Vulnerabilities > CVE-2005-1417 - SQL Injection vulnerability in MaxWebPortal

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

maxwebportal

nessus

exploit available

NVD

Published: 2005-05-03

Updated: 2008-09-05

Summary

Multiple SQL injection vulnerabilities in MaxWebPortal 2.x, 1.35, and other versions allow remote attackers to execute arbitrary SQL commands via (1) article_popular.asp, (2) arguments to dl_popular.asp, (3) arguments to links_popular.asp, (4) arguments to pic_popular.asp, (5) article_rate.asp, (6) dl_rate.asp, (7) links_rate.asp, (8) pic_rates.asp, (9) article_toprated.asp, (10) dl_toprated.asp, (11) links_toprated.asp, (12) arguments to pic_toprated.asp, or (13) the TOPIC_ID or Forum_ID parameters to custom_link.asp. The vulnerabilities have been partially fixed in versions 1.3.5 and 2.0. The remaining vulnerabilities will reportedly be fixed in the upcoming 2.1 version.

Vulnerable Configurations

Part	Description	Count
Application	Maxwebportal Maxwebportal Maxwebportal 1.3.0 Maxwebportal Maxwebportal 1.3.1 Maxwebportal Maxwebportal 1.3.2 Maxwebportal Maxwebportal 1.3.3 Maxwebportal Maxwebportal 1.3.5 Maxwebportal Maxwebportal 2.0	6

Exploit-Db

description	MaxWebPortal 1.3 custom_link.asp Multiple Parameter SQL Injection. CVE-2005-1417. Webapps exploit for asp platform
id	EDB-ID:25589
last seen	2016-02-03
modified	2005-05-02
published	2005-05-02
reporter	s-dalili
source	https://www.exploit-db.com/download/25589/
title	MaxWebPortal 1.3 custom_link.asp Multiple Parameter SQL Injection

description	MaxWebPortal 1.3 dl_popular.asp SQL Injection. CVE-2005-1417. Webapps exploit for asp platform
id	EDB-ID:25585
last seen	2016-02-03
modified	2005-05-02
published	2005-05-02
reporter	s-dalili
source	https://www.exploit-db.com/download/25585/
title	MaxWebPortal 1.3 dl_popular.asp SQL Injection

description	MaxWebPortal 1.3 links_popular.asp SQL Injection. CVE-2005-1417 . Webapps exploit for asp platform
id	EDB-ID:25586
last seen	2016-02-03
modified	2005-05-02
published	2005-05-02
reporter	s-dalili
source	https://www.exploit-db.com/download/25586/
title	MaxWebPortal 1.3 links_popular.asp SQL Injection

Nessus

NASL family	CGI abuses
NASL id	MAXWEBPORTAL_EVENTS_AND_LINKS_VULNS.NASL
description	The remote host is running a version of MaxWebPortal that is prone to multiple input validation vulnerabilities: - Multiple SQL Injection Vulnerabilities An attacker can inject SQL statements via various scripts to manipulate database queries. - A Cross-Site Scripting Vulnerability An attacker can pass arbitrary HTML and script code via the
last seen	2020-06-01
modified	2020-06-02
plugin id	17688
published	2005-04-02
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/17688
title	MaxWebPortal <= 1.33 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17688); script_version("1.21"); script_cve_id("CVE-2005-1016", "CVE-2005-1017", "CVE-2005-1417"); script_bugtraq_id(12968, 13466); name["english"] = "MaxWebPortal <= 1.33 Multiple Vulnerabilities"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote web server contains an ASP application that is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host is running a version of MaxWebPortal that is prone to multiple input validation vulnerabilities: - Multiple SQL Injection Vulnerabilities An attacker can inject SQL statements via various scripts to manipulate database queries. - A Cross-Site Scripting Vulnerability An attacker can pass arbitrary HTML and script code via the 'banner' parameter of the 'links_add_form.asp' script to be executed by a user's browser in the context of the affected website whenever he views the malicious link." ); script_set_attribute(attribute:"see_also", value:"http://www.hackerscenter.com/archive/view.asp?id=1807" ); script_set_attribute(attribute:"solution", value: "Unknown at this time." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(89); script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/02"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/01"); script_cvs_date("Date: 2018/06/13 18:56:28"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Checks for multiple vulnerabilities in MaxWebPortal <= 1.33"); script_category(ACT_MIXED_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_dependencie("cross_site_scripting.nasl", "http_version.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/ASP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if (!can_host_asp(port:port)) exit(0, "The web server on port "+port+" does not support ASP"); # Some variables to use when trying an exploit. # - a url to submit. # nb: gettimeofday() ensures the URL is unique (otherwise, # MaxWebPortal will reject the submission). new_url = string("http://www.example.com/", gettimeofday()); # - the submitter's email address. from = get_kb_item("SMTP/headers/From"); if (!from) from = "[email protected]"; # - a simple alert to display "Nessus was here". xss = "<script>alert('Nessus was here');</script>"; # nb: the url-encoded version is what we need to pass in. exss = "%3Cscript%3Ealert('Nessus%20was%20here')%3B%3C%2Fscript%3E"; # Check various directories for MaxWebPortal. foreach dir (cgi_dirs()) { # Pull up the link add page. w = http_send_recv3(method:"GET", item:string(dir, "/links_add_form.asp"), port:port, exit_on_fail: 1); res = w[2]; # If safe checks are enabled... if (safe_checks()) { # Test the version number. # # nb: a more complete version number can be found in "site_info.asp". if (egrep(string:res, pattern:'<title="Powered By: MaxWebPortal.info Version 1\\.([0-2]\|3[0-3])', icase:TRUE)) { security_hole(port); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); exit(0); } } # Else try the exploit as long as the server itself isn't # vulnerable to XSS attacks. # # nb: this will not catch those forums that don't accept submissions # or accept them only from logged-in users. else if (!get_kb_item("www/"+port+"/generic_xss")) { # We need an existing category. pat = 'option value="([0-9]+)">'; matches = egrep(pattern:pat, string:res, icase:TRUE); foreach match (split(matches)) { match = chomp(match); cat = eregmatch(pattern:pat, string:match, icase:TRUE); if (!isnull(cat)) { cat = cat[1]; break; } } # If we don't have one, take a wild guess. if (isnull(cat)) cat = 2; postdata = string( "cat=", cat, "&", "name=Nessus+Plugin+Test&", "url=", new_url, "&", "mail=", from, "&", "des=Generated+automatically+by+", SCRIPT_NAME, "&", "key=&", "banner=%3E", exss, "&", "B1=Submit" ); w = http_send_recv3(method:"POST", port: port, item: dir+"/links_add_url.asp", content_type: "application/x-www-form-urlencoded", exit_on_fail: 1, data: postdata); # If we see our exploit, there's a problem. if (xss >< res) { security_hole(port); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); exit(0); } } }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References