ID DRUPAL_PRIV_ESCALATION.NASL Type nessus Reporter This script is Copyright (C) 2005-2021 Tenable Network Security, Inc. Modified 2005-07-08T00:00:00
Description
According to its banner, the version of Drupal running on the remote
host is affected by a privilege escalation vulnerability due to an
improperly implemented input check. An attacker can exploit this, when
public registration is enabled, to gain elevated privileges.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when the script is evaluated with `description` set, it
# only declares its metadata, dependencies and required KB keys, then exits.
# None of the detection logic below this block runs in that mode.
if (description)
{
  script_id(18641);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  # Identifiers used to correlate this finding with external advisories.
  script_cve_id("CVE-2005-1871");
  script_bugtraq_id(13852);
  script_name(english:"Drupal Unspecified Privilege Escalation");
  # The summary states the method: this is a version comparison, not a
  # functional test of the flaw.
  script_summary(english:"Checks the version of Drupal.");
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
privilege escalation vulnerability.");
  # The description names a precondition (public registration enabled) that
  # nothing in this script checks; treat a hit as "version in affected range".
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of Drupal running on the remote
host is affected by a privilege escalation vulnerability due to an
improperly implemented input check. An attacker can exploit this, when
public registration is enabled, to gain elevated privileges." );
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/files/sa-2005-001/advisory.txt");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Drupal version 4.4.3 / 4.5.3 / 4.6.1 or later.");
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:W/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/08");
  # Marks the result as inferred rather than confirmed; this matches the
  # paranoid-report gating in script_require_keys() below.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_end_attributes();
  # Information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
  # Presumably drupal_detect.nasl populates the "installed_sw/Drupal" KB entry
  # that this plugin reads - confirm against that script.
  script_dependencies("drupal_detect.nasl");
  script_require_ports("Services/www", 80);
  # Requiring "Settings/ParanoidReport" means the plugin is only scheduled when
  # paranoid reporting is on, because a version match alone can be a false
  # positive (for example a patched or backported install).
  script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport");
  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
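# Detection phase: look up the Drupal install recorded in the KB and compare
# its version string against the affected ranges. This is a version-only
# check: nothing here tests whether public registration is enabled, which the
# plugin description lists as a precondition for exploitation.
app = "Drupal";

# Stop early when no Drupal install was recorded for this host.
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

# exit_if_unknown_ver: without a version string there is nothing to compare.
install = get_single_install(
  app_name            : app,
  port                : port,
  exit_if_unknown_ver : TRUE
);

dir = install['path'];
version = install['version'];

loc = build_url(port:port, qs:dir);

# A version match is not proof of exposure, so report only in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Report on vulnerable (4.4.0-4.4.2; 4.5.0-4.5.2; 4.6.0).
# The trailing ([^0-9]|$) ends the patch-level component: without it the
# pattern is a prefix match, so a two-digit patch level such as 4.5.10 would
# be reported as 4.5.1. Suffixed strings such as "4.6.0-<tag>" still match.
if (version =~ "^4\.(4\.[0-2]|5\.[0-2]|6\.0)([^0-9]|$)")
{
  if (report_verbosity > 0)
  {
    report =
      '\n URL : ' + loc +
      '\n Installed version : ' + version +
      '\n Fixed version : 4.4.3 / 4.5.3 / 4.6.1' +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, loc, version);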
{"id": "DRUPAL_PRIV_ESCALATION.NASL", "bulletinFamily": "scanner", "title": "Drupal Unspecified Privilege Escalation", "description": "According to its banner, the version of Drupal running on the remote\nhost is affected by a privilege escalation vulnerability due to an \nimproperly implemented input check. An attacker can exploit this, when\npublic registration is enabled, to gain elevated privileges.", "published": "2005-07-08T00:00:00", "modified": "2005-07-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/18641", "reporter": "This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.", "references": ["https://www.drupal.org/files/sa-2005-001/advisory.txt"], "cvelist": ["CVE-2005-1871"], "type": "nessus", "lastseen": "2021-01-20T10:04:12", "edition": 24, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1871"]}, {"type": "osvdb", "idList": ["OSVDB:17028"]}], "modified": "2021-01-20T10:04:12", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-01-20T10:04:12", "rev": 2}, "vulnersScore": 7.5}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18641);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2005-1871\");\n script_bugtraq_id(13852);\n\n script_name(english:\"Drupal Unspecified Privilege Escalation\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by a\nprivilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Drupal running on the remote\nhost is affected by a 
privilege escalation vulnerability due to an \nimproperly implemented input check. An attacker can exploit this, when\npublic registration is enabled, to gain elevated privileges.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/files/sa-2005-001/advisory.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 4.4.3 / 4.5.3 / 4.6.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/06/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\", \"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = 
install['path'];\nversion = install['version'];\n\nloc = build_url(port:port, qs:dir);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# Report on vulnerable (4.4.0-4.4.2; 4.5.0-4.5.2; 4.6.0)\nif (version =~ \"^4\\.(4\\.[0-2]|5\\.[0-2]|6\\.0)\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + loc +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.4.3 / 4.5.3 / 4.6.1' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, loc, version);\n", "naslFamily": "CGI abuses", "pluginID": "18641", "cpe": ["cpe:/a:drupal:drupal"], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:24:36", "description": "Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an \"input check\" that \"is not implemented properly.\"", "edition": 4, "cvss3": {}, "published": "2005-06-09T04:00:00", "title": "CVE-2005-1871", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1871"], "modified": "2016-10-18T03:23:00", "cpe": ["cpe:/a:drupal:drupal:4.5.0", "cpe:/a:drupal:drupal:4.4.0", "cpe:/a:drupal:drupal:4.4.1", "cpe:/a:drupal:drupal:4.6.0", "cpe:/a:drupal:drupal:4.4.2", "cpe:/a:drupal:drupal:4.5.1", "cpe:/a:drupal:drupal:4.5.2"], "id": "CVE-2005-1871", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1871", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:drupal:drupal:4.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:4.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:4.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:4.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:drupal:drupal:4.4.2:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "cvelist": ["CVE-2005-1871"], "edition": 1, "description": "## Vulnerability Description\nDrupal contains a flaw that may allow a malicious user to bypass security restrictions. 
The issue is due to an unspecified input validation error in the privilege system. It is possible that the flaw may allow an attacker to gain administrative privileges resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.4.3, 4.5.3, 4.6.1, or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nDrupal contains a flaw that may allow a malicious user to bypass security restrictions. The issue is due to an unspecified input validation error in the privilege system. It is possible that the flaw may allow an attacker to gain administrative privileges resulting in a loss of integrity.\n## References:\nVendor URL: http://drupal.org/\n[Secunia Advisory ID:15372](https://secuniaresearch.flexerasoftware.com/advisories/15372/)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0010.html\nKeyword: DRUPAL-SA-2005-001\n[CVE-2005-1871](https://vulners.com/cve/CVE-2005-1871)\n", "modified": "2005-06-03T10:07:50", "published": "2005-06-03T10:07:50", "href": "https://vulners.com/osvdb/OSVDB:17028", "id": "OSVDB:17028", "title": "Drupal Privilege Unspecified User Role Privilege Escalation", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}