CVE-2004-1588

Vulnerability

SQL injection vulnerability exists in GoSmart Message Board (ASP). The vulnerability affects the Forum.asp page via the QuestionNumber and Category parameters, and the Login_Exec.asp page via the Username and Password parameters. All versions of GoSmart Message Board at the time (2004) are affected. [1]

Exploitation

An unauthenticated remote attacker can exploit this by crafting HTTP requests with malicious SQL code in the specified parameters. For example, appending SQL code to QuestionNumber in a GET request or injecting via POST to Login_Exec.asp. The underlying database is Microsoft Access, limiting the attack to boolean-based or error-based SQL injection techniques. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands, potentially reading or modifying database contents, such as user credentials or forum data. While direct shell access is unlikely due to Access database limitations, sensitive information disclosure is possible. [1]

Mitigation

No official patch was released by the vendor; the product is likely discontinued. Users should upgrade to a supported alternative or implement a web application firewall with rules to block SQL injection patterns. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]