Vulnerabilities > CVE-2005-1224 - SQL Injection vulnerability in Duware Duportal 3.4/Pro3.4/Sql3.4
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple SQL injection vulnerabilities in DUware DUportal Pro 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the iChannel parameter to search.asp, default.asp, result.asp, cat.asp, or detail.asp (3) the iCat parameter to cat.asp or detail.asp, (4) the iData parameter to detail.asp or result.asp, the (5) POL_ID, (6) POL_PARENT, (7) POL_CATEGORY, (8) CHA_NAME, or (9) CHA_ID parameters to inc_vote.asp, or the (10) tfm_order or (11) tfm_orderby parameters to toppages.asp, a different set of vulnerabilities than CVE-2005-1236.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Exploit-Db
description DUportal Pro 3.4 inc_vote.asp Multiple Parameter SQL Injection. CVE-2005-1224. Webapps exploit for asp platform id EDB-ID:25478 last seen 2016-02-03 modified 2005-04-20 published 2005-04-20 reporter Dcrab source https://www.exploit-db.com/download/25478/ title DUportal Pro 3.4 inc_vote.asp Multiple Parameter SQL Injection description DUportal Pro 3.4 result.asp Multiple Parameter SQL Injection. CVE-2005-1224. Webapps exploit for asp platform id EDB-ID:25479 last seen 2016-02-03 modified 2005-04-20 published 2005-04-20 reporter Dcrab source https://www.exploit-db.com/download/25479/ title DUportal Pro 3.4 result.asp Multiple Parameter SQL Injection description DUportal Pro 3.4 search.asp iChannel Parameter SQL Injection. CVE-2005-1224. Webapps exploit for asp platform id EDB-ID:25477 last seen 2016-02-03 modified 2005-04-20 published 2005-04-20 reporter Dcrab source https://www.exploit-db.com/download/25477/ title DUportal Pro 3.4 - search.asp iChannel Parameter SQL Injection description DUportal Pro 3.4 default.asp Multiple Parameter SQL Injection. CVE-2005-1224 . Webapps exploit for asp platform id EDB-ID:25476 last seen 2016-02-03 modified 2005-04-20 published 2005-04-20 reporter Dcrab source https://www.exploit-db.com/download/25476/ title DUportal Pro 3.4 default.asp Multiple Parameter SQL Injection description DUportal Pro 3.4 cat.asp Multiple Parameter SQL Injection. CVE-2005-1224. Webapps exploit for asp platform id EDB-ID:25480 last seen 2016-02-03 modified 2005-04-20 published 2005-04-20 reporter Dcrab source https://www.exploit-db.com/download/25480/ title DUportal Pro 3.4 cat.asp Multiple Parameter SQL Injection description DUportal Pro 3.4 detail.asp Multiple Parameter SQL Injection. CVE-2005-1224 . Webapps exploit for asp platform id EDB-ID:25481 last seen 2016-02-03 modified 2005-04-20 published 2005-04-20 reporter Dcrab source https://www.exploit-db.com/download/25481/ title DUportal Pro 3.4 detail.asp Multiple Parameter SQL Injection
Nessus
| NASL family | CGI abuses |
| NASL id | DUPORTAL_SQL_INJECTION.NASL |
| description | The remote host is running DUPortal, a content management system written in ASP. The remote version of this software is vulnerable to several SQL injection vulnerabilities in files |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 18120 |
| published | 2005-04-22 |
| reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/18120 |
| title | DUPortal/DUPortal Pro Multiple Scripts SQL Injection (1) |
References
- http://marc.info/?l=bugtraq&m=111401172901705&w=2
- http://secunia.com/advisories/15031
- http://www.digitalparadox.org/advisories/duppro.txt
- http://www.securiteam.com/windowsntfocus/5TP0O0AFFQ.html
- http://www.securityfocus.com/archive/1/453316/100/0/threaded
- http://www.securityfocus.com/bid/13285
- https://exchange.xforce.ibmcloud.com/vulnerabilities/20197
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30671