VP-ASP shopexd.asp catalogid Parameter SQL Injection

high Nessus Plugin ID 11786

Synopsis

The remote web server hosts an ASP script that is affected by a SQL injection vulnerability.

Description

The remote host is using the VP-ASP software suite.

The 'catalogid' parameter of the shopexd.asp script is not sanitized before being used in a database query, so the application is vulnerable to SQL injection. An unauthenticated remote attacker can use this to run arbitrary SQL against the back-end database and may be able to gain administrative control of the application; from there, the customer list, stored credit card data and other sensitive information can be obtained.

In addition, this version of the software is affected by several file disclosure and cross-site scripting flaws.
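The injection class described above, as an added illustration that is not part of the plugin or of VP-ASP: VP-ASP's actual schema and query text are not on this page, so the table names, columns and the concatenated query are assumed stand-ins modelled on the classic-ASP habit of splicing a query-string value straight into SQL. The vulnerable lookup is shown beside a hardened one that type-checks the value and binds it as a parameter; SQLite is used in place of the Access/SQL Server back end.

```python
import sqlite3

# Constructed sample data (assumed, not VP-ASP's real schema).
PRODUCTS = [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 29.99)]
CUSTOMERS = [(10, "alice@example.invalid", "4111111111111111"),
             (11, "bob@example.invalid", "5500000000000004")]


def make_db():
    """In-memory database standing in for the shop's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (catalogid INTEGER, name TEXT, price REAL)")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, cardnumber TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, catalogid):
    """Assumed vulnerable pattern: the request parameter is concatenated into
    the SQL text, so anything the attacker puts in 'catalogid' is parsed as SQL."""
    sql = "SELECT catalogid, name, price FROM products WHERE catalogid=" + catalogid
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, catalogid):
    """Hardened form: reject anything that is not an integer literal, then
    bind the value as a query parameter so it can never change the SQL."""
    if not catalogid.isdigit():
        raise ValueError("catalogid must be a non-negative integer")
    sql = "SELECT catalogid, name, price FROM products WHERE catalogid=?"
    return conn.execute(sql, (int(catalogid),)).fetchall()


def demo():
    """Run the same attacker-controlled values through both lookups."""
    conn = make_db()
    results = {
        # Legitimate request: one product row.
        "normal": lookup_vulnerable(conn, "2"),
        # Tautology: the WHERE clause becomes 'catalogid=2 OR 1=1', dumping every product.
        "tautology": lookup_vulnerable(conn, "2 OR 1=1"),
        # UNION with a matching column count pulls customer data through the product lookup,
        # the kind of cross-table read the advisory warns about.
        "union": lookup_vulnerable(conn, "0 UNION SELECT id, email, cardnumber FROM customers"),
    }
    try:
        lookup_hardened(conn, "2 OR 1=1")
        results["hardened_blocked"] = False
    except ValueError:
        results["hardened_blocked"] = True
    results["hardened_normal"] = lookup_hardened(conn, "2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened version deliberately validates before binding: parameter binding alone already stops the injection, but rejecting non-numeric input also gives the application a clean place to log a probe attempt rather than silently returning nothing.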

Solution

Upgrade to the latest version of VP-ASP.

Plugin Details

Severity: High

ID: 11786

File Name: vp-asp_sql_injection.nasl

Version: 1.22

Type: remote

Family: CGI abuses

Published: 7/8/2003

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2002-1919

BID: 4861

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990