Vulnerabilities > CVE-2004-2201 - Unspecified vulnerability in Duware Duforum 3.0/3.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
duware
nessus
exploit available

Summary

SQL injection vulnerability in DUware DUforum 3.0 through 3.1 allows remote attackers to execute arbitrary SQL commands via the FOR_ID parameter in messages.asp, (2) MSG_ID parameter in messageDetail.asp, or (3) password parameter in the login form.

Vulnerable Configurations

Part Description Count
Application
Duware
2

Exploit-Db

  • descriptionDUforum 3.x Login Form Password Parameter SQL Injection. CVE-2004-2201. Webapps exploit for asp platform
    idEDB-ID:24673
    last seen2016-02-02
    modified2004-10-11
    published2004-10-11
    reporterSoroosh Dalili
    sourcehttps://www.exploit-db.com/download/24673/
    titleDUforum 3.x Login Form Password Parameter SQL Injection
  • descriptionDUforum 3.x messageDetail.asp MSG_ID Parameter SQL Injection. CVE-2004-2201. Webapps exploit for asp platform
    idEDB-ID:24675
    last seen2016-02-02
    modified2004-10-11
    published2004-10-11
    reporterSoroosh Dalili
    sourcehttps://www.exploit-db.com/download/24675/
    titleDUforum 3.x messageDetail.asp MSG_ID Parameter SQL Injection
  • descriptionDUforum 3.x messages.asp FOR_ID Parameter SQL Injection. CVE-2004-2201. Webapps exploit for asp platform
    idEDB-ID:24674
    last seen2016-02-02
    modified2004-10-11
    published2004-10-11
    reporterSoroosh Dalili
    sourcehttps://www.exploit-db.com/download/24674/
    titleDUforum 3.x messages.asp FOR_ID Parameter SQL Injection

Nessus

NASL familyCGI abuses
NASL idDUWARE_MULTIPLE_FLAWS.NASL
descriptionThe remote host is running a product published by DUware - either DUclassmate, DUclassified or DUforum. There is a flaw in the remote version of this software that could allow an attacker to execute arbitrary SQL statements on the remote host by supplying malformed values to the arguments of /admin/, messages.asp or messagesDetails.asp. In addition, DUclassified contains a cross-site scripting vulnerability in Message Text handling. DUclassmate contains an unauthorized password manipulation issue in account.asp.
last seen2020-06-01
modified2020-06-02
plugin id15453
published2004-10-11
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15453
titleDUware Products Multiple Remote Vulnerabilities (SQLi, XSS)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(15453);
 script_cve_id("CVE-2004-2198", "CVE-2004-2199", "CVE-2004-2200", "CVE-2004-2201", "CVE-2004-2202");
 script_bugtraq_id(11363);
 script_version ("1.17");

 script_name(english:"DUware Products Multiple Remote Vulnerabilities (SQLi, XSS)");
 script_set_attribute(attribute:"synopsis", value:
"The remote service is vulnerable to several flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a product published by DUware - either
DUclassmate, DUclassified or DUforum.

There is a flaw in the remote version of this software that could allow
an attacker to execute arbitrary SQL statements on the remote host by
supplying malformed values to the arguments of /admin/, messages.asp or
messagesDetails.asp.

In addition, DUclassified contains a cross-site scripting vulnerability
in Message Text handling. DUclassmate contains an unauthorized password 
manipulation issue in account.asp." );
 script_set_attribute(attribute:"solution", value:
"Upgrade the newest version of this software." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/10/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/11");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Determines if the remote ASP scripts are vulnerable to SQL injection"); 
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/ASP");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if(!can_host_asp(port:port))exit(0);

urls = make_list("/index.asp?user='", "messageDetail.asp?MSG_ID='");
foreach d (cgi_dirs())
{
 foreach url (urls) 
 {
 r = http_send_recv3(method: "GET", item: d + url, port:port);
 if ( isnull(r) ) exit(0);
 if ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'" >< r[2] )
  {
  security_hole(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
  }
 }
}