Vulnerabilities > CVE-2005-2045 - SQL-Injection vulnerability in Duware Duportal PRO 3.4.3
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple SQL injection vulnerabilities in DUware DUportal PRO 3.4.3 allow remote attackers to execute arbitrary SQL commands via the (1) iChannel parameter to default.asp, (2) iData parameter to detail.asp, (3) iMem parameter to members.asp, (4) iCat parameter to cat.asp, (5) offset parameter to members_listing_approval.asp, or (6) iChannel parameter to channels_edit.asp.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
| NASL family | CGI abuses |
| NASL id | DUPORTAL_SQL_INJECTIONS2.NASL |
| description | The remote host is running DUportal Pro, an ASP-based product suite from DUware for building web portals / online communities. The installed version of DUportal Pro fails to properly sanitize user- supplied input in several instances before using it in SQL queries. By exploiting these flaws, an attacker can affect database queries, possibly disclosing sensitive data and launching attacks against the underlying database. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 18569 |
| published | 2005-06-28 |
| reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/18569 |
| title | DUportal Pro Multiple Scripts SQL Injection (2) |