Vulnerabilities > CVE-2005-1779 - Unspecified vulnerability in Maxwebportal

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
maxwebportal
nessus
exploit available

Summary

SQL injection vulnerability in password.asp in MaxWebPortal 1.35, 1.36, 2.0, and 20050418 Next allows remote attackers to execute arbitrary SQL commands via the memKey parameter.

Exploit-Db

descriptionMaxwebportal <= 1.36 password.asp Change Password Exploit (3 - perl). CVE-2005-1779. Webapps exploit for asp platform
idEDB-ID:1010
last seen2016-01-31
modified2005-05-26
published2005-05-26
reporterAlpha_Programmer
sourcehttps://www.exploit-db.com/download/1010/
titleMaxwebportal <= 1.36 password.asp Change Password Exploit 3 - perl

Nessus

NASL familyCGI abuses
NASL idMAXWEBPORTAL_MEMKEY_SQL_INJECTION.NASL
descriptionThe remote host is running a version of MaxWebPortal that fails to properly sanitize input passed through the
last seen2020-06-01
modified2020-06-02
plugin id18370
published2005-05-26
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18370
titleMaxWebPortal memKey Parameter SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(18370);
  script_version("1.14");
  script_cve_id("CVE-2005-1779");
  script_bugtraq_id(13762);

  script_name(english:"MaxWebPortal memKey Parameter SQL Injection");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP script that is vulnerable to a
SQL injection attack." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of MaxWebPortal that fails to
properly sanitize input passed through the 'memKey' parameter to the
'password.asp' script.  An attacker can exploit this flaw to modify
database queries resulting in the disclosure of sensitive information,
modification of data (for example, users' passwords) and even attacks
against the underlying database." );
 script_set_attribute(attribute:"see_also", value:"http://securitytracker.com/alerts/2005/May/1014048.html" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/26");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/24");
 script_cvs_date("Date: 2018/06/13 18:56:28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

  script_summary(english:"Checks for SQL injection vulnerability in MaxWebPortal's password.asp");
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0, "The web server on port "+port+" does not support ASP");


# Iterate through CGI directories.
foreach dir (cgi_dirs()) {
  # Pull up the password form.
  w = http_send_recv3(method:"GET", item:string(dir, "/password.asp"), port:port);
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # If it's from MaxWebPortal...
  if ("This page is generated by MaxWebPortal" >< res) {
    # Try to exploit the flaw.
    postdata = string(
      "pass=123456&",
      "pass2=123456&",
      "memId=-1&",
      # nb: this will result in a syntax error.
      "memKey=", SCRIPT_NAME, "'"
    );
    w = http_send_recv3(method:"POST", port: port,
      item: dir+"/password.asp?mode=reset",
      content_type: "application/x-www-form-urlencoded",
      data: postdata);
    if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
    res = w[2];

    if (
      (
        "<p>Microsoft OLE DB Provider for SQL Server" >< res &&
        egrep(string:res, pattern:string("Unclosed quotation mark .+'", SCRIPT_NAME), icase:TRUE)
      ) ||
      (
        "<p>Microsoft JET Database Engine</font>" >< res &&
        egrep(string:res, pattern:string("Syntax error.+M_KEY = '", SCRIPT_NAME), icase:TRUE)
      )
    ) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}