CVE-2014-6030 in SelectSurvey.NET
Summary
by MITRE
Multiple SQL injection vulnerabilities in ClassApps SelectSurvey.NET before 4.125.002 allow (1) remote attackers to execute arbitrary SQL commands via the SurveyID parameter to survey/ReviewReadOnlySurvey.aspx or (2) remote authenticated users to execute arbitrary SQL commands via the SurveyID parameter to survey/UploadImagePopupToDb.aspx.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/18/2025
The vulnerability identified as CVE-2014-6030 represents a critical SQL injection flaw in ClassApps SelectSurvey.NET version 4.125.002 and earlier, exposing the application to unauthorized command execution through improper input validation. This vulnerability affects two distinct endpoints within the application's survey management functionality, specifically survey/ReviewReadOnlySurvey.aspx and survey/UploadImagePopupToDb.aspx, where the SurveyID parameter serves as the primary attack vector for malicious SQL command injection attempts.
The technical exploitation of this vulnerability occurs when the application fails to properly sanitize or escape user-supplied input passed through the SurveyID parameter. This weakness allows attackers to inject malicious SQL code that gets executed within the database context, potentially enabling full database compromise. The vulnerability manifests differently depending on the attack scenario, with remote attackers capable of exploiting the issue without authentication against the ReviewReadOnlySurvey.aspx endpoint, while authenticated users can leverage the vulnerability at the UploadImagePopupToDb.aspx endpoint. Both attack vectors demonstrate the same underlying flaw in input validation and query construction processes within the application's backend.
The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could enable attackers to execute arbitrary database commands, potentially leading to complete system compromise. Attackers could leverage this vulnerability to extract sensitive information, modify database contents, or even escalate privileges within the database environment. The remote execution capability without authentication makes this particularly dangerous for web applications, as it allows attackers to exploit the vulnerability from anywhere on the internet without requiring valid user credentials. This represents a significant risk to organizations relying on the SelectSurvey.NET platform for survey management and data collection.
Security practitioners should implement immediate mitigations including input validation and parameterized queries to prevent SQL injection attacks. The CWE-89 standard categorizes this vulnerability as a classic SQL injection flaw, while the MITRE ATT&CK framework would classify this under the T1190 technique for exploitation of remote services. Organizations should ensure all instances of SelectSurvey.NET are updated to version 4.125.002 or later, and implement proper input sanitization measures including parameterized database queries, input length validation, and proper error handling to prevent information leakage. Additionally, network segmentation and access controls should be implemented to limit exposure of vulnerable endpoints, while regular security assessments should be conducted to identify similar vulnerabilities in other application components.