Vulnerabilities > CVE-2005-2398 - SQL Injection vulnerability in PHP Surveyor PHP Surveyor 0.98

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
php-surveyor
nessus
NVD
Published: 2005-07-27
Updated: 2017-07-11

Summary

Multiple SQL injection vulnerabilities in PHP Surveyor 0.98 allows remote attackers to execute arbitrary SQL commands via (1) the sid, start, and id parameters to browse.php, the sid parameter to (2) dataentry.php, (3) export.php, (4) admin.php, (5) conditions.php, (6) spss.php, (7) deletesurvey.php, (8) dumpsurvey.php, or (9) statistics.php, or the lid parameter to (10) labels.php or (11) dumplabel.php.

Vulnerable Configurations

Part Description Count
Application
Php_Surveyor
1

Nessus

NASL familyCGI abuses
NASL idPHP_SURVEYOR_XSS_SQL.NASL
descriptionThe remote host is running PHP Surveyor, a set of PHP scripts used to develop, publish and collect responses from surveys. The remote version of this software contains multiple vulnerabilities that can lead to SQL injection, path disclosure and cross-site scripting.
last seen2020-06-01
modified2020-06-02
plugin id19494
published2005-08-24
reporterCopyright (C) 2005-2018 Josh Zlatin-Amishav
sourcehttps://www.tenable.com/plugins/nessus/19494
titlePHP Surveyor Multiple Vulnerabilities
code
#
# Josh Zlatin-Amishav GPLv2 


include("compat.inc");

if(description)
{
 script_id(19494);
 script_version ("1.18");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id(
  "CVE-2005-2380", 
  "CVE-2005-2381", 
  "CVE-2005-2398", 
  "CVE-2005-2399"
 );
 script_bugtraq_id(14329, 14331);

 script_name(english:"PHP Surveyor Multiple Vulnerabilities");
 script_summary(english:"Checks for SQL injection in admin.php");

 script_set_attribute(attribute:"synopsis", value:
"A remote web application is affected by multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running PHP Surveyor, a set of PHP scripts used to
develop, publish and collect responses from surveys. 

The remote version of this software contains multiple vulnerabilities
that can lead to SQL injection, path disclosure and cross-site
scripting." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/405735" );
 script_set_attribute(attribute:"solution", value:"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/24");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/19");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe",value:"cpe:/a:phpsurveyor:phpsurveyor");
 script_end_attributes();

 script_category(ACT_ATTACK);

 script_family(english:"CGI abuses");
 script_copyright(english:"Copyright (C) 2005-2020 Josh Zlatin-Amishav");

 script_dependencies("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("url_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port)) exit(0);

foreach dir ( cgi_dirs() )
{
 req = http_get(
   item:string(
     dir, "/admin/admin.php?",
     "sid='"
   ), 
   port:port
 );
 res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);

 if ( ("<title>PHP Surveyor</title>" >< res) && ("not a valid MySQL result" >< res))
 {
        security_hole(port);
	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
        exit(0);
 }
}

References