CVE-2004-2212

Vulnerability

AliveSites Forums version 2.0 contains a SQL injection vulnerability in the forum.asp page. The forum_id parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. This affects all installations of AliveSites Forums 2.0 [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the forum.asp page with a malicious forum_id parameter. No authentication is required, as the parameter is processed before any user login. The attacker can inject SQL statements to manipulate the database.

Impact

Successful exploitation allows a remote attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized disclosure of sensitive data, modification of database content, or potentially full compromise of the application's data.

Mitigation

No official patch or fixed version has been released for AliveSites Forums 2.0. The vendor may have discontinued support. As of the publication date (2004-12-31), no workaround is documented. Users should consider migrating to an alternative forum software [1].