Vulnerabilities > CVE-2005-2048 - Unspecified vulnerability in Duware Duforum 3.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
duware
nessus
exploit available

Summary

Multiple SQL injection vulnerabilities in DUware DUforum 3.1, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via the (1) iMsg parameter to messages.asp, iFor parameter to (2) post.asp or (3) forums.asp, or (4) id parameter to userEdit.asp. NOTE: vectors 1 and 3 were later reported to affect version 3.0.

Vulnerable Configurations

Part Description Count
Application
Duware
1

Exploit-Db

  • descriptionDUware DUforum 3.0/3.1 forums.asp iFor Parameter SQL Injection. CVE-2005-2048. Webapps exploit for asp platform
    idEDB-ID:25870
    last seen2016-02-03
    modified2005-06-22
    published2005-06-22
    reporterDedi Dwianto
    sourcehttps://www.exploit-db.com/download/25870/
    titleDUware DUforum 3.0/3.1 forums.asp iFor Parameter SQL Injection
  • descriptionDUware DUforum 3.0/3.1 messages.asp iMsg Parameter SQL Injection. CVE-2005-2048 . Webapps exploit for asp platform
    idEDB-ID:25868
    last seen2016-02-03
    modified2005-06-22
    published2005-06-22
    reporterDedi Dwianto
    sourcehttps://www.exploit-db.com/download/25868/
    titleDUware DUforum 3.0/3.1 messages.asp iMsg Parameter SQL Injection
  • descriptionDUware DUforum 3.0/3.1 post.asp iFor Parameter SQL Injection. CVE-2005-2048. Webapps exploit for asp platform
    idEDB-ID:25869
    last seen2016-02-03
    modified2005-06-22
    published2005-06-22
    reporterDedi Dwianto
    sourcehttps://www.exploit-db.com/download/25869/
    titleDUware DUforum 3.0/3.1 post.asp iFor Parameter SQL Injection

Nessus

NASL familyCGI abuses
NASL idDUFORUM_SQL_INJECTIONS.NASL
descriptionThe remote host is running DUforum, a web-based message board written in ASP from DUware. The installed version of DUforum fails to properly sanitize user- supplied input in several instances before using it in SQL queries. By exploiting these flaws, an attacker can affect database queries, possibly disclosing sensitive data and launching attacks against the underlying database.
last seen2020-06-01
modified2020-06-02
plugin id18567
published2005-06-28
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18567
titleDUforum Multiple Scripts SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(18567);
  script_version("1.15");

  script_cve_id("CVE-2005-2048");
  script_bugtraq_id(14035);

  script_name(english:"DUforum Multiple Scripts SQL Injection");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that is vulnerable
to multiple SQL injection attacks." );
 script_set_attribute(attribute:"description", value:
"The remote host is running DUforum, a web-based message board written
in ASP from DUware. 

The installed version of DUforum fails to properly sanitize user-
supplied input in several instances before using it in SQL queries. 
By exploiting these flaws, an attacker can affect database queries,
possibly disclosing sensitive data and launching attacks against the
underlying database." );
 script_set_attribute(attribute:"see_also", value:"http://echo.or.id/adv/adv19-theday-2005.txt" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jun/175" );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/22");
 script_cvs_date("Date: 2018/11/15 20:50:16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  summary["english"] = "Checks for multiple SQL injection vulnerabilities in DUforum";
  script_summary(english:summary["english"]);
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0);


# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  # Try to exploit one of the flaws.
  u = string(
      dir, "/forums.asp?",
      "iFor=", SCRIPT_NAME, "'"
    );
  r = http_send_recv3(port:port, method: "GET", item: u);
  if (isnull(r)) exit(0);

  # There's a problem if...
  if (
    # it looks like DUforum and...
    'href="assets/DUforum.css" rel="stylesheet"' >< r[2] && 
    # there's a syntax error.
    string("Syntax error in string in query expression 'FOR_ID = ", SCRIPT_NAME, "'") >< r[2]
  ) {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}