Vulnerabilities > CVE-2004-2202 - Unspecified vulnerability in Duware Duclassified 4.0/4.1/4.2

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
duware
nessus
exploit available

Summary

Multiple SQL injection vulnerabilities in DUware DUclassified 4.0 through 4.2 allows remote attackers to bypass authentication and execute other commands on the server's underlying database via the (1) cat_id or (2) sub_id parameters in adDetail.asp, or (2) the password parameter in the login form.

Vulnerable Configurations

Part Description Count
Application
Duware
3

Exploit-Db

descriptionDUclassified 4.x adDetail.asp Multiple Parameter SQL Injection. CVE-2004-2202. Webapps exploit for asp platform
idEDB-ID:24671
last seen2016-02-02
modified2004-10-11
published2004-10-11
reporterSoroosh Dalili
sourcehttps://www.exploit-db.com/download/24671/
titleDUclassified 4.x adDetail.asp Multiple Parameter SQL Injection

Nessus

NASL familyCGI abuses
NASL idDUWARE_MULTIPLE_FLAWS.NASL
descriptionThe remote host is running a product published by DUware - either DUclassmate, DUclassified or DUforum. There is a flaw in the remote version of this software that could allow an attacker to execute arbitrary SQL statements on the remote host by supplying malformed values to the arguments of /admin/, messages.asp or messagesDetails.asp. In addition, DUclassified contains a cross-site scripting vulnerability in Message Text handling. DUclassmate contains an unauthorized password manipulation issue in account.asp.
last seen2020-06-01
modified2020-06-02
plugin id15453
published2004-10-11
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15453
titleDUware Products Multiple Remote Vulnerabilities (SQLi, XSS)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
 script_id(15453);
 script_cve_id("CVE-2004-2198", "CVE-2004-2199", "CVE-2004-2200", "CVE-2004-2201", "CVE-2004-2202");
 script_bugtraq_id(11363);
 script_version ("1.17");

 script_name(english:"DUware Products Multiple Remote Vulnerabilities (SQLi, XSS)");
 script_set_attribute(attribute:"synopsis", value:
"The remote service is vulnerable to several flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a product published by DUware - either
DUclassmate, DUclassified or DUforum.

There is a flaw in the remote version of this software that could allow
an attacker to execute arbitrary SQL statements on the remote host by
supplying malformed values to the arguments of /admin/, messages.asp or
messagesDetails.asp.

In addition, DUclassified contains a cross-site scripting vulnerability
in Message Text handling. DUclassmate contains an unauthorized password 
manipulation issue in account.asp." );
 script_set_attribute(attribute:"solution", value:
"Upgrade the newest version of this software." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/10/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/11");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Determines if the remote ASP scripts are vulnerable to SQL injection"); 
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/ASP");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if(!can_host_asp(port:port))exit(0);

urls = make_list("/index.asp?user='", "messageDetail.asp?MSG_ID='");
foreach d (cgi_dirs())
{
 foreach url (urls) 
 {
 r = http_send_recv3(method: "GET", item: d + url, port:port);
 if ( isnull(r) ) exit(0);
 if ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'" >< r[2] )
  {
  security_hole(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
  }
 }
}