Snitz Forums 2000 < 3.4.03 register.asp Email Parameter SQL Injection

2004-08-04T00:00:00
ID SNITZ_FORUMS_2000_SQL_INJECTION.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote host is using Snitz Forum 2000.

This version allows an attacker to execute stored procedures and non-interactive operating system commands on the system.

The problem stems from the fact that the 'Email' variable in the register.asp module fails to properly validate and strip out malicious SQL data.

An attacker, exploiting this flaw, would need network access to the web server. A successful attack would allow the remote attacker the ability to potentially execute arbitrary system commands through common SQL stored procedures such as xp_cmdshell.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(14227);
 script_version("1.27");

 script_cve_id("CVE-2003-0286");
 script_bugtraq_id(7549);

 script_name(english:"Snitz Forums 2000 < 3.4.03 register.asp Email Parameter SQL Injection");

 script_set_attribute(attribute:"synopsis", value:
"The discussion forum running on the remote web server has a SQL
injection vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is using Snitz Forum 2000.

This version allows an attacker to execute stored procedures 
and non-interactive operating system commands on the system. 

The problem stems from the fact that the 'Email' variable
in the register.asp module fails to properly validate and
strip out malicious SQL data.  

An attacker, exploiting this flaw, would need network access
to the web server.  A successful attack would allow the 
remote attacker the ability to potentially execute arbitrary
system commands through common SQL stored procedures such 
as xp_cmdshell." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/vulnwatch/2003/q2/69");
 script_set_attribute(attribute:"solution", value:
"Upgrade to Snitz Forum 2000 version 3.4.03 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(89);

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/04");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/12");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Determine Snitz forums version");
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 
 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("www/ASP");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if ( ! can_host_asp(port:port) ) 
	exit(0);

url = "/forum/register.asp";
buf = http_send_recv3(method:"GET", item:url, port:port);
if( isnull(buf) ) exit(0);

# Ex: Powered By: Snitz Forums 2000 Version 3.4.03

#if("Powered By: Snitz Forums 2000 3.3.03" >< buf[2] )
# jwl: per CVE, all version prior to 3.3.03 are vulnerable
if (egrep(string:buf[2], pattern:"Powered By: Snitz Forums 2000 ([0-2]\..*|3\.[0-2]\..*|3\.3\.0[0-2])"))
{
	security_hole(port);
	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    	exit(0);
}