Vulnerabilities > CVE-2007-0853 - Unspecified vulnerability in Techexcel Inc. Devtrack 6.0.3

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

SQL injection vulnerability in DevTrack 6.0.3 allows remote attackers to execute arbitrary SQL commands via the Username form field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Vulnerable Configurations

Part Description Count
Application
Techexcel_Inc.
1

Nessus

NASL familyCGI abuses
NASL idDEVTRACK_USERNAME_SQL_INJECTION.NASL
descriptionThe remote host is running DevTrack, a defect and project tracking tool. The DevTrack Web Services component installed on the remote host contains an ASP script that fails to sanitize user-supplied input to the
last seen2020-06-01
modified2020-06-02
plugin id24322
published2007-02-09
reporterThis script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/24322
titleDevTrack Web Service UserName Field SQL Injection
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24322);
  script_version("1.19");

  script_cve_id("CVE-2007-0853");
  script_bugtraq_id(22460);

  script_name(english:"DevTrack Web Service UserName Field SQL Injection");
  script_summary(english:"Tries to generate a SQL error using DevTrack Web Service");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that is affected by
a SQL injection vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running DevTrack, a defect and project tracking
tool. 

The DevTrack Web Services component installed on the remote host
contains an ASP script that fails to sanitize user-supplied input to
the 'UserName' parameter before using it in a database query.  An
unauthenticated, remote attacker may be able to leverage this flaw to
manipulate SQL queries and uncover sensitive information, modify data,
or even launch attacks against the underlying database." );
 script_set_attribute(attribute:"solution", value:
"The vendor is rumoured to be incorporating a fix into DevTrack version
6.2." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/09");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/08");
 script_cvs_date("Date: 2018/11/28 22:47:41");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:techexcel_inc.:devtrack");
script_end_attributes();

 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


port = get_http_port(default:80, embedded: 0);
if (!can_host_asp(port:port)) exit(0);


# Loop through various directories.
#
# nb: the app uses "/TXWebService" by default so make sure we do too.
dirs = list_uniq(make_list("/TXWebService", cgi_dirs()));

foreach dir (dirs)
{
  # Try to generate a SQL error.
  exploit = string("'nessus", unixtime());
  r = http_send_recv3(method: "GET", port: port, item:string(
      dir, "/DataService.asmx/AuthUser?",
      "UserName=", urlencode(str:exploit), "&",
      # nb: leave it empty to return data.
      "Password=nasl&",
      "NeedCompress=0"
    ));
  if (isnull(r)) exit(0);

  # There's a problem if we see a SQL error.
  if (
    "ReturnMessage>Database Error" >< r[2] &&
    string("Incorrect syntax near ", exploit, "'") >< r[2]
  )
  {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}