Lucene search

K

GoSmart message board multiple flaws

🗓️ 03 Nov 2005 00:00:00Reported by This script is Copyright (C) 2004 David MaciejakType 
openvas
 openvas
🔗 plugins.openvas.org👁 17 Views

The GoSmart message board software written in ASP is vulnerable to multiple flaws, including failure to sanitize user input, cross-site scripting, and SQL injection

Show more
Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
GoSmart Message Board Multiple Vulnerabilities (SQLi, XSS)
11 Oct 200400:00
nessus
OpenVAS
GoSmart Multiple Vulnerabilities
3 Nov 200500:00
openvas
Cvelist
CVE-2004-1588
20 Feb 200505:00
cvelist
Cvelist
CVE-2004-1589
20 Feb 200505:00
cvelist
CVE
CVE-2004-1588
20 Feb 200505:00
cve
CVE
CVE-2004-1589
20 Feb 200505:00
cve
NVD
CVE-2004-1588
31 Dec 200405:00
nvd
NVD
CVE-2004-1589
31 Dec 200405:00
nvd
# OpenVAS Vulnerability Test
# $Id: gosmart_message_board.nasl 5786 2017-03-30 10:08:58Z cfi $
# Description: GoSmart message board multiple flaws
#
# Authors:
# David Maciejak <david dot maciejak at kyxar dot fr>
# based on work from (C) Tenable Network Security
#
# Copyright:
# Copyright (C) 2004 David Maciejak
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_summary = "The remote host is running GoSmart message board, a bulletin board 
manager written in ASP.


The remote version of this software contains multiple flaws, due o
to a failure of the application to properly sanitize user-supplied input.

It is also affected by a cross-site scripting vulnerability. 
As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed 
in the browser of an unsuspecting user when followed. 

Furthermore, this version is vulnerable to SQL injection flaws that
let an attacker inject arbitrary SQL commands.";

tag_solution = "Upgrade to the newest version of this software";

#  Ref: Alexander Antipov <antipov SecurityLab ru> - MAxpatrol Security

if(description)
{
 script_id(15451);
 script_version("$Revision: 5786 $");
 script_tag(name:"last_modification", value:"$Date: 2017-03-30 12:08:58 +0200 (Thu, 30 Mar 2017) $");
 script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
 script_cve_id("CVE-2004-1588", "CVE-2004-1589");
 script_bugtraq_id(11361);
 script_tag(name:"cvss_base", value:"7.5");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_name("GoSmart message board multiple flaws");
 script_category(ACT_ATTACK);
 script_tag(name:"qod_type", value:"remote_vul");
 script_copyright("This script is Copyright (C) 2004 David Maciejak");
 script_family("Web application abuses");
 script_dependencies("find_service.nasl", "http_version.nasl", "cross_site_scripting.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_tag(name : "solution" , value : tag_solution);
 script_tag(name : "summary" , value : tag_summary);
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if ( ! can_host_asp(port:port) ) exit(0);
if ( get_kb_item("www/" + port + "/generic_xss") ) exit(0);

foreach dir( make_list_unique( "/messageboard", cgi_dirs( port:port ) ) ) {

  if( dir == "/" ) dir = "";
  req = string(dir, "/Forum.asp?QuestionNumber=1&Find=1&Category=%22%3E%3Cscript%3Efoo%3C%2Fscript%3E%3C%22");
  req = http_get(item:req, port:port);
  r = http_keepalive_send_recv(port:port, data:req);
  if( r == NULL ) continue;

  if (r =~ "HTTP/1\.. 200" && egrep(pattern:"<script>foo</script>", string:r)) {
    security_message(port);
    exit(0);
  }
}

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo