Vulnerabilities > CVE-2004-0036 - SQL Injection vulnerability in Jelsoft Vbulletin 2.3.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
jelsoft
nessus

Summary

SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter.

Vulnerable Configurations

Part Description Count
Application
Jelsoft
1

Nessus

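NASL family: CGI abuses
NASL id: VBULLETIN_CALENDER_SQL_INJECTION.NASL
description: A vulnerability has been discovered in the 'calendar.php' script that allows unauthorized users to inject SQL commands through the 'eventid' parameter. An attacker may use this flaw to gain the control of the remote database.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11981
published: 2004-01-06
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11981
title: vBulletin calendar.php eventid Parameter SQL Injection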
code
#
# (C) Tenable Network Security, Inc.
#

# Ref:
# From:   [email protected]
# Subject: vBulletin Forum 2.3.xx calendar.php SQL Injection
# Date: January 5, 2004 9:32:15 PM CET
# To:   [email protected]
#

include("compat.inc");

# Registration section: this branch only declares the plugin's metadata and
# prerequisites and then exits (see the exit(0) at its end); nothing in it
# contacts the target. The detection logic lives after the closing brace.
if(description)
{
  # Identifiers used to cross-reference the finding: plugin id, CVE and Bugtraq id.
  script_id(11981);
  script_version("1.21");
  script_cve_id("CVE-2004-0036");
  script_bugtraq_id(9360);

  script_name(english:"vBulletin calendar.php eventid Parameter SQL Injection");

 # Report text shown to the operator: what was found, why it matters, references and the fix.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that suffers from a SQL
injection flaw." );
 script_set_attribute(attribute:"description", value:
"A vulnerability has been discovered in the 'calendar.php' script that
allows unauthorized users to inject SQL commands through the 'eventid'
parameter.  An attacker may use this flaw to gain the control of the
remote database." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jan/31" );
 script_set_attribute(attribute:"see_also", value:"https://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/93720-vbulletin-2-3-4-released?postid=588825#post93720" );
 # Remediation is a version upgrade; the plugin offers no configuration workaround.
 script_set_attribute(attribute:"solution", value:
"Upgrade to vBulletin 2.3.4 or later." );
 # NOTE(review): this CVSS v2 base vector rates confidentiality, integrity and
 # availability impact all as partial (7.5 under CVSS v2), whereas the CVE record
 # quoted alongside this plugin lists only a partial confidentiality impact
 # (CVSS 5.0). Findings from this plugin will therefore carry a higher severity
 # than that record; decide which rating your triage process follows.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Descriptive attributes only: the flaw is reachable with an ordinary HTTP request.
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 # The plugin was published one day after the vulnerability was disclosed.
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/01/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/01/05");
 script_cvs_date("Date: 2018/11/15 20:50:19");
# "remote" plugin type: the check is made over the network, not with local credentials.
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:vbulletin:vbulletin");
script_end_attributes();


  script_summary(english:"Detect vBulletin Calendar SQL Injection");
  # ACT_GATHER_INFO places the plugin among the information-gathering checks.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");
  # Scheduling prerequisites: run after vbulletin_detect.nasl (presumably the
  # plugin that records the "www/vBulletin" KB entries - confirm), skip hosts
  # where CGI scanning is disabled, and require a web service plus a detected
  # vBulletin install.
  script_dependencies("vbulletin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/vBulletin");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Detection logic: confirm the prerequisites, send one GET request to
# calendar.php with a malformed 'eventid', and report only if the response
# echoes the failing SQL statement.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# The KB entry for a detected install has the form "<something> under <path>";
# only the path part is used here (the first group is presumably the version).
install = get_kb_item(string("www/", port, "/vBulletin"));
if (isnull(install)) exit(0);

matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(0);
path = matches[2];

# A trailing single quote makes the query syntactically invalid on an
# unpatched install without changing any data.
probe_url = string(path, "/calendar.php?s=&action=edit&eventid=1'");
r = http_send_recv3(method:"GET", item:probe_url, port:port);
if (isnull(r)) exit(0);
res = r[2];

# The finding depends on the application printing the failed query in its
# response. An install that hides database errors will not match, so a clean
# result here is not proof of a fixed version: confirm the installed release
# is 2.3.4 or later, as the plugin's solution text requires.
error_marker = "SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1'";
if (error_marker >< res)
{
  security_hole(port);
  # Record a per-port SQL injection flag in the KB alongside the report.
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}