Vulnerabilities > CVE-2005-0368 - SQL Injection vulnerability in CMScore

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
chipmunk-scripts
nessus
exploit available
NVD
Published: 2005-05-02
Updated: 2017-07-11

Summary

Multiple SQL injection vulnerabilities in CMScore allow remote attackers to execute arbitrary SQL commands via the (1) EntryID or (2) searchterm parameter to index.php, or (3) username parameter to authenticate.php.

Vulnerable Configurations

Part Description Count
Application
Chipmunk_Scripts
1

Exploit-Db

descriptionCMScore SQL Injection Exploit. CVE-2005-0368. Webapps exploit for php platform
idEDB-ID:808
last seen2016-01-31
modified2005-02-10
published2005-02-10
reporterGHC
sourcehttps://www.exploit-db.com/download/808/
titleCMScore SQL Injection Exploit

Nessus

NASL familyCGI abuses
NASL idCHIPMONK_CMSCORE_SQL.NASL
descriptionThe remote host is running Chipmunk CMScore, a web-based software written in PHP. The remote version of this software is affected by several SQL injection vulnerabilities that may allow an attacker to execute arbitrary SQL statements using the remote SQL database.
last seen2020-06-01
modified2020-06-02
plugin id16320
published2005-02-08
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/16320
titleChipmunk CMScore Multiple Script SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
 script_id(16320);
 script_cve_id("CVE-2005-0368");
 script_bugtraq_id(12457);
 
 script_version ("1.21");
 script_name(english:"Chipmunk CMScore Multiple Script SQL Injection");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple SQL injection vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Chipmunk CMScore, a web-based software
written in PHP. 

The remote version of this software is affected by several SQL
injection vulnerabilities that may allow an attacker to execute
arbitrary SQL statements using the remote SQL database." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Feb/87" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/08");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/05");
 script_cvs_date("Date: 2018/11/15 20:50:16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
 script_summary(english:"Checks if Chipmunk CMScore is vulnerable to a SQL injection attack");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencie("http_version.nasl", "cross_site_scripting.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

# The script code starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if(!get_port_state(port)) exit(0);
if(!can_host_php(port:port)) exit(0);

foreach dir ( cgi_dirs() )
{
 if ( is_cgi_installed3(item:dir + "/index.php", port:port) )
 {
   r = http_send_recv3( port: port, method: 'POST', item: dir + "/index.php", 
 data: "searchterm='&submit=submit",
 add_headers: make_array("Content-Type", "application/x-www-form-urlencoded") );

   if (isnull(r)) exit(0);
   if ("<table border='0' width='90%'><tr><td valign='top' width='75%' align='center'><br><br>dies" >< r[2] )
   {
     security_hole(port);
     set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
     exit(0);
   }
  }
}

References