Clever Copy connect.inc Direct Request Information Disclosure

2006-04-12T00:00:00
ID CLEVERCOPY_INFO_DISCLOSURE.NASL
Type nessus
Reporter Tenable
Modified 2018-06-13T00:00:00

Description

The remote host is running Clever Copy, a free web portal written in PHP.

The version of Clever Copy installed on the remote host fails to limit access to the 'admin/connect.inc' include file, which contains information used by the application to connect to a database. An unauthenticated attacker can view the contents of this file using a simple GET command and use the information to launch other attacks against the affected host.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21215);
  script_version("1.19");

  script_cve_id("CVE-2006-1718");
  script_bugtraq_id(17461);

  script_name(english:"Clever Copy connect.inc Direct Request Information Disclosure");
  script_summary(english:"Reads Clever Copy's admin/connect.inc file");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an information disclosure flaw." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Clever Copy, a free web portal written in
PHP. 

The version of Clever Copy installed on the remote host fails to limit
access to the 'admin/connect.inc' include file, which contains
information used by the application to connect to a database.  An
unauthenticated attacker can view the contents of this file using a
simple GET command and use the information to launch other attacks
against the affected host." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c952ae9c" );
 script_set_attribute(attribute:"solution", value:
"Limit access to Clever Copy's admin directory using, say, a .htaccess
file." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/04/12");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/04/07");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/blog", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Try to read the file.
  r = http_send_recv3(method:"GET", item:string(dir, "/admin/connect.inc"), port:port);
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if it looks like the file.
  if (egrep(pattern:"\$(Host|Dbase|User|Pass)[ \t]*=[ \t]*", string:res))
  {
    report = string(
      "\n",
      "Here are the contents of the file 'admin/connect.inc' that\n",
      "Nessus was able to read from the remote host :\n",
      "\n",
      data_protection::sanitize_user_full_redaction(output:res)
    );

    security_warning(port:port, extra:report);
    exit(0);
  }
}