CVE-2005-1250 - Unspecified vulnerability in Ipswitch WhatsUp Professional 2005 SP1

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, ipswitch, nessus, exploit available

Summary

SQL injection vulnerability in the logon screen of the web front end (NmConsole/Login.asp) for IpSwitch WhatsUp Professional 2005 SP1 allows remote attackers to execute arbitrary SQL commands via the (1) User Name field (sUserName parameter) or (2) Password (sPassword parameter).

Vulnerable Configurations

Part         Description   Count
Application  Ipswitch      1

Exploit-Db

description: Ipswitch WhatsUp Professional 2005 SP1 LOGIN.ASP SQL Injection Vulnerability. CVE-2005-1250. Webapps exploit for asp platform
id: EDB-ID:25874
last seen: 2016-02-03
modified: 2005-06-22
published: 2005-06-22
reporter: anonymous
source: https://www.exploit-db.com/download/25874/
title: Ipswitch WhatsUp Professional 2005 SP1 LOGIN.ASP SQL Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: IPSWITCH_WHATSUP_LOGIN_SQL_INJECTION.NASL
description: The remote host is running Ipswitch WhatsUp Professional, a network management and monitoring package. The web front-end for WhatsUp Professional on the remote host is prone to a SQL injection attack because it fails to sanitize the 'sUserName' and 'sPassword' parameters in the 'Login.asp' script. An attacker may be able to exploit this flaw to gain unauthenticated administrative access to the affected application. Note that the web front-end is not installed as part of a default configuration.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18552
published: 2005-06-23
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18552
title: Ipswitch WhatsUp Professional Login.asp Multiple Field SQL Injection
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18552);
  script_version("1.17");
  script_cvs_date("Date: 2018/06/13 18:56:27");

  script_cve_id("CVE-2005-1250");
  script_bugtraq_id(14039);

  script_name(english:"Ipswitch WhatsUp Professional Login.asp Multiple Field SQL Injection");
  script_summary(english:"Checks for SQL injection vulnerability in Ipswitch WhatsUp Professional's Login.asp");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP script that is vulnerable to a
SQL injection attack.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Ipswitch WhatsUp Professional, a network
management and monitoring package. 

The web front-end for WhatsUp Professional on the remote host is prone
to a SQL injection attack because it fails to sanitize the 'sUserName'
and 'sPassword' parameters in the 'Login.asp' script.  An attacker may
be able to exploit this flaw to gain unauthenticated administrative
access to the affected application. 

Note that the web front-end is not installed as part of a default
configuration.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?775cfb0d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Ipswitch WhatsUp Pro 2005 SP1a or disable its web
front-end.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/23");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:ipswitch:whatsup");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);


# If the banner indicates it's for Ipswitch...
banner = get_http_banner(port:port);
if (banner && "Server: Ipswitch" >< banner) {
  # Try to exploit the flaw.
  postdata = string(
    "sUsername=", SCRIPT_NAME, "'&",
    "sPassword=nessus&",
    "btnLogin=Log+In&",
    "bIsJavaScriptDisabled=true"
  );
  w = http_send_recv3(method: "POST", port:port,
    item: "/NmConsole/Login.asp",
    content_type: "application/x-www-form-urlencoded",
    data: postdata );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # There's a problem if we see a syntax error: the SQL Server "Unclosed
  # quotation mark" message echoed back with our marker shows the injected
  # quote reached the query unsanitized.
  if (string("quotation mark before the character string '", SCRIPT_NAME, "''") >< res) {
    security_warning(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}