Detections
Analytics

WebStores 2000 browse_item_details.asp SQL Injection

high Nessus Plugin ID 11692

Language:

Synopsis

The remote web server contains an ASP application that is prone to SQL injection attacks.

Description

The remote web server is running WebStores 2000, a set of ASP scripts designed to set up an e-commerce store.

There is a flaw in the version of WebStores used on the remote host that may allow an attacker to make arbitrary SQL statements to the backend database. An attacker may be able to exploit this issue to add administrative accounts, execute arbitrary commands using the 'xp_cmdshell' function, and the like.

Solution

Unknown at this time.

See Also

https://marc.info/?l=bugtraq&m=107712159425226&w=2

Plugin Details

Severity: High

ID: 11692

File Name: webstores_browseitemdetails_sql_injection.nasl

Version: 1.27

Type: remote

Family: CGI abuses

Published: 6/3/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/ASP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2/18/2004

Reference Information

CVE: CVE-2004-0304

BID: 7766