CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
89.6%
The remote host appears to be running XTreme ASP Photo Gallery.
There is a flaw in the version of this software installed on the remote host that may allow anyone to inject arbitrary SQL commands, which may in turn be used to gain administrative access on the remote host.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# Ref:
#Date: 15 Jan 2004 22:58:05 -0000
#From: <[email protected]>
#To: [email protected]
#Subject: Xtreme ASP Photo Gallery
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration branch: when `description` is set, the plugin only declares
# its metadata and exits before any request is sent to the target.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(12020);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # External references for the flaw this plugin detects.
  script_cve_id("CVE-2004-2746");
  script_bugtraq_id(9438);

  script_name(english:"XTreme ASP Photo Gallery adminlogin.asp Multiple Parameter SQL Injection");

  # Report text. The continuation lines of each multi-line value start at
  # column 0 because the line breaks and leading characters are part of the
  # string.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP script that is affected by a SQL
injection flaw.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running XTreme ASP Photo Gallery.
There is a flaw in the version of this software installed on the
remote host that may allow anyone to inject arbitrary SQL commands,
which may in turn be used to gain administrative access on the remote
host.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/350028");

  # NOTE(review): no remediation is recorded, so a finding from this plugin
  # gives the operator nothing to apply - confirm whether a fix or a
  # recommended mitigation exists and update this text.
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");

  # CVSS v2 base vector: network reachable, low complexity, no
  # authentication, partial impact on confidentiality, integrity and
  # availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # NOTE(review): RL:OF denotes an official fix, yet the solution above says
  # none is known, and E:H sits beside exploit_available "false" - confirm
  # which values are accurate.
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # CWE-89: SQL injection.
  script_cwe_id(89);

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/01/16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  # Declares that the plugin does more work under thorough tests; the main
  # body adds one extra directory to the search list in that mode.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.");

  # Scheduling constraints: run after http_version.nasl, only when the
  # www/ASP KB key is present, never when CGI scanning has been disabled,
  # and only against a detected web service or port 80.
  script_dependencies("http_version.nasl");
  script_require_keys("www/ASP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}
# Check starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# HTTP port under test. Declared global because check() reads it while the
# main body at the end of the script assigns it from get_http_port().
global_var port;
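# Test one candidate login page for the adminlogin.asp SQL injection flaw.
#
# req: URL path of the login script to test (the caller passes
#      <dir>/admin/adminlogin.asp).
#
# The check runs in two steps:
#   1. GET the page and confirm, by its <title>, that it is the XTREME ASP
#      Photo Gallery login form, so unrelated applications are never probed.
#   2. POST the login form with a lone single quote as the username and look
#      for the database error that an unescaped quote produces.
#
# On a match the finding is reported, a KB item flags the port as affected
# by SQL injection, and the whole plugin exits. Otherwise the function
# falls through so the caller can try the next directory.
#
# NOTE(review): detection depends on the server returning the detailed
# database error in the response body. A site that hides such errors would
# not match, so a clean result is not proof that the script is fixed.
function check(req)
{
  local_var r, buf, variables;

  # Make sure script exists. A missing response ends the plugin outright
  # instead of moving on to the remaining directories.
  r = http_send_recv3(method:"GET", item:req, port:port);
  if (isnull(r)) exit(0);

  if ("<title>Login - XTREME ASP Photo Gallery</title>" >< r[2])
  {
    # Form body with an unbalanced quote in the username field.
    variables = string("username='&password=y&Submit=Submit");

    # exit_on_fail stops the plugin if the POST gets no usable response.
    r = http_send_recv3(method: "POST", item: req, port: port,
                        exit_on_fail: 1,
                        content_type: "application/x-www-form-urlencoded",
                        data: variables);
    buf = r[2];

    # Both markers are required: the echoed query fragment containing the
    # submitted values and the error code 80040e14. Requiring the pair keeps
    # a page that merely mentions one of them from being reported.
    if ("in query expression 'username=''' AND password='y'" >< buf && "80040e14" >< buf)
    {
      security_hole(port);
      # Recorded in the KB under the port's SQLInjection key.
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}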
# Pick the web port to test, defaulting to 80.
# NOTE(review): asp: 1 presumably limits the choice to servers that support
# ASP - confirm against http.inc.
port = get_http_port(default:80, asp: 1);

# Build the list of directories to search. Under thorough tests the
# /photoalbum directory is tried in addition to the known CGI directories,
# with duplicates removed.
if (thorough_tests)
{
  dirs = list_uniq(make_list("/photoalbum", cgi_dirs()));
}
else
{
  dirs = make_list(cgi_dirs());
}

# check() exits the plugin itself on the first confirmed finding, so the
# loop only runs to completion when nothing was detected.
foreach d (dirs)
{
  check(req:d + "/admin/adminlogin.asp");
}