OpenBB index.php CID Parameter SQL Injection

High Nessus Plugin ID 11550


The remote web server has an application that is affected by
a SQL injection vulnerability.


The remote host seems to be running OpenBB, a forum management

There is a bug which allows an attacker to inject SQL command
when passing a single quote (') to the CID argument of the
file index.php, as in : GET /index.php?CID='<sql query>

An attacker may use this flaw to gain credentials or to modify
your database.


If the remote host is running OpenBB,
upgrade to the latest version

Plugin Details

Severity: High

ID: 11550

File Name: openbb_sql_injection.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 2003/04/26

Modified: 2018/08/08

Dependencies: 10107, 17975

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2003/04/25

Reference Information

BID: 7401