7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
70.0%
The remote host is running DevTrack, a defect and project tracking tool.
The DevTrack Web Services component installed on the remote host contains an ASP script that fails to sanitize user-supplied input to the ‘UserName’ parameter before using it in a database query. An unauthenticated, remote attacker may be able to leverage this flaw to manipulate SQL queries and uncover sensitive information, modify data, or even launch attacks against the underlying database.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(24322);
script_version("1.20");
script_cve_id("CVE-2007-0853");
script_bugtraq_id(22460);
script_name(english:"DevTrack Web Service UserName Field SQL Injection");
script_summary(english:"Tries to generate a SQL error using DevTrack Web Service");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that is affected by
a SQL injection vulnerability." );
script_set_attribute(attribute:"description", value:
"The remote host is running DevTrack, a defect and project tracking
tool.
The DevTrack Web Services component installed on the remote host
contains an ASP script that fails to sanitize user-supplied input to
the 'UserName' parameter before using it in a database query. An
unauthenticated, remote attacker may be able to leverage this flaw to
manipulate SQL queries and uncover sensitive information, modify data,
or even launch attacks against the underlying database." );
script_set_attribute(attribute:"solution", value:
"The vendor is rumoured to be incorporating a fix into DevTrack version
6.2." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/09");
script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/08");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:techexcel_inc.:devtrack");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/ASP");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
port = get_http_port(default:80, embedded: 0);
if (!can_host_asp(port:port)) exit(0);
# Loop through various directories.
#
# nb: the app uses "/TXWebService" by default so make sure we do too.
dirs = list_uniq(make_list("/TXWebService", cgi_dirs()));
foreach dir (dirs)
{
# Try to generate a SQL error.
exploit = string("'nessus", unixtime());
r = http_send_recv3(method: "GET", port: port, item:string(
dir, "/DataService.asmx/AuthUser?",
"UserName=", urlencode(str:exploit), "&",
# nb: leave it empty to return data.
"Password=nasl&",
"NeedCompress=0"
));
if (isnull(r)) exit(0);
# There's a problem if we see a SQL error.
if (
"ReturnMessage>Database Error" >< r[2] &&
string("Incorrect syntax near ", exploit, "'") >< r[2]
)
{
security_hole(port);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}
Vendor | Product | Version | CPE |
---|---|---|---|
techexcel_inc. | devtrack | cpe:/a:techexcel_inc.:devtrack |