
Site@School slideshow_full.php album_name Parameter SQL Injection

This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.

The remote host is running Site@School, an open source, PHP-based, content management system intended for primary schools.

The version of this software installed on the remote host fails to sanitize user-supplied input to the ‘album_name’ parameter of the ‘starnet/addons/slideshow_full.php’ script before using it in a database query. Provided PHP’s ‘magic_quotes_gpc’ setting is disabled, an attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information, modification of data, or attacks against the underlying database.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration: metadata only, executed when the engine asks for
# the description rather than running the check itself.
if (description)
{
  script_id(29835);
  script_version("1.19");

  # Public identifiers for the flaw this plugin tests.
  script_cve_id("CVE-2008-0129");
  script_bugtraq_id(27120);
  script_xref(name:"EDB-ID", value:"4832");

  script_name(english:"Site@School slideshow_full.php album_name Parameter SQL Injection");
  script_summary(english:"Tries to generate a SQL syntax error");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to a SQL
injection attack." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Site@School, an open source, PHP-based,
content management system intended for primary schools. 

The version of this software installed on the remote host fails to
sanitize user-supplied input to the 'album_name' parameter of the
'starnet/addons/slideshow_full.php' script before using it in a
database query.  Provided PHP's 'magic_quotes_gpc' setting is
disabled, an attacker may be able to exploit this issue to manipulate
database queries, leading to disclosure of sensitive information,
modification of data, or attacks against the underlying database." );
 # No vendor fix was known when this plugin was written; the text below
 # is the remediation shown to the user.
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
 script_cwe_id(89);
 script_set_attribute(attribute:"plugin_publication_date", value: "2008/01/04");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:siteatschool:siteatschool");
script_end_attributes();


  # ACT_ATTACK: the check sends a crafted request to the target, so it is
  # skipped in scan policies that disallow active probing.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.");

  # Run only after the web server has been fingerprinted, and only when
  # CGI scanning is enabled and PHP was detected on the host.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


# Resolve the web port and stop early if the server cannot run PHP.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Probe every known CGI directory for the vulnerable script.
foreach dir (cgi_dirs())
{
  # A lone quote followed by a random number: the quote breaks the SQL
  # string, and the random number lets us recognise our own input when
  # the server echoes it back inside the database error text.
  nonce = rand();
  probe = "'" + nonce;

  target = dir + "/starnet/addons/slideshow_full.php?album_name=" + urlencode(str:probe);
  reply = http_send_recv3(method:"GET", item:target, port:port);
  if (isnull(reply)) exit(1, "The web server did not answer");
  body = reply[2];

  # Only a verbose MySQL syntax error that quotes our probe counts as
  # evidence, so a host that suppresses database error output will not
  # be flagged by this check even if the injection is present.
  evidence = probe + "'' at line 1SELECT id, description, children ";
  if (evidence >< body)
  {
    security_warning(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}