Vulnerabilities > CVE-2004-1555 - SQL Injection vulnerability in BroadBoard Message Board

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
broadboard-instant
nessus
exploit available

Summary

Multiple SQL injection vulnerabilities in BroadBoard Instant ASP Message Board allow remote attackers to run arbitrary SQL commands via the (1) keywords parameter to search.asp, (2) handle parameter to profile.asp, (3) txtUserHandle parameter to reg2.asp or (4) txtUserEmail parameter to forgot.asp.

Vulnerable Configurations

Part Description Count
Application
Broadboard_Instant
1

Exploit-Db

  • description: FreezingCold Broadboard search.asp SQL Injection. CVE-2004-1555. Webapps exploit for asp platform
    id: EDB-ID:24625
    last seen: 2016-02-02
    modified: 2004-09-27
    published: 2004-09-27
    reporter: pigrelax
    source: https://www.exploit-db.com/download/24625/
    title: FreezingCold Broadboard search.asp SQL Injection
  • description: FreezingCold Broadboard profile.asp SQL Injection. CVE-2004-1555. Webapps exploit for asp platform
    id: EDB-ID:24626
    last seen: 2016-02-02
    modified: 2004-09-27
    published: 2004-09-27
    reporter: pigrelax
    source: https://www.exploit-db.com/download/24626/
    title: FreezingCold Broadboard profile.asp SQL Injection

Nessus

NASL family: CGI abuses
NASL id: BROADBOARD_SQL_INJECTION.NASL
description: The remote host appears to be running BroadBoard, an ASP script designed to manage a web-based bulletin-board system. There is a flaw in the remote software that could allow a remote attacker to inject arbitrary SQL commands, which could in turn be used to gain administrative access on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14828
published: 2004-09-27
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14828
title: BroadBoard Multiple Script SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");


# Registration pass: when 'description' is set the script only declares its
# metadata (identifiers, report text, scoring, scheduling requirements) and
# then exits without sending any traffic to the target.
if(description)
{
 # Plugin id and the external identifiers this finding is tracked under.
 script_id(14828);
 script_cve_id("CVE-2004-1555");
 script_bugtraq_id(11250);
 script_version("1.23");
 script_xref(name:"Secunia", value:"12658");

 script_name(english:"BroadBoard Multiple Script SQL Injection");
 script_summary(english:"SQL Injection");
 
 # Report text shown to the analyst: short synopsis, longer description,
 # reference link and remediation advice.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is hosting an application written in ASP with
multiple SQL injection vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host appears to be running BroadBoard, an ASP script
designed to manage a web-based bulletin-board system.

There is a flaw in the remote software that could allow a remote
attacker to inject arbitrary SQL commands, which could in turn be used
to gain administrative access on the remote host." );
 script_set_attribute(
   attribute:"see_also",
   value:"https://seclists.org/fulldisclosure/2004/Sep/971"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Upgrade to the latest version of BroadBoard."
 );
 # CVSS v2 base vector: network-reachable, low complexity, no authentication,
 # partial impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: functional exploit (E:F), remediation level
 # unavailable (RL:U), report confidence not defined (RC:ND).
 # NOTE(review): RL:U says no fix is available while the "solution"
 # attribute above advises upgrading -- confirm with the vendor whether a
 # fixed release exists before relying on either statement.
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/27");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/26");
 script_cvs_date("Date: 2018/11/15 20:50:16");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # Registered as information gathering. NOTE(review): the check below does
 # send a request containing an unbalanced single quote, so it is not purely
 # passive -- keep that in mind when scanning fragile production hosts.
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 # Scheduling: named dependency scripts, the web service port, and the
 # knowledge-base keys that gate execution. Presumably the plugin is skipped
 # when CGI scanning is disabled or when "www/ASP" is not set -- verify
 # against the scanner's key semantics.
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/ASP");
 # End of the registration pass; the check code below is not reached here.
 exit(0);
}

# Check starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Pick the HTTP port to test (80 unless the scanner identified another one).
port = get_http_port(default:80);

# BroadBoard is an ASP application: stop here when the helper reports that
# this port cannot serve ASP, so no probe request is sent to such hosts.
if (!can_host_asp(port:port))
  exit(0);


# Probe one candidate install directory for the profile.asp SQL injection.
#
# dir: URL path prefix under which profile.asp is requested.
#
# A single GET is sent with the 'handle' parameter set to foo' (one trailing
# single quote). The host is reported only when the response contains BOTH
# the "error '80040e14'" marker and the tblUsers.UserHandle fragment with the
# unbalanced quote echoed back, i.e. the input reached the SQL statement
# unescaped and the database error was returned to the client.
#
# Limits a reader of the scan result should know:
#  - Only profile.asp / handle is requested here, although the plugin title
#    says "Multiple Script". A clean result says nothing about other scripts
#    of the application.
#  - The match relies on the database error text being present in the HTTP
#    response. A server that hides such errors will not match, so "not
#    reported" is not evidence that the parameter is safely handled.
#  - exit(0) on a missing response ends the whole plugin, not just this
#    directory; later directories are then never tested.
#
# Uses the global 'port' set before the function is called.
function check(dir)
{
  local_var res, page;

  res = http_send_recv3(method:"GET", item:dir + "/profile.asp?handle=foo'", port:port);
  if (isnull(res)) exit(0);

  # Join the three parts of the reply (presumably status line, headers and
  # body, per http.inc) into one buffer so the markers can be searched once.
  page = strcat(res[0], res[1], '\r\n', res[2]);

  # Both markers are required; either one missing means no finding here.
  if ("error '80040e14'" >!< page) return(0);
  if ("'tblUsers.UserHandle='foo'''" >!< page) return(0);

  # Confirmed: raise the finding, record it in the knowledge base under
  # www/<port>/SQLInjection, and stop the plugin after the first hit.
  security_hole(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}

# Run the probe against every CGI directory known to the scanner.
# check() ends the plugin itself on the first confirmed finding (or on a
# missing response), so the loop only completes when nothing was detected.
foreach d (cgi_dirs())
  check(dir:d);