Vulnerabilities > CVE-2005-2673 - SQL Injection vulnerability in Woltlab Burning Board 2.2.2/2.2.3

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
woltlab
nessus
exploit available

Summary

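SQL injection vulnerability in modcp.php in WoltLab Burning Board 2.2.2 and 2.3.3 allows remote authenticated attackers to execute arbitrary SQL commands via the (1) x or (2) y parameters. Exploitation requires an authenticated session (the Nessus plugin text below specifies moderator privileges), so the "Privileges required: NONE" metric shown above overstates reachability; when triaging, also consider the plugin's own CVSS2 vector (AC:H/Au:S).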

Vulnerable Configurations

Part Description Count
Application
Woltlab
2

Exploit-Db

description: Woltlab Burning Board 2.x ModCP.PHP SQL Injection Vulnerability. CVE-2005-2673. Webapps exploit for php platform
id: EDB-ID:26176
last seen: 2016-02-03
modified: 2005-08-20
published: 2005-08-20
reporter: [R]
source: https://www.exploit-db.com/download/26176/
title: Woltlab Burning Board 2.x ModCP.PHP SQL Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: BURNING_BOARD_XY_SQL_INJECTION.NASL
description: The remote version of Burning Board / Burning Board Lite is prone to SQL injection attacks due to its failure to sanitize user-supplied input to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19524
published: 2005-08-30
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19524
title: Woltlab Burning Board modcp.php Multiple Parameter SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration phase: when the plugin is loaded with 'description' set, it only
# declares its metadata and exits; none of the checks further down are run.
if (description)
{
  # Plugin identity and external references.
  script_id(19524);
  script_version("1.18");

  script_cve_id("CVE-2005-2673");
  script_bugtraq_id(14617);

  script_name(english:"Woltlab Burning Board modcp.php Multiple Parameter SQL Injection");

  # Finding text shown in the report.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to SQL
injection attacks.");
  script_set_attribute(attribute:"description", value:
"The remote version of Burning Board / Burning Board Lite is prone to
SQL injection attacks due to its failure to sanitize user-supplied
input to the 'x' and 'y' parameters of the 'modcp.php' script before
using it in database queries.  Provided an attacker has moderator
privileges, these flaws may allow him to uncover sensitive information
(such as password hashes), modify existing data, and launch attacks
against the underlying database.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/408660");

  # NOTE(review): no remediation is recorded here; confirm the vendor's current
  # fixed release before closing a finding raised by this plugin.
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");

  # CVSS2 base vector: network access, high complexity, single authentication,
  # partial C/I/A. The Au:S component matches the moderator-privilege
  # precondition stated in the description above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Publication dates and revision stamp.
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/20");
  script_cvs_date("Date: 2018/11/15 20:50:16");

  # Remote check, mapped to the Burning Board CPE.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:woltlab:burning_board");
  script_end_attributes();

  # Scheduling: information-gathering category, CGI abuses family.
  script_summary(english:"Checks for SQL injection vulnerabilities in Burning Board modcp.php script");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Depends on the Burning Board detection plugin, which presumably writes the
  # KB entries read later in this script (confirm against that plugin).
  script_dependencies("burning_board_detect.nasl");

  # Skipped when CGI scanning is disabled; needs a web service and PHP on the target.
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Resolve the HTTP port to examine (falling back to 80) and stop early when
# that port is not recorded as able to serve PHP.
port = get_http_port(default:80);
php_capable = can_host_php(port:port);
if (!php_capable) exit(0);

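# Collect every Burning Board and Burning Board Lite install recorded in the
# KB for this port. The entries are presumably written by
# burning_board_detect.nasl (confirm against that plugin).
wbb = get_kb_list(string("www/", port, "/burning_board"));
wbblite = get_kb_list(string("www/", port, "/burning_board_lite"));

# Neither product was detected on this port: nothing to evaluate.
if (isnull(wbb) && isnull(wbblite)) exit(0);

# Normalise each lookup to a (possibly empty) list before merging, so that a
# missing product contributes nothing and never discards the other product's
# entries. Each lookup is handled through its own variable and the KB is
# queried only once per product.
if (isnull(wbb)) kb1 = make_list();
else kb1 = make_list(wbb);

if (isnull(wbblite)) kb2 = make_list();
else kb2 = make_list(wbblite);

installs = make_list(kb1, kb2);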
# Version-based check only: each install's recorded version string is compared
# with the affected range and no request is made to modcp.php. An install that
# was patched without changing its reported version will still be flagged, so
# treat a hit as "affected version present" rather than confirmed injection.
foreach install (installs)
{
  # Entries have the form "<version> under <path>"; anything else is skipped.
  # The captured path (second group) is not used below.
  parts = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
  if (isnull(parts)) continue;

  # The pattern is anchored at the start only, so it accepts any version
  # string beginning with 2.0 - 2.2 or 2.3.0 - 2.3.3.
  ver = parts[1];
  if (!(ver =~ "^2\.([0-2]|3\.[0-3])")) continue;

  # The first affected install is enough: raise the warning for the port,
  # record the SQL injection flag in the KB, and stop without examining the
  # remaining installs.
  security_warning(port);
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  exit(0);
}