ntag_solution = \"Upgrade to the newest version of this software\";\n\n# Ref: Alexander Antipov <antipov SecurityLab ru> - MAxpatrol Security\n\nif(description)\n{\n script_id(15451);\n script_version(\"$Revision: 5786 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-30 12:08:58 +0200 (Thu, 30 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2004-1588\", \"CVE-2004-1589\");\n script_bugtraq_id(11361);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"GoSmart message board multiple flaws\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"cross_site_scripting.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nif ( ! 
can_host_asp(port:port) ) exit(0);\nif ( get_kb_item(\"www/\" + port + \"/generic_xss\") ) exit(0);\n\nforeach dir( make_list_unique( \"/messageboard\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n req = string(dir, \"/Forum.asp?QuestionNumber=1&Find=1&Category=%22%3E%3Cscript%3Efoo%3C%2Fscript%3E%3C%22\");\n req = http_get(item:req, port:port);\n r = http_keepalive_send_recv(port:port, data:req);\n if( r == NULL ) continue;\n\n if (r =~ \"HTTP/1\\.. 200\" && egrep(pattern:\"<script>foo</script>\", string:r)) {\n security_message(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-11-26T15:24:24", "bulletinFamily": "scanner", "description": "The remote host is running GoSmart message board, a bulletin board\nmanager written in ASP.\n\n\nThe remote version of this software contains multiple flaws, due o\nto a failure of the application to properly sanitize user-supplied input.\n\nIt is also affected by a cross-site scripting vulnerability.\nAs a result of this vulnerability, it is possible for a remote attacker\nto create a malicious link containing script code that will be executed\nin the browser of an unsuspecting user when followed.\n\nFurthermore, this version is vulnerable to SQL injection flaws that\nlet an attacker inject arbitrary SQL commands.", "modified": "2019-11-22T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231015451", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231015451", "title": "GoSmart message board multiple flaws", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# GoSmart message board multiple flaws\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is 
free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n# Ref: Alexander Antipov <antipov SecurityLab ru> - MAxpatrol Security\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.15451\");\n script_version(\"2019-11-22T13:51:04+0000\");\n script_tag(name:\"last_modification\", value:\"2019-11-22 13:51:04 +0000 (Fri, 22 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2004-1588\", \"CVE-2004-1589\");\n script_bugtraq_id(11361);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"GoSmart message board multiple flaws\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"cross_site_scripting.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"solution\", value:\"Upgrade to the newest version of this software\");\n script_tag(name:\"summary\", value:\"The remote host is running GoSmart message board, a bulletin 
board\nmanager written in ASP.\n\n\nThe remote version of this software contains multiple flaws, due o\nto a failure of the application to properly sanitize user-supplied input.\n\nIt is also affected by a cross-site scripting vulnerability.\nAs a result of this vulnerability, it is possible for a remote attacker\nto create a malicious link containing script code that will be executed\nin the browser of an unsuspecting user when followed.\n\nFurthermore, this version is vulnerable to SQL injection flaws that\nlet an attacker inject arbitrary SQL commands.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nif ( ! can_host_asp(port:port) ) exit(0);\nhost = http_host_name( dont_add_port:TRUE );\nif( http_get_has_generic_xss( port:port, host:host ) ) exit( 0 );\n\nforeach dir( make_list_unique( \"/messageboard\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n req = string(dir, \"/Forum.asp?QuestionNumber=1&Find=1&Category=%22%3E%3Cscript%3Efoo%3C%2Fscript%3E%3C%22\");\n req = http_get(item:req, port:port);\n r = http_keepalive_send_recv(port:port, data:req);\n if( isnull( r ) ) continue;\n\n if (r =~ \"^HTTP/1\\.[01] 200\" && egrep(pattern:\"<script>foo</script>\", string:r)) {\n security_message(port);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T07:50:11", "bulletinFamily": "scanner", "description": "The remote host is running GoSmart message board, a bulletin board\nmanager written in ASP.\n\nThe remote version of this software contains multiple flaws, due to a\nfailure of the application to properly sanitize user-supplied input.\n\nIt is also affected by a cross-site scripting vulnerability. 
As a\nresult of this vulnerability, it is possible for a remote attacker to\ncreate a malicious link containing script code that will be executed\nin the browser of an unsuspecting user when followed.\n\nFurthermore, this version is vulnerable to SQL injection flaws that\nlet an attacker inject arbitrary SQL commands.", "modified": "2019-12-02T00:00:00", "id": "GOSMART_MESSAGE_BOARD.NASL", "href": "https://www.tenable.com/plugins/nessus/15451", "published": "2004-10-11T00:00:00", "title": "GoSmart Message Board Multiple Vulnerabilities (SQLi, XSS)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15451);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2004-1588\", \"CVE-2004-1589\");\n script_bugtraq_id(11361);\n\n script_name(english:\"GoSmart Message Board Multiple Vulnerabilities (SQLi, XSS)\");\n script_summary(english:\"Checks GoSmart message board flaws\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"A remote CGI is vulnerable to several flaws.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running GoSmart message board, a bulletin board\nmanager written in ASP.\n\nThe remote version of this software contains multiple flaws, due to a\nfailure of the application to properly sanitize user-supplied input.\n\nIt is also affected by a cross-site scripting vulnerability. 
As a\nresult of this vulnerability, it is possible for a remote attacker to\ncreate a malicious link containing script code that will be executed\nin the browser of an unsuspecting user when followed.\n\nFurthermore, this version is vulnerable to SQL injection flaws that\nlet an attacker inject arbitrary SQL commands.\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to the newest version of this software.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/10/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:gosmart:gosmart_message_board\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"cross_site_scripting.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"Settings/ParanoidReport\", \"www/ASP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80);\n\nif (!get_port_state(port))exit(0);\nif ( ! 
can_host_asp(port:port) ) exit(0);\nif ( get_kb_item(\"www/\" + port + \"/generic_xss\") ) exit(0);\n\nforeach dir (cgi_dirs())\n{\n req = string(dir, \"/messageboard/Forum.asp?QuestionNumber=1&Find=1&Category=%22%3E%3Cscript%3Efoo%3C%2Fscript%3E%3C%22\");\n req = http_get(item:req, port:port);\n r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);\n if( r == NULL )exit(0);\n if (egrep(pattern:\"<script>foo</script>\", string:r))\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}