Vulnerabilities > CVE-2005-1417 - SQL Injection vulnerability in MaxWebPortal

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
maxwebportal
nessus
exploit available

Summary

Multiple SQL injection vulnerabilities in MaxWebPortal 2.x, 1.35, and other versions allow remote attackers to execute arbitrary SQL commands via (1) article_popular.asp, (2) arguments to dl_popular.asp, (3) arguments to links_popular.asp, (4) arguments to pic_popular.asp, (5) article_rate.asp, (6) dl_rate.asp, (7) links_rate.asp, (8) pic_rates.asp, (9) article_toprated.asp, (10) dl_toprated.asp, (11) links_toprated.asp, (12) arguments to pic_toprated.asp, or (13) the TOPIC_ID or Forum_ID parameters to custom_link.asp. The vulnerabilities have been partially fixed in versions 1.3.5 and 2.0. The remaining vulnerabilities will reportedly be fixed in the upcoming 2.1 version.

Exploit-Db

  • descriptionMaxWebPortal 1.3 custom_link.asp Multiple Parameter SQL Injection. CVE-2005-1417. Webapps exploit for asp platform
    idEDB-ID:25589
    last seen2016-02-03
    modified2005-05-02
    published2005-05-02
    reporters-dalili
    sourcehttps://www.exploit-db.com/download/25589/
    titleMaxWebPortal 1.3 custom_link.asp Multiple Parameter SQL Injection
  • descriptionMaxWebPortal 1.3 dl_popular.asp SQL Injection. CVE-2005-1417. Webapps exploit for asp platform
    idEDB-ID:25585
    last seen2016-02-03
    modified2005-05-02
    published2005-05-02
    reporters-dalili
    sourcehttps://www.exploit-db.com/download/25585/
    titleMaxWebPortal 1.3 dl_popular.asp SQL Injection
  • descriptionMaxWebPortal 1.3 links_popular.asp SQL Injection. CVE-2005-1417 . Webapps exploit for asp platform
    idEDB-ID:25586
    last seen2016-02-03
    modified2005-05-02
    published2005-05-02
    reporters-dalili
    sourcehttps://www.exploit-db.com/download/25586/
    titleMaxWebPortal 1.3 links_popular.asp SQL Injection

Nessus

NASL familyCGI abuses
NASL idMAXWEBPORTAL_EVENTS_AND_LINKS_VULNS.NASL
descriptionThe remote host is running a version of MaxWebPortal that is prone to multiple input validation vulnerabilities: - Multiple SQL Injection Vulnerabilities An attacker can inject SQL statements via various scripts to manipulate database queries. - A Cross-Site Scripting Vulnerability An attacker can pass arbitrary HTML and script code via the
last seen2020-06-01
modified2020-06-02
plugin id17688
published2005-04-02
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/17688
titleMaxWebPortal <= 1.33 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(17688);
  script_version("1.21");

  script_cve_id("CVE-2005-1016", "CVE-2005-1017", "CVE-2005-1417");
  script_bugtraq_id(12968, 13466);

  name["english"] = "MaxWebPortal <= 1.33 Multiple Vulnerabilities";
  script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of MaxWebPortal that is prone to
multiple input validation vulnerabilities:

  - Multiple SQL Injection Vulnerabilities
    An attacker can inject SQL statements via various scripts 
    to manipulate database queries.

  - A Cross-Site Scripting Vulnerability
    An attacker can pass arbitrary HTML and script code via
    the 'banner' parameter of the 'links_add_form.asp' script
    to be executed by a user's browser in the context of the
    affected website whenever he views the malicious link." );
 script_set_attribute(attribute:"see_also", value:"http://www.hackerscenter.com/archive/view.asp?id=1807" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(89);
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/02");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/01");
 script_cvs_date("Date: 2018/06/13 18:56:28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_summary(english:"Checks for multiple vulnerabilities in MaxWebPortal <= 1.33");
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencie("cross_site_scripting.nasl", "http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0, "The web server on port "+port+" does not support ASP");


# Some variables to use when trying an exploit.
# - a url to submit.
#   nb: gettimeofday() ensures the URL is unique (otherwise,
#       MaxWebPortal will reject the submission).
new_url = string("http://www.example.com/", gettimeofday());
# - the submitter's email address.
from = get_kb_item("SMTP/headers/From");
if (!from) from = "[email protected]";
# - a simple alert to display "Nessus was here".
xss = "<script>alert('Nessus was here');</script>";
#   nb: the url-encoded version is what we need to pass in.
exss = "%3Cscript%3Ealert('Nessus%20was%20here')%3B%3C%2Fscript%3E";


# Check various directories for MaxWebPortal.
foreach dir (cgi_dirs()) {
  # Pull up the link add page.
  w = http_send_recv3(method:"GET", item:string(dir, "/links_add_form.asp"), port:port, exit_on_fail: 1);
  res = w[2];

  # If safe checks are enabled...
  if (safe_checks()) {
    # Test the version number.
    #
    # nb: a more complete version number can be found in "site_info.asp".
    if (egrep(string:res, pattern:'<title="Powered By: MaxWebPortal.info Version 1\\.([0-2]|3[0-3])', icase:TRUE)) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
  # Else try the exploit as long as the server itself isn't 
  # vulnerable to XSS attacks.
  #
  # nb: this will not catch those forums that don't accept submissions
  #     or accept them only from logged-in users.
  else if (!get_kb_item("www/"+port+"/generic_xss")) {
    # We need an existing category.
    pat = 'option value="([0-9]+)">';
    matches = egrep(pattern:pat, string:res, icase:TRUE);
    foreach match (split(matches)) {
      match = chomp(match);
      cat = eregmatch(pattern:pat, string:match, icase:TRUE);
      if (!isnull(cat)) {
        cat = cat[1];
        break;
      }
    }
    # If we don't have one, take a wild guess.
    if (isnull(cat)) cat = 2;

    postdata = string(
      "cat=", cat, "&",
      "name=Nessus+Plugin+Test&",
      "url=", new_url, "&",
      "mail=", from, "&",
      "des=Generated+automatically+by+", SCRIPT_NAME, "&",
      "key=&",
      "banner=%3E", exss, "&",
      "B1=Submit"
    );
    w = http_send_recv3(method:"POST",  port: port,
      item: dir+"/links_add_url.asp", 
      content_type: "application/x-www-form-urlencoded",
      exit_on_fail: 1, data: postdata);

    # If we see our exploit, there's a problem.
    if (xss >< res) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}