Vulnerabilities > CVE-2005-1612 - SQL Injection vulnerability in Openbb 1.0.8

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
openbb
nessus
exploit available

Summary

SQL injection vulnerability in read.php in Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to execute arbitrary SQL commands via the TID parameter.

Vulnerable Configurations

Part Description Count
Application
Openbb
1

Exploit-Db

description: OpenBB 1.0.8 Read.PHP SQL Injection Vulnerability. CVE-2005-1612. Webapps exploit for php platform
id: EDB-ID:25656
last seen: 2016-02-03
modified: 2005-05-13
published: 2005-05-13
reporter: Megasky
source: https://www.exploit-db.com/download/25656/
title: OpenBB 1.0.8 Read.PHP SQL Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: OPENBB_FLAWS.NASL
description: The remote host seems to be running OpenBB, a forum management system written in PHP. The remote version of this software is vulnerable to cross-site scripting attacks and SQL injection flaws. Using a specially crafted URL, an attacker may execute arbitrary commands against the remote SQL database or use the remote server to set up a cross-site scripting attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18259
published: 2005-05-14
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18259
title: OpenBB < 1.0.9 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: when the scanner loads the script in "description"
# mode, only this block runs. It declares the plugin's identity, the
# advisories it covers, its report text and its scheduling requirements,
# then exits without touching the target.
if (description)
{
  # Identity and advisory references.
  script_id(18259);
  script_version("1.17");

  script_cve_id("CVE-2005-1612", "CVE-2005-1613");
  script_bugtraq_id(13624, 13625);

  script_name(english:"OpenBB < 1.0.9 Multiple Vulnerabilities");

  # Report text shown to the operator. The string contents (including the
  # embedded line breaks) are part of the plugin output.
  script_set_attribute(attribute:"synopsis", value:"A remote web application is vulnerable to several flaws.");
  script_set_attribute(attribute:"description", value:"The remote host seems to be running OpenBB, a forum management system 
written in PHP.

The remote version of this software is vulnerable to cross-site 
scripting attacks, and SQL injection flaws.

Using a specially crafted URL, an attacker may execute arbitrary 
commands against the remote SQL database or use the remote server to set
up a cross-site scripting attack.");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 1.0.9 of this software or newer");

  # Risk scoring: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): recorded as "false" although the temporal vector above
  # carries E:POC -- confirm which of the two is intended.
  script_set_attribute(attribute:"exploit_available", value:"false");
  # NOTE(review): the list contains 79 (XSS) but not 89 (SQL injection),
  # while CVE-2005-1612 is a SQL injection -- confirm the mapping.
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Dates and plugin type; script_end_attributes() closes the attribute list.
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Scheduling: an information-gathering check that needs a web port and
  # the www/PHP knowledge-base key, runs after http_version.nasl, and is
  # skipped when CGI scanning is disabled.
  script_summary(english:"Detects openBB version");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

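# Detection body: fetch index.php from each known CGI directory and look
# for the OpenBB "Powered by" banner carrying a version below 1.0.9.
#
# The check is banner-based only: it sends a plain GET for index.php and
# never exercises the SQL injection or XSS itself. A site that hides or
# edits the banner will not be flagged, and an install that was patched
# without changing the displayed version will be. Treat a hit as
# "version looks vulnerable" and confirm against the installed release.

port = get_http_port(default:80, embedded:TRUE);

# Nothing to do if the port is closed or the server cannot run PHP.
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

# Skip hosts already marked in the knowledge base as generically XSS-prone
# (presumably to avoid redundant or unreliable findings -- confirm).
if (get_kb_item("www/" + port + "/generic_xss")) exit(0);

foreach d (cgi_dirs())
{
  req = http_get(item:string(d, "/index.php"), port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);

  # No response at all: stop the whole check instead of probing further
  # directories on a server that is not answering.
  if (res == NULL) exit(0);

  # Version match: "1.0" followed by a non-digit, or "1.0.0" .. "1.0.8"
  # followed by a non-digit, then "<br>".
  # multiline:TRUE makes ereg() search the entire response body; without
  # it ereg() only examines the text up to the first line break, so a
  # banner anywhere below the first line of the page would be missed.
  if (ereg(pattern:'Powered by <a href="http://www.openbb.com/" target="_blank">Open Bulletin Board</a>[^0-9]*1\\.(0[^0-9]|0\\.[0-8][^0-9])<br>', string:res, multiline:TRUE))
  {
    security_hole(port);
    # Record both flaw classes for this port in the knowledge base.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}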