CyberBuild - browse0.htm ProductIndex Parameter SQL Injection

{"bulletinFamily": "exploit", "id": "EDB-ID:27814", "cvelist": ["CVE-2006-2179"], "modified": "2006-05-03T00:00:00", "lastseen": "2016-02-03T06:47:54", "edition": 1, "sourceData": "source: http://www.securityfocus.com/bid/17829/info\r\n \r\nCyberBuild is prone to multiple input-validation vulnerabilities. The issues include cross-site scripting and SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. \r\n \r\nA successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.\r\n\r\nhttp://www.example.com/browse0.htm?ProductIndex=[SQL]", "published": "2006-05-03T00:00:00", "href": "https://www.exploit-db.com/exploits/27814/", "osvdbidlist": ["25196"], "reporter": "r0t", "hash": "e95970b7361fbb512dab29bfef8f66c67b13f1fb7b7b6eff1b9422aa26ee4b19", "title": "CyberBuild - browse0.htm ProductIndex Parameter SQL Injection", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "CyberBuild 0 browse0.htm ProductIndex Parameter SQL Injection. CVE-2006-2179. Webapps exploit for asp platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27814/", "enchantments": {"vulnersScore": 3.7}}

{"result": {"cve": [{"id": "CVE-2006-2179", "type": "cve", "title": "CVE-2006-2179", "description": "Multiple SQL injection vulnerabilities in CyberBuild allow remote attackers to execute arbitrary SQL commands via the (1) SessionID parameter to login.asp or (2) ProductIndex parameter to browse0.htm.", "published": "2006-05-04T08:38:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2179", "cvelist": ["CVE-2006-2179"], "lastseen": "2016-09-03T06:53:15"}], "osvdb": [{"id": "OSVDB:25196", "type": "osvdb", "title": "CyberBuild browse0.htm ProductIndex Variable SQL Injection", "description": "## Vulnerability Description\nCyberBuild contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'browse0.htm' script not properly sanitizing user-supplied input to the 'ProductIndex' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nCyberBuild contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'browse0.htm' script not properly sanitizing user-supplied input to the 'ProductIndex' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\n/browse0.htm?ProductIndex=[SQL]\n## References:\nVendor URL: http://www.smartwin.com.au/cyberbuild.htm\n[Secunia Advisory ID:19889](https://secuniaresearch.flexerasoftware.com/advisories/19889/)\n[Related OSVDB ID: 25197](https://vulners.com/osvdb/OSVDB:25197)\n[Related OSVDB ID: 25198](https://vulners.com/osvdb/OSVDB:25198)\n[Related OSVDB ID: 25199](https://vulners.com/osvdb/OSVDB:25199)\n[Related OSVDB ID: 25195](https://vulners.com/osvdb/OSVDB:25195)\nOther Advisory URL: http://pridels.blogspot.com/2006/05/cyberbuild-vuln.html\nISS X-Force ID: 26201\nFrSIRT Advisory: ADV-2006-1630\n[CVE-2006-2179](https://vulners.com/cve/CVE-2006-2179)\nBugtraq ID: 17829\n", "published": "2006-05-01T05:02:36", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:25196", "cvelist": ["CVE-2006-2179"], "lastseen": "2017-04-28T13:20:21"}, {"id": "OSVDB:25195", "type": "osvdb", "title": "CyberBuild login.asp SessionID Variable SQL Injection", "description": "## Vulnerability Description\nCyberBuild contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'login.asp' script not properly sanitizing user-supplied input to the 'SessionID' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nCyberBuild contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'login.asp' script not properly sanitizing user-supplied input to the 'SessionID' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\n/login.asp?SessionID=[SQL]\n## References:\nVendor URL: http://www.smartwin.com.au/cyberbuild.htm\n[Secunia Advisory ID:19889](https://secuniaresearch.flexerasoftware.com/advisories/19889/)\n[Related OSVDB ID: 25196](https://vulners.com/osvdb/OSVDB:25196)\n[Related OSVDB ID: 25197](https://vulners.com/osvdb/OSVDB:25197)\n[Related OSVDB ID: 25198](https://vulners.com/osvdb/OSVDB:25198)\n[Related OSVDB ID: 25199](https://vulners.com/osvdb/OSVDB:25199)\nOther Advisory URL: http://pridels.blogspot.com/2006/05/cyberbuild-vuln.html\nISS X-Force ID: 26201\nFrSIRT Advisory: ADV-2006-1630\n[CVE-2006-2179](https://vulners.com/cve/CVE-2006-2179)\nBugtraq ID: 17829\n", "published": "2006-05-01T05:02:36", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:25195", "cvelist": ["CVE-2006-2179"], "lastseen": "2017-04-28T13:20:21"}], "seebug": [{"id": "SSV-81406", "type": "seebug", "title": "CyberBuild 0 browse0.htm ProductIndex Parameter SQL Injection", "description": "Summary: \nCyberBuild there are multiple SQL injection vulnerabilities. A remote attacker can(1)login. asp SessionID parameter or(2)of the browse0. htm ProductIndex parameter to execute arbitrary SQL commands.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-81406", "cvelist": ["CVE-2006-2179"], "lastseen": "2016-07-31T01:40:56"}, {"id": "SSV-81405", "type": "seebug", "title": "CyberBuild 0 login. asp SessionID Parameter SQL Injection", "description": "Summary: \nCyberBuild there are multiple SQL injection vulnerabilities. A remote attacker can(1)login. asp SessionID parameter or(2)of the browse0. htm ProductIndex parameter to execute arbitrary SQL commands.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-81405", "cvelist": ["CVE-2006-2179"], "lastseen": "2016-07-31T01:09:37"}], "exploitdb": [{"id": "EDB-ID:27813", "type": "exploitdb", "title": "CyberBuild - login.asp SessionID Parameter SQL Injection", "description": "CyberBuild 0 login.asp SessionID Parameter SQL Injection. CVE-2006-2179. Webapps exploit for asp platform", "published": "2006-05-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/27813/", "cvelist": ["CVE-2006-2179"], "lastseen": "2016-02-03T06:47:44"}]}}