ID COUNTER_PHP_FILE_OVERWRITE.NASL Type nessus Reporter This script is Copyright (C) 2003-2021 Tenable Network Security, Inc. Modified 2021-01-19T00:00:00
Description
The remote host has the cgi 'counter.php' installed.
This CGI contains a flaw that can be abused by an attacker to overwrite arbitrary files on the system with the privileges of the web server.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# Ref: http://www.securitytracker.com/alerts/2003/Mar/1006368.html
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration. This branch runs only when the engine loads the plugin
# to collect its metadata; it sends no traffic and ends with exit(0).
if (description)
{
  # Identity and revision of the plugin.
  script_id(11611);
  script_version("1.17");

  script_name(english:"PHP Topsites counter.php count_log_file Parameter Arbitrary File Overwrite");
  script_summary(english:"Determine if counter.php is present");

  # Report text. The multi-line values keep their embedded line breaks.
  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host has a file overwrite
vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host has the cgi 'counter.php' installed.
This CGI contains a flaw that can be abused by an attacker to
overwrite arbitrary files on the system with the privileges of the
web server." );
  script_set_attribute(attribute:"solution", value:"Remove this CGI from the web server.");

  # CVSS v2 vector: reachable over the network, low complexity, no
  # authentication; the only impact scored is partial integrity loss.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/05/09");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Classification shown in the plugin catalogue.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.");

  # Scheduling: service and HTTP version detection run first, a web port must
  # be known, the www/PHP key must be set, and the plugin is skipped when the
  # Settings/disable_cgi_scanning key is present.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
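# Detection: request counter.php from every known CGI directory with the
# marker path '/nessus' in the count_log_file parameter, and report the host
# when a 200 response carries that path back inside a file() message.
port = get_http_port(default:80);
# Nothing to test if the server does not appear able to host PHP.
if (!can_host_php(port:port)) exit(0);

foreach d (make_list(cgi_dirs()))
{
  url = string(d, '/counter.php?count_log_file=/nessus');
  res = http_send_recv3(method:"GET", item:url, port:port);
  # No response at all: stop instead of probing the remaining directories.
  if (isnull(res)) exit(0);

  # http_send_recv3() returns [0] status line, [1] headers, [2] body.
  # The status pattern has to be matched against res[0]; matched against the
  # body it would only succeed if the page itself began with a status line,
  # so a vulnerable host would go unreported.
  #
  # NOTE(review): "file(/nessus)" looks like the PHP message printed when the
  # path cannot be opened, so a host that hides PHP errors would presumably
  # not be flagged even with counter.php installed - confirm.
  # NOTE(review): the request exercises the parameter the advisory describes
  # as a file overwrite; check that this is acceptable for ACT_GATHER_INFO on
  # servers whose web user could write to '/'.
  if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:res[0]) &&
      "file(/nessus)" >< res[2])
  {
    security_warning(port);
    exit(0);
  }
}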
{"id": "COUNTER_PHP_FILE_OVERWRITE.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "PHP Topsites counter.php count_log_file Parameter Arbitrary File Overwrite", "description": "The remote host has the cgi 'counter.php' installed.\n\nThis CGI contains a flaw that can be abused by an attacker to overwrite arbitrary files on the system with the privileges of the web server.", "published": "2003-05-09T00:00:00", "modified": "2021-01-19T00:00:00", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cvss2": {}, "cvss3": {"score": null, "vector": null}, "href": "https://www.tenable.com/plugins/nessus/11611", "reporter": "This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-08-19T13:20:30", "viewCount": 4, "enchantments": {"dependencies": {}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "nessus", "idList": ["FIND_SERVICE1.NASL"]}]}, "exploitation": null, "vulnersScore": 0.4}, "pluginID": "11611", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# Ref: http://www.securitytracker.com/alerts/2003/Mar/1006368.html\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(11611);\n script_version(\"1.17\");\n\n script_name(english:\"PHP Topsites counter.php count_log_file Parameter Arbitrary File Overwrite\");\n script_summary(english:\"Determine if counter.php is present\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host has a file overwrite\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has the cgi 'counter.php' installed.\n\nThis CGI contains a flaw that can be abused by an attacker to\noverwrite arbitrary files on the system with the privileges of the\nweb server.\" );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\"Remove this CGI from the web server.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/05/09\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port)) exit(0);\n\ndir = make_list(cgi_dirs());\n\nforeach d (dir)\n{\n url = string(d, '/counter.php?count_log_file=/nessus');\n buf = http_send_recv3(method:\"GET\", item:url, port:port);\n if( isnull(buf) ) exit(0);\n\n if(ereg(pattern:\"^HTTP/[0-9]\\.[0-9] 200 \", string:buf[2]) &&\n \"file(/nessus)\" >< buf[2])\n {\n security_warning(port);\n exit(0);\n }\n}\n", "naslFamily": "CGI abuses", "cpe": [], "solution": "Remove this CGI from the web server.", "nessusSeverity": "Medium", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 0}}