Vulnerabilities > CVE-2005-1615 - SQL Injection vulnerability in Ultimate PHP Board ViewForum.PHP

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ultimate-php-board
nessus
exploit available

Summary

viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 may allow remote attackers to read sensitive data via the postorder parameter, which is not properly handled by textdb.inc.php, possibly due to a SQL injection vulnerability.

Exploit-Db

description: Ultimate PHP Board 1.8/1.9 ViewForum.PHP SQL Injection Vulnerability. CVE-2005-1615. Webapps exploit for php platform
id: EDB-ID:25655
last seen: 2016-02-03
modified: 2005-05-13
published: 2005-05-13
reporter: Morinex Eneco
source: https://www.exploit-db.com/download/25655/
title: Ultimate PHP Board 1.8/1.9 ViewForum.PHP SQL Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: UPD_XSS_SQL_INJECTION.NASL
description: The remote host is running Ultimate PHP Board (UPB). The remote version of this software is vulnerable to cross-site scripting attacks and SQL injection flaws. Using a specially crafted URL, an attacker may execute arbitrary commands against the remote SQL database or use the remote server to set up a cross-site scripting attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18260
published: 2005-05-14
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18260
title: Ultimate PHP Board < 1.9.7 viewforum.php Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script stops at exit(0).
# No traffic is sent to the target from this block.
if (description) {
  # --- Identity and cross-references ---
  script_id(18260);
  script_version("1.20");

  script_cve_id("CVE-2005-1614", "CVE-2005-1615", "CVE-2005-1616");
  script_bugtraq_id(13621, 13622);

  script_name(english:"Ultimate PHP Board < 1.9.7 viewforum.php Multiple Vulnerabilities");

  # --- Human-readable report text ---
  script_set_attribute(attribute:"synopsis", value:"A web application on the remote host has multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Ultimate PHP Board (UPB).  The remote
version of this software is vulnerable to cross-site scripting
attacks, and SQL injection flaws.

Using a specially crafted URL, an attacker may execute arbitrary
commands against the remote SQL database or use the remote server to
set up a cross-site scripting attack.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/May/164");
  script_set_attribute(attribute:"solution", value:"Upgrade to UPB 1.9.7 or later.");

  # --- Scoring ---
  # Base vector: network reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector: E:POC (proof-of-concept exists), official fix, confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): "false" disagrees with E:POC in the temporal vector above,
  # and public exploit code is listed for CVE-2005-1615 (EDB-ID:25655).
  # Confirm before using this field to prioritise remediation.
  script_set_attribute(attribute:"exploit_available", value:"false");
  # NOTE(review): CWE-20, CWE-74 and CWE-79 describe the reported weakness
  # classes; the other IDs look like CWE category/view entries. CWE-89
  # (SQL injection) is absent although the plugin reports SQL injection.
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # --- Dates and plugin type ---
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for UPB");

  # ACT_GATHER_INFO: the check only collects information from the target.
  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # --- Scheduling constraints ---
  # Runs after service discovery and HTTP fingerprinting, only against web
  # ports, only when CGI scanning is enabled and the "www/PHP" key is set.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

# The script code starts here

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

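# Detection phase.
#
# This is a banner/version check only: it fetches index.php from each known
# CGI directory and compares the "Powered by UPB Version" footer against the
# affected range (< 1.9.7). It never sends the postorder parameter or any
# other injection input, so:
#   - an install with the footer removed or edited will not be reported;
#   - an install patched without a version bump will still be reported.
# Confirm findings against the deployed code before closing or escalating.

port = get_http_port(default:80, embedded:TRUE);

# Skip closed ports and servers that do not appear to run PHP.
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

foreach d (cgi_dirs())
{
  req = http_get(item:string(d, "/index.php"), port:port);
  res = http_keepalive_send_recv(port:port, data:req);

  # No response at all: stop rather than keep probing the remaining
  # directories.
  if (res == NULL) exit(0);

  # Affected versions: 0.x, 1.0-1.8, bare 1.9, and 1.9.0-1.9.6.
  #
  # Fix: the bare-1.9 alternative used to be `9[^0-9]`, which also accepts
  # a dot after the 9 and therefore matched "1.9.7" and every later 1.9.x
  # release, flagging hosts that had already applied the documented
  # solution. It now excludes the dot (`9[^0-9.]`), and the dotted
  # alternative starts at 0 (`9\.[0-6]`) so 1.9.0 is still covered.
  if (egrep(pattern:"Powered by UPB Version :.* (0\.|1\.([0-8][^0-9]|9[^0-9.]|9\.[0-6][^0-9]))", string:res))
  {
    security_hole(port);

    # These KB flags are set from the version match alone; other plugins
    # that read them inherit the same banner-based confidence level.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}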