Vulnerabilities > CVE-2004-2200 - Remote vulnerability in DUware Software

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
duware
nessus
NVD
Published: 2004-12-31
Updated: 2017-07-11

Summary

Cross-site scripting (XSS) vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to inject arbitrary web script or HTML via via the message text.

Vulnerable Configurations

Part Description Count
Application
Duware
2

Nessus

NASL familyCGI abuses
NASL idDUWARE_MULTIPLE_FLAWS.NASL
descriptionThe remote host is running a product published by DUware - either DUclassmate, DUclassified or DUforum. There is a flaw in the remote version of this software that could allow an attacker to execute arbitrary SQL statements on the remote host by supplying malformed values to the arguments of /admin/, messages.asp or messagesDetails.asp. In addition, DUclassified contains a cross-site scripting vulnerability in Message Text handling. DUclassmate contains an unauthorized password manipulation issue in account.asp.
last seen2020-06-01
modified2020-06-02
plugin id15453
published2004-10-11
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15453
titleDUware Products Multiple Remote Vulnerabilities (SQLi, XSS)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(15453);
 script_cve_id("CVE-2004-2198", "CVE-2004-2199", "CVE-2004-2200", "CVE-2004-2201", "CVE-2004-2202");
 script_bugtraq_id(11363);
 script_version ("1.17");

 script_name(english:"DUware Products Multiple Remote Vulnerabilities (SQLi, XSS)");
 script_set_attribute(attribute:"synopsis", value:
"The remote service is vulnerable to several flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a product published by DUware - either
DUclassmate, DUclassified or DUforum.

There is a flaw in the remote version of this software that could allow
an attacker to execute arbitrary SQL statements on the remote host by
supplying malformed values to the arguments of /admin/, messages.asp or
messagesDetails.asp.

In addition, DUclassified contains a cross-site scripting vulnerability
in Message Text handling. DUclassmate contains an unauthorized password 
manipulation issue in account.asp." );
 script_set_attribute(attribute:"solution", value:
"Upgrade the newest version of this software." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/10/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/11");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Determines if the remote ASP scripts are vulnerable to SQL injection"); 
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/ASP");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if(!can_host_asp(port:port))exit(0);

urls = make_list("/index.asp?user='", "messageDetail.asp?MSG_ID='");
foreach d (cgi_dirs())
{
 foreach url (urls) 
 {
 r = http_send_recv3(method: "GET", item: d + url, port:port);
 if ( isnull(r) ) exit(0);
 if ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'" >< r[2] )
  {
  security_hole(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
  }
 }
}

References