Vulnerabilities > CVE-2004-2201 - Unspecified vulnerability in Duware Duforum 3.0/3.1
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
SQL injection vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to execute arbitrary SQL commands via the FOR_ID parameter in messages.asp, (2) MSG_ID parameter in messageDetail.asp, or (3) password parameter in the login form.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Exploit-Db
description DUforum 3.x Login Form Password Parameter SQL Injection. CVE-2004-2201. Webapps exploit for asp platform id EDB-ID:24673 last seen 2016-02-02 modified 2004-10-11 published 2004-10-11 reporter Soroosh Dalili source https://www.exploit-db.com/download/24673/ title DUforum 3.x Login Form Password Parameter SQL Injection description DUforum 3.x messageDetail.asp MSG_ID Parameter SQL Injection. CVE-2004-2201. Webapps exploit for asp platform id EDB-ID:24675 last seen 2016-02-02 modified 2004-10-11 published 2004-10-11 reporter Soroosh Dalili source https://www.exploit-db.com/download/24675/ title DUforum 3.x messageDetail.asp MSG_ID Parameter SQL Injection description DUforum 3.x messages.asp FOR_ID Parameter SQL Injection. CVE-2004-2201. Webapps exploit for asp platform id EDB-ID:24674 last seen 2016-02-02 modified 2004-10-11 published 2004-10-11 reporter Soroosh Dalili source https://www.exploit-db.com/download/24674/ title DUforum 3.x messages.asp FOR_ID Parameter SQL Injection
Nessus
NASL family | CGI abuses |
NASL id | DUWARE_MULTIPLE_FLAWS.NASL |
description | The remote host is running a product published by DUware - either DUclassmate, DUclassified or DUforum. There is a flaw in the remote version of this software that could allow an attacker to execute arbitrary SQL statements on the remote host by supplying malformed values to the arguments of /admin/, messages.asp or messagesDetails.asp. In addition, DUclassified contains a cross-site scripting vulnerability in Message Text handling. DUclassmate contains an unauthorized password manipulation issue in account.asp. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15453 |
published | 2004-10-11 |
reporter | This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15453 |
title | DUware Products Multiple Remote Vulnerabilities (SQLi, XSS) |
code |
|
References
- http://www.osvdb.org/10664
- http://www.osvdb.org/10664
- http://www.osvdb.org/10665
- http://www.osvdb.org/10665
- http://www.osvdb.org/10666
- http://www.osvdb.org/10666
- http://www.securityfocus.com/bid/11363
- http://www.securityfocus.com/bid/11363
- http://www.securitytracker.com/alerts/2004/Oct/1011595.html
- http://www.securitytracker.com/alerts/2004/Oct/1011595.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17680
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17680