Executive Summary
Summary | |
---|---|
Title | SkyPortal contains multiple SQL injection vulnerabilities |
Information | |||
---|---|---|---|
Name | VU#315107 | First vendor Publication | 2008-06-11 |
Vendor | VU-CERT | Last vendor Modification | 2008-06-11 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#315107
SkyPortal contains multiple SQL injection vulnerabilities
Overview
SkyPortal RC6 contains multiple SQL injection vulnerabilities which could allow a remote, unauthenticated attacker to gain access to the back-end database and to add, modify or remove data.
I. Description
SkyPortal is a modular web portal and online community system that includes web-based administration, user selectable skins, user control panel and additional modules such as Public Events Calendar, Classifieds Manager, WebLinks Manager, Download Manager, Article Manager, and Picture Manager.
There are multiple vulnerabilities in a number of pages and functions. These include nc_top.asp, inc_bookmarks.asp, inc_profile_functions.asp, inc_SUBSCRIPTIONS.asp, Avatar_URL, LINK1, and LINK2. Processing of maliciously crafted SQL commands to any of these functions could trigger the vulnerabilities.
References
The BugReport Security Research & Penetration Testing Group is credited with the discovery of these vulnerabilities. This document was written by Joseph Pruszynski.
Original Source
Url : http://www.kb.cert.org/vuls/id/315107 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
41046 | SkyPortal cp_main.asp Multiple Parameter SQL Injection |
41045 | SkyPortal inc_SUBSCRIPTIONS.asp Unspecified Parameter SQL Injection |
41044 | SkyPortal inc_profile_functions.asp Unspecified Parameter SQL Injection |
41043 | SkyPortal inc_bookmarks.asp Unspecified Parameter SQL Injection |
41042 | SkyPortal nc_top.asp Unspecified Parameter SQL Injection |