Lucene search
This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.DUFORUM_SQL_INJECTIONS.NASLHistoryJun 28, 2005 - 12:00 a.m.
DUforum Multiple Scripts SQL Injection
2005-06-2800:00:00
This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.
www.tenable.com
29
The remote host is running DUforum, a web-based message board written in ASP from DUware.
The installed version of DUforum fails to properly sanitize user- supplied input in several instances before using it in SQL queries. By exploiting these flaws, an attacker can affect database queries, possibly disclosing sensitive data and launching attacks against the underlying database.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description) {
script_id(18567);
script_version("1.16");
script_cve_id("CVE-2005-2048");
script_bugtraq_id(14035);
script_name(english:"DUforum Multiple Scripts SQL Injection");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that is vulnerable
to multiple SQL injection attacks." );
script_set_attribute(attribute:"description", value:
"The remote host is running DUforum, a web-based message board written
in ASP from DUware.
The installed version of DUforum fails to properly sanitize user-
supplied input in several instances before using it in SQL queries.
By exploiting these flaws, an attacker can affect database queries,
possibly disclosing sensitive data and launching attacks against the
underlying database." );
script_set_attribute(attribute:"see_also", value:"http://echo.or.id/adv/adv19-theday-2005.txt" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jun/175" );
script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/28");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/22");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
summary["english"] = "Checks for multiple SQL injection vulnerabilities in DUforum";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/ASP");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0);
# Loop through CGI directories.
foreach dir (cgi_dirs()) {
# Try to exploit one of the flaws.
u = string(
dir, "/forums.asp?",
"iFor=", SCRIPT_NAME, "'"
);
r = http_send_recv3(port:port, method: "GET", item: u);
if (isnull(r)) exit(0);
# There's a problem if...
if (
# it looks like DUforum and...
'href="assets/DUforum.css" rel="stylesheet"' >< r[2] &&
# there's a syntax error.
string("Syntax error in string in query expression 'FOR_ID = ", SCRIPT_NAME, "'") >< r[2]
) {
security_hole(port);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}
Related for DUFORUM_SQL_INJECTIONS.NASL