PT-2005-2237 · Duportal · Duportal Pro

Diabolic Crab · Published 2005-04-22 · Updated 2018-10-19 · CVE-2005-1224

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

DUportal Pro version 3.4

Description

The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different API endpoints, including: the nChannel parameter to "/default.asp", "/cat.asp", or "/detail.asp"; the iChannel parameter to "/search.asp", "/default.asp", "/result.asp", "/cat.asp", or "/detail.asp"; the iCat parameter to "/cat.asp" or "/detail.asp"; the iData parameter to "/detail.asp" or "/result.asp"; the POL ID, POL PARENT, POL CATEGORY, CHA NAME, or CHA ID parameters to "/inc vote.asp"; or the tfm order or tfm orderby parameters to "/toppages.asp".

Recommendations

For version 3.4, consider disabling the SQL execution functionality until a patch is available. Restrict access to the vulnerable API endpoints, such as "/default.asp", "/cat.asp", "/detail.asp", "/search.asp", "/result.asp", "/inc vote.asp", and "/toppages.asp", to minimize the risk of exploitation. Avoid using the vulnerable parameters, such as nChannel, iChannel, iCat, iData, POL ID, POL PARENT, POL CATEGORY, CHA NAME, CHA ID, tfm order, and tfm orderby, in the affected API endpoints until the issue is resolved.
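
While access to those endpoints is being restricted, web server logs can be checked for requests that put unexpected characters into the listed parameters. The following is an added example, not code from the advisory or from the DUportal project: it encodes the endpoint and parameter pairs from the description and flags values outside an allowlist. The function names, the allowlist pattern and the simplified log format are assumptions, and names are compared with "_" and " " treated alike because the page prints them with spaces.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameters listed in the advisory, stored normalised
# (lower case, "_" folded to " ") because the page prints them with spaces.
AFFECTED = {
    "default.asp": {"nchannel", "ichannel"},
    "cat.asp": {"nchannel", "ichannel", "icat"},
    "detail.asp": {"nchannel", "ichannel", "icat", "idata"},
    "search.asp": {"ichannel"},
    "result.asp": {"ichannel", "idata"},
    "inc vote.asp": {"pol id", "pol parent", "pol category", "cha name", "cha id"},
    "toppages.asp": {"tfm order", "tfm orderby"},
}
# Assumption: a legitimate value is a short token of letters, digits, " ", "_" or ".".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_ .]{0,64}")

def norm(name):
    return unquote(name).lower().replace("_", " ").strip()

def suspicious_params(uri):
    """Return sorted (endpoint, parameter) pairs from AFFECTED whose value fails SAFE_VALUE."""
    parts = urlsplit(uri)
    endpoint = norm(parts.path.rsplit("/", 1)[-1])
    watched = AFFECTED.get(endpoint, set())
    hits = set()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if norm(key) in watched and not SAFE_VALUE.fullmatch(value):
            hits.add((endpoint, norm(key)))
    return sorted(hits)

def scan(log_lines):
    """Map line number -> hits for lines shaped 'client method uri status'."""
    report = {}
    for number, line in enumerate(log_lines, start=1):
        fields = line.split()
        hits = suspicious_params(fields[2]) if len(fields) >= 3 else []
        if hits:
            report[number] = hits
    return report

# Constructed sample lines (simplified format, documentation IP range).
SAMPLE_LOG = [
    "203.0.113.5 GET /cat.asp?iChannel=2&iCat=7 200",
    "203.0.113.9 GET /detail.asp?iData=12%27&iChannel=2 500",
    "203.0.113.9 GET /toppages.asp?tfm_order=DESC&tfm_orderby=hits%3B 200",
    "203.0.113.7 GET /about.asp?iCat=1%27 200",
]
```

Only query-string parameters are inspected; values sent in a POST body do not appear in access logs and need request-body logging to be covered.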


Related identifiers

CVE-2005-1224

Affected products

Duportal Pro