Vulnerabilities > CVE-2005-2989 - SQL Injection vulnerability in Deluxebb 1.0/1.05

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
deluxebb
nessus
exploit available
NVD
Published: 2005-09-20
Updated: 2011-03-08

Summary

Multiple SQL injection vulnerabilities in DeluxeBB 1.0 and 1.0.5 allow remote attackers to execute arbitrary SQL commands via the (1) tid parameter to topic.php, the uid parameter to (2) misc.php or (3) pm.php, or the fid parameter to (3) forums.php or (4) newpost.php.

Vulnerable Configurations

Part Description Count
Application
Deluxebb
2

Exploit-Db

  • descriptionDeluxeBB 1.0 forums.php fid Parameter SQL Injection. CVE-2005-2989. Webapps exploit for php platform
    idEDB-ID:26266
    last seen2016-02-03
    modified2005-09-15
    published2005-09-15
    reporterabducter
    sourcehttps://www.exploit-db.com/download/26266/
    titleDeluxeBB 1.0 forums.php fid Parameter SQL Injection
  • descriptionDeluxeBB 1.0 topic.php tid Parameter SQL Injection. CVE-2005-2989. Webapps exploit for php platform
    idEDB-ID:26264
    last seen2016-02-03
    modified2005-09-15
    published2005-09-15
    reporterabducter
    sourcehttps://www.exploit-db.com/download/26264/
    titleDeluxeBB 1.0 topic.php tid Parameter SQL Injection
  • descriptionDeluxeBB 1.0 pm.php uid Parameter SQL Injection. CVE-2005-2989. Webapps exploit for php platform
    idEDB-ID:26267
    last seen2016-02-03
    modified2005-09-15
    published2005-09-15
    reporterabducter
    sourcehttps://www.exploit-db.com/download/26267/
    titleDeluxeBB 1.0 pm.php uid Parameter SQL Injection

Nessus

NASL familyCGI abuses
NASL idDELUXEBB_SQL_INJECTION.NASL
descriptionThe remote host is using DeluxeBB, a web application forum written in PHP. The installed version of this software fails to sanitize input to several parameters and scripts before using it to generate SQL queries. Provided PHP
last seen2020-06-01
modified2020-06-02
plugin id19750
published2005-09-19
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19750
titleDeluxeBB Multiple Scripts SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(19750);
 script_version("1.19");

 script_cve_id("CVE-2005-2989");
 script_bugtraq_id(14851);
 script_xref(name:"Secunia", value:"16819");
 
 script_name(english:"DeluxeBB Multiple Scripts SQL Injection");
 script_summary(english:"Checks DeluxeBB version");

 script_set_attribute(attribute:"synopsis", value:
"The remote host contains a PHP application that is affected by
multiple SQL injection flaws.");
 script_set_attribute(attribute:"description", value:
"The remote host is using DeluxeBB, a web application forum written in
PHP. 

The installed version of this software fails to sanitize input to
several parameters and scripts before using it to generate SQL
queries.  Provided PHP's 'magic_quotes_gpc' setting is disabled, an
attacker may be able to leverage these issues to manipulate database
queries.");
 script_set_attribute(attribute:"solution", value:
"Upgrade to DeluxeBB version 1.05 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value:
"2005/09/19");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/15");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);
if ( ! can_host_php(port:port) ) exit(0);

function check(loc, port)
{
 local_var r, req;

 req = http_get(item:string(loc, "/topic.php?tid='select"), port:port);
 r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
 if(isnull(r))exit(0);
 if (("Error querying the database" >< r) && ("DeluxeBB tried to execute: SELECT" >< r))
 {
   security_hole(port);
   set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
   exit(0);
 }
}

foreach dir (cgi_dirs())
{
 check(loc:dir, port:port);
}

References