CVE-2005-1114
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbitrary SQL commands via the (1) mode or (2) search parameters.
Vulnerable Configurations
Nessus
NASL family CGI abuses NASL id PHPBB_PHOTO_ALBUM_XSS.NASL description The installed version of phpBB on the remote host includes a photo album module that has multiple vulnerabilities: - A SQL Injection Vulnerability An attacker can pass arbitrary SQL code through the last seen 2020-06-01 modified 2020-06-02 plugin id 18051 published 2005-04-14 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18051 title phpBB Photo Album Module <= 2.0.53 Multiple Vulnerabilities code
#
# (C) Tenable Network Security, Inc.
#
# Nessus plugin 18051: reports a phpBB install whose Photo Album module is
# version 2.0.53 or earlier (CVE-2005-1114, SQL injection in album_search.php;
# CVE-2005-1115 is also claimed, presumably for the XSS issues described in
# the attributes below). Detection is either passive (footer version banner,
# when safe checks are on) or active (one SQL-error probe, then two
# reflected-XSS probes). Every positive branch sets both the XSS and the
# SQLInjection KB keys for the port.

include("compat.inc");

if (description)
{
  script_id(18051);
  script_version("1.22");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2005-1114", "CVE-2005-1115");
  script_bugtraq_id(13157, 13158);

  script_name(english:"phpBB Photo Album Module <= 2.0.53 Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in phpBB Photo Album Module <= 2.0.53");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The installed version of phpBB on the remote host includes a photo album module that has multiple vulnerabilities: - A SQL Injection Vulnerability An attacker can pass arbitrary SQL code through the 'mode' parameter of the 'album_search.php' script to manipulate database queries. - Various Cross-Site Scripting Vulnerabilities The application fails to properly sanitize user input through the 'sid' parameter of the 'album_cat.php' and 'album_comment.php' scripts. An attacker can exploit these flaws to cause arbitrary HTML and script code to be run in a user's browser within the context of the affected website." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Apr/191" );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/14");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb");
  script_end_attributes();

  # ACT_MIXED_ATTACK: behaviour depends on safe_checks() below -- passive
  # banner match when it is on, probe requests to the target when it is off.
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # phpbb_detect.nasl supplies the www/<port>/phpBB install key read below;
  # cross_site_scripting.nasl presumably records the generic_xss key that is
  # checked before the XSS probes.
  script_dependencies("phpbb_detect.nasl", "cross_site_scripting.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/phpBB");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Test an install.
install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);
# The KB value is expected as "<version> under <dir>"; only the directory
# (matches[2]) is used -- the phpBB version is not relevant to the module check.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # If safe checks are enabled...
  if (safe_checks())
  {
    # Get the main page.
    r = http_send_recv3(method:"GET",item:string(dir, "/album.php"), port:port);
    if (isnull(r)) exit(0);
    res = r[2];

    # And check the version number embedded in the page.
    # NOTE(review): banner-only check -- a footer that was edited or left
    # stale would be missed or mis-flagged. The pattern accepts 0.x, 1.x,
    # a bare "2", 2.0.[0-4]<anything> and 2.0.5 / 2.0.50-2.0.53, matched
    # case-insensitively.
    if (egrep(
      string:res,
      # version 2.0.53 and below may be vulnerable.
      # sample version strings:
      # >Powered by Photo Album Addon 2 © 2002-2003 <a href="http://smartor.is-root.com"
      # >Powered by Photo Album Addon 2.0.5 © 2002-2003 <a href="http://smartor.is-root.com"
      # >Powered by Photo Album 2.0.51 © 2002-2003 <a href="http://smartor.is-root.com"
      # >Powered by Photo Album 2.0.53 © 2002-2003 <a href="http://smartor.is-root.com"
      pattern:'>Powered by Photo Album (Addon )?([01].*|2|2\\.0\\.([0-4].*|5[0-3]?)) © .+ <a href="http://smartor\\.is-root\\.com"',
      icase:TRUE)
    )
    {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }
  }
  # Otherwise...
  else
  {
    # Try the SQL injection first.
    r = http_send_recv3(method:"GET",
      item:string(
        dir, "/album_search.php?",
        "search=", SCRIPT_NAME, "&",
        # nb: this should just generate a syntax error. If you change this,
        # also make sure to change the pattern below.
        "mode='NESSUS"
      ),
      port:port
    );
    if (isnull(r)) exit(0);
    res = r[2];

    # There's a problem if we see a syntax error.
    # NOTE(review): this relies on the application echoing the failing query
    # in its error page; with database error display turned off the
    # injection goes unreported here (false negative) even though the
    # vulnerable code is unchanged.
    if (egrep(string:res, pattern:"SQL Error : .+ LIKE '%NESSUS"))
    {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }

    # If that failed to pick up anything, try to exploit the XSS flaws.
    # Bail out when a generic XSS finding already exists for this port
    # (presumably recorded by cross_site_scripting.nasl): a reflection would
    # not be attributable to this module.
    if (get_kb_item("www/"+port+"/generic_xss")) exit(0);

    # A simple alert to display "Nessus was here".
    xss = "<script>alert('Nessus was here');</script>";
    # nb: the url-encoded version is what we need to pass in.
    exss = "%3Cscript%3Ealert('Nessus%20was%20here')%3B%3C%2Fscript%3E";

    exploits = make_list(
      "/album_cat.php?cat_id=1&sid='%22%3E" + exss,
      "/album_comment.php?pic_id=1&sid='%22%3E" + exss
    );
    foreach exploit (exploits)
    {
      r = http_send_recv3(method:"GET", item:string(dir, exploit), port:port);
      if (isnull(r)) exit(0);
      res = r[2];

      # There's a problem if we see our XSS.
      # NOTE(review): the SQLInjection key is set on an XSS-only hit too, so
      # the two KB keys mean "vulnerable module version" rather than per-flaw
      # evidence; consumers should not treat them as independent results.
      if (xss >< res)
      {
        security_hole(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
        exit(0);
      }
    }
  }
}
NASL family CGI abuses : XSS NASL id PHPBB2PLUS_152.NASL description The remote host is running a version of phpBB2 Plus that suffers from multiple cross-site scripting flaws due to a general failure of the application and associated modules to sanitize user-supplied input. last seen 2020-06-01 modified 2020-06-02 plugin id 18573 published 2005-06-28 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18573 title phpBB2 Plus <= 1.52 Multiple XSS code
#
# (C) Tenable Network Security, Inc.
#
# Nessus plugin 18573: checks a detected phpBB install for the phpBB2 Plus
# reflected-XSS issues. The CVE list includes CVE-2005-1114 (the Photo Album
# SQL injection), but only XSS is actually tested here. One GET to
# calendar_scheduler.php carries the payload in the 'start' parameter; a hit
# requires both the phpBB2 Plus footer string and the unencoded payload in
# the response. Only the XSS KB key is set.

include("compat.inc");

if (description)
{
  script_id(18573);
  script_version("1.22");

  script_cve_id(
    "CVE-2005-1113",
    "CVE-2005-1114",
    "CVE-2005-1115",
    "CVE-2005-1116"
  );
  script_bugtraq_id(
    13149,
    13150,
    13151,
    13152,
    13153
  );

  script_name(english:"phpBB2 Plus <= 1.52 Multiple XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is vulnerable to multiple cross-site scripting attacks." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of phpBB2 Plus that suffers from multiple cross-site scripting flaws due to a general failure of the application and associated modules to sanitize user-supplied input." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Apr/191" );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/13");
  script_cvs_date("Date: 2018/11/15 20:50:20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:phpbb_group:phpbb_plus");
  script_end_attributes();

  script_summary(english:"Checks for multiple cross-site scripting vulnerabilities in phpBB Plus <= 1.52");
  # ACT_GATHER_INFO: the single probe request below is sent regardless of the
  # safe-checks setting -- there is no passive branch in this plugin.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses : XSS");

  # nb: phpbb_detect.nasl should identify installs of phpBB2 Plus
  # since it's just a modified distribution of phpBB.
  script_dependencies("phpbb_detect.nasl", "cross_site_scripting.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/phpBB");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
# Skip when a generic XSS finding already exists for this port (presumably
# recorded by cross_site_scripting.nasl): a reflection could not be
# attributed to phpBB2 Plus.
if (get_kb_item("www/"+port+"/generic_xss")) exit(0);
if (!can_host_php(port:port)) exit(0);

# A simple alert to display the script name.
xss = "<script>JavaScript:alert('" + SCRIPT_NAME + "');</script>";
# nb: the url-encoded version is what we need to pass in.
exss = "%3Cscript%3EJavaScript:alert('" + SCRIPT_NAME + "')%3B%3C%2Fscript%3E";

# Test an install.
install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);
# The KB value is expected as "<version> under <dir>"; only the directory
# (matches[2]) is used. No version comparison is made, so the "<= 1.52" in
# the plugin title is not verified against the target.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  dir = matches[2];

  # Try to exploit one of the XSS flaws.
  # d= carries the current unix time (presumably just to make the calendar
  # request well-formed). The sid value is a fixed literal rather than a
  # session obtained from the target -- NOTE(review): looks arbitrary;
  # confirm it is not expected to match anything server-side.
  r = http_send_recv3(method:"GET",
    item:string(
      dir, "/calendar_scheduler.php?",
      "d=", unixtime(), "&",
      "mode=&",
      "start=%22%3E", exss, "&",
      "sid=69bfdd7e0b7c9852d26077789afafa84"
    ),
    port:port
  );
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if...
  if (
    # it looks like phpBB2 Plus and...
    'Powered by <a href="http://www.phpbb2.de/" target="_phpbb">phpBB2 Plus' >< res &&
    # we see our exploit.
    xss >< res
  )
  {
    # Reported with security_warning (medium) rather than security_hole,
    # consistent with the integrity-only CVSS vector above.
    security_warning(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }
}