Synopsis
The remote web server has an ASP script that is affected by a SQL injection vulnerability.
Description
The remote host is using the VP-ASP software suite.
This set of CGIs is vulnerable to a SQL injection bug that may allow an attacker to take control of the server as an administrator. From there, the attacker can obtain the list of customers, steal their credit card information, and more.
In addition, this software is vulnerable to various file disclosure and cross-site scripting flaws.
Solution
Upgrade to the latest version of VP-ASP.
Plugin Details
File Name: vp-asp_sql_injection.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Reference Information
CVE: CVE-2002-1919
BID: 4861
CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990