Vulnerabilities > CVE-2004-1552 - SQL Injection vulnerability in Full Revolution Aspwebcalendar 4.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
full-revolution
nessus
exploit available
NVD
Published: 2004-12-31
Updated: 2017-10-11

Summary

SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.

Vulnerable Configurations

Part Description Count
Application
Full_Revolution
1

Exploit-Db

  • descriptionWeb Calendar System 3.12/3.30 Multiple Remote Vulnerabilities. CVE-2004-1552. Webapps exploit for php platform
    idEDB-ID:7242
    last seen2016-02-01
    modified2008-11-27
    published2008-11-27
    reporterBl@ckbe@rD
    sourcehttps://www.exploit-db.com/download/7242/
    titleweb calendar system 3.12/3.30 - Multiple Vulnerabilities
  • descriptionaspWebCalendar 4.5 (calendar.asp eventid) SQL Injection Vulnerability. CVE-2004-1552. Webapps exploit for asp platform
    fileexploits/asp/webapps/3546.txt
    idEDB-ID:3546
    last seen2016-01-31
    modified2007-03-22
    platformasp
    port
    published2007-03-22
    reporterparad0x
    sourcehttps://www.exploit-db.com/download/3546/
    titleaspWebCalendar 4.5 calendar.asp eventid SQL Injection Vulnerability
    typewebapps

Nessus

NASL familyCGI abuses
NASL idASPWEBCALENDAR_SQL.NASL
descriptionThe remote host appears to be running aspWebCalendar, an ASP script designed to faciliate the integration of multiple calendars in a web- based application. There is a flaw in the remote software that could allow anyone to inject arbitrary SQL commands, which may in turn be used to gain administrative access on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id14816
published2004-09-24
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/14816
titleaspWebCalendar calendar.asp SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
 script_id(14816);
 script_version("1.20");
 script_cve_id("CVE-2004-1552");
 script_bugtraq_id(11246);

 script_name(english: "aspWebCalendar calendar.asp SQL Injection");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is vulnerable to a SQL injection attack." );
 script_set_attribute(attribute:"description", value:
"The remote host appears to be running aspWebCalendar, an ASP script
designed to faciliate the integration of multiple calendars in a web-
based application.

There is a flaw in the remote software that could allow anyone
to inject arbitrary SQL commands, which may in turn be used to
gain administrative access on the remote host." );
 script_set_attribute(attribute:"solution", value:
"Upgrade to the latest version of this software." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/24");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/23");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:full_revolution:aspwebcalendar");
script_end_attributes();

 script_summary(english: "SQL Injection");
 script_category(ACT_GATHER_INFO);
 script_copyright(english: "This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english: "CGI abuses");
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/ASP");
 exit(0);
}

# Check starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


function check(port, req)
{
  local_var	r, ldata;
  ldata = "txtUserName=%27&txtPassword=&LoginButton=Login";
  r = http_send_recv3(port: port, method: 'POST', version: 11, item: req,
add_headers: make_array("Content-Type", "application/x-www-form-urlencoded"),
	     data: ldata);
  if (isnull(r)) exit(0);

  if("error '80040e14'" >< r[2] && 
     "'Cal_User_UserName = ''''" >< r[2])
  	{
	security_warning(port);
	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
	exit(0);
	}
  return(0);
}

port = get_http_port(default:80);

if (! get_port_state(port)) exit(0);
if ( ! can_host_asp(port:port) ) exit(0);


foreach dir (cgi_dirs()) 
 {
  if (is_cgi_installed3(item:dir + "/calendar.asp", port:port))
   check(port: port, req:dir + "/calendar.asp?action=processlogin");
 }

References