Vulnerabilities > CVE-2004-1622 - SQL Injection vulnerability in Ubbcentral Ubb.Threads 3.4/3.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ubbcentral
nessus
exploit available

Summary

SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allows remote attackers to execute arbitrary SQL statements via the Name parameter.

Vulnerable Configurations

Part Description Count
Application
Ubbcentral
2

Exploit-Db

description: UBBCentral UBB.threads 3.4/3.5 Dosearch.PHP SQL Injection Vulnerability. CVE-2004-1622. Webapps exploit for php platform
id: EDB-ID:24698
last seen: 2016-02-02
modified: 2004-10-21
published: 2004-10-21
reporter: Florian Rock
source: https://www.exploit-db.com/download/24698/
title: UBBCentral UBB.threads 3.4/3.5 - DoSearch.PHP SQL Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: UBBTHREADS_SQL_INJECTION.NASL
description: There is a SQL injection issue in the remote version of UBB.threads that may allow an attacker to execute arbitrary SQL statements on the remote host and potentially overwrite arbitrary files there by sending a malformed value to the 'Name' argument of the file 'dosearch.php'.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15561
published: 2004-10-25
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15561
title: UBB.threads dosearch.php SQL injection
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration section: when the engine loads the plugin with 'description'
# set, only the metadata below is declared and the script exits (exit(0) at
# the end of this block) before any request is sent.
if(description)
{
 # Plugin identity and revision as recorded by the author.
 script_id(15561);
 script_version("1.16");
 script_cvs_date("Date: 2018/08/01 17:36:12");

 # External references for the issue this plugin reports.
 script_cve_id("CVE-2004-1622");
 script_bugtraq_id(11502);

 script_name(english:"UBB.threads dosearch.php SQL injection");
 script_summary(english:"SQL Injection in UBB.threads");
 
 # Report text shown to the operator: short synopsis, then the full
 # description naming the 'Name' argument of dosearch.php.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to SQL
injection attacks." );
 script_set_attribute(attribute:"description", value:
"There is a SQL injection issue in the remote version of UBB.threads
that may allow an attacker to execute arbitrary SQL statements on the
remote host and potentially overwrite arbitrary files there by sending
a malformed value to the 'Name' argument of the file 'dosearch.php'." );
 script_set_attribute(attribute:"see_also", value:"http://marc.info/?l=bugtraq&m=109839925207038&w=2" );
 # No remediation is named here, so a finding from this plugin carries no
 # upgrade target; the operator has to obtain one from the vendor.
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 # CVSS v2 base vector: network access, low complexity, no authentication,
 # partial confidentiality / integrity / availability impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # NOTE(review): the temporal vector claims RL:OF (official fix) while the
 # solution above reads "Unknown at this time.", and E:H sits next to
 # exploit_available "false" below - confirm which values are current.
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/10/25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/21");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_ATTACK: the check sends a crafted request to the target rather than
 # only reading a banner, so it belongs in scans where that is acceptable.
 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 # Scheduling constraints: run after ubbthreads_detect.nasl, only when the
 # "www/ubbthreads" KB key exists, and not when CGI scanning is disabled.
 script_dependencies("ubbthreads_detect.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);
 script_require_keys("www/ubbthreads");
 exit(0);
}

# Check starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Web port to test; 80 is the default handed to get_http_port(), and php:TRUE
# is passed through as in the original (presumably to require PHP support -
# confirm in http.inc).
port = get_http_port(default:80, php:TRUE);

# Read the UBB.threads install entry stored in the KB for this port
# (presumably written by ubbthreads_detect.nasl). Without it there is
# nothing to test.
kb_entry = get_kb_item(string("www/", port, "/ubbthreads"));
if (isnull(kb_entry)) exit(0);

# The entry is expected to look like "<something> under <path>"; only the
# path (second capture group) is used. An entry in any other shape ends the
# check without a finding.
parts = eregmatch(string:kb_entry, pattern:"^(.+) under (/.*)$");
if (isnull(parts)) exit(0);

base_dir = parts[2];
probe = base_dir + "/dosearch.php?Name=42'";

# A single GET with an unbalanced quote in 'Name'. exit_on_fail:TRUE asks
# the helper to end the plugin if the request itself fails.
reply = http_send_recv3(method:"GET", port:port, item:probe, exit_on_fail:TRUE);
body = reply[2];

# Error-based heuristic: the finding is raised only when the text
# "mysql_fetch_array()" shows up in the response body. A server that does
# not echo PHP/MySQL errors to the client may therefore go unreported, so a
# clean result here is not proof that the install is patched.
if ("mysql_fetch_array()" >< body)
{
  security_hole(port);
  # Record the result in the KB under this port's SQLInjection key.
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
}