Vulnerabilities > CVE-2003-0492 - Cross-Site Scripting vulnerability in Snitz Communications Snitz Forums 2000 3.4.03

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
snitz-communications
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in search.asp for Snitz Forums 3.4.03 and earlier allows remote attackers to execute arbitrary web script via the Search parameter.

Vulnerable Configurations

Part Description Count
Application
Snitz_Communications
1

Exploit-Db

  • description: Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities. Webapps exploit for multiple platforms
    id: EDB-ID:43445
    last seen: 2018-01-24
    modified: 2003-06-16
    published: 2003-06-16
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/43445/
    title: Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities
  • description: Snitz Forums 2000 3.4.03 Search.ASP Cross-Site Scripting Vulnerability. CVE-2003-0492. Webapps exploit for the ASP platform
    id: EDB-ID:22778
    last seen: 2016-02-02
    modified: 2003-06-16
    published: 2003-06-16
    reporter: JeiAr
    source: https://www.exploit-db.com/download/22778/
    title: Snitz Forums 2000 3.4.03 - Search.ASP Cross-Site Scripting Vulnerability

Nessus

NASL family: CGI abuses
NASL id: SNITZ_FORUMS_2000_XSS.NASL
description: The remote host is using Snitz Forum 2000. This set of CGI is vulnerable to a cross-site scripting issue that may allow attackers to steal the cookies of your users. In addition to this flaw, a user may use the file Password.ASP to reset arbitrary passwords, therefore gaining administrative access on this web system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11597
published: 2003-05-07
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11597
title: Snitz Forums 2000 3.4.03 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

# Plugin registration. When the scanner loads the plugin with
# `description` set, this branch only records metadata and exits;
# nothing in it touches the target host.
if (description)
{
  script_id(11597);
  script_version ("1.28");

  # Two issues are reported by the same check: the search.asp XSS
  # (CVE-2003-0492) and the Password.ASP reset (CVE-2003-0494)
  # named in the description text below.
  script_cve_id("CVE-2003-0492", "CVE-2003-0494");
  script_bugtraq_id(7381, 7922, 7925);

  script_name(english:"Snitz Forums 2000 3.4.03 Multiple Vulnerabilities");
  script_summary(english:"Determine if Snitz forums is vulnerable to xss attack");

  script_set_attribute(
    attribute:'synopsis',
    value:'The remote web application is vulnerable to injection attacks.'
  );

  script_set_attribute(
    attribute:'description',
    value:'The remote host is using Snitz Forum 2000.

This set of CGI is vulnerable to a cross-site-scripting issue
that may allow attackers to steal the cookies of your
users.

In addition to this flaw, a user may use the file Password.ASP to
reset arbitrary passwords, therefore gaining administrative access
on this web system.'
  );

  script_set_attribute(
    attribute:'solution',
    value:'The vendor has released a patch. http://forum.snitz.com/'
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): "exploit_available" is recorded as "false" although the
  # temporal vector above says E:POC and public Exploit-DB entries exist
  # for this CVE; confirm which value the current plugin feed carries.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(
    attribute:'see_also',
    value:'https://seclists.org/bugtraq/2003/Jun/127'
  );

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/07");
 script_set_attribute(attribute:"vuln_publication_date", value: "2003/06/16");
 script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  # cross_site_scripting.nasl is listed so that its generic_xss KB key
  # (consulted by the detection code) is populated before this runs.
  script_dependencie("http_version.nasl", "no404.nasl", "cross_site_scripting.nasl");
  script_require_ports("Services/www", 80);
  # Honour the global "disable CGI scanning" setting and only run
  # against servers already identified as serving ASP.
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/ASP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

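# Detection. Request search.asp in every candidate forum directory, look
# for the Snitz banner and, when the banner advertises a version, report
# only 3.4.03 and earlier (the affected range); a banner without a version
# is still reported, as before, since the version cannot be ruled out.
port = get_http_port(default:80);
# Both issues live in ASP pages; a server that cannot run ASP is not affected.
if ( ! can_host_asp(port:port) ) exit(0);
# cross_site_scripting.nasl already flagged this server as reflecting
# arbitrary input; a Snitz-specific XSS finding would only duplicate it.
if(get_kb_item(string("www/", port, "/generic_xss"))) exit(0);

dir = list_uniq("/forum", cgi_dirs());

foreach d (dir)
{
 url = string(d, '/search.asp');
 r = http_send_recv3(method: "GET", item:url, port:port);
 # No reply at all means the server stopped answering; nothing more to test.
 if (isnull(r)) exit(0);

 # Ex: Powered By: Snitz Forums 2000 Version 3.4.03
 if ("Powered By: Snitz Forums 2000" >< r[2])
   {
    # The plain banner check above matched every Snitz version, including
    # patched ones. When a version number follows the banner, skip installs
    # newer than 3.4.03 to avoid a false positive; otherwise fall through
    # and report exactly as the banner-only check did.
    m = eregmatch(pattern:"Powered By: Snitz Forums 2000 Version ([0-9]+\.[0-9]+(\.[0-9]+)*)", string:r[2]);
    if (!isnull(m) && ver_compare(ver:m[1], fix:"3.4.03", strict:FALSE) > 0) continue;

    security_warning(port);
    # Record the finding so other plugins can see an XSS was confirmed here.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
   }
}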