Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2009-2022 Tenable Network Security, Inc.EACCELERATOR_ENCODER_ACCESSIBLE.NASL
HistoryJul 22, 2009 - 12:00 a.m.

eAccelerator encoder.php File Backup

2009-07-2200:00:00
This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.
www.tenable.com
22

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

85.8%

JSON

The remote web server appears to be using eAccelerator, an open source extension for PHP designed to accelerate, optimize, and cache PHP scripts.

The script ‘encoder.php’ included with the installation of eAccelerator on the remote host fails to sanitize user-supplied input to the ‘source’ and ‘target’ parameters before using it to copy files from one location (possibly even a third-party site accessible via FTP or SMB) to another. An unauthenticated, remote attacker may be able to leverage this issue to disclose sensitive information, overwrite important files, or even execute arbitrary code, all subject to the privileges of the web server user id.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(40349);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2009-2353");
  script_bugtraq_id(35917);

  script_name(english:"eAccelerator encoder.php File Backup");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that can allow
execution of arbitrary code remotely.");
  script_set_attribute(attribute:"description", value:
"The remote web server appears to be using eAccelerator, an open source
extension for PHP designed to accelerate, optimize, and cache PHP
scripts.

The script 'encoder.php' included with the installation of
eAccelerator on the remote host fails to sanitize user-supplied input
to the 'source' and 'target' parameters before using it to copy files
from one location (possibly even a third-party site accessible via FTP
or SMB) to another.  An unauthenticated, remote attacker may be able to
leverage this issue to disclose sensitive information, overwrite
important files, or even execute arbitrary code, all subject to the
privileges of the web server user id.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/504695/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:eaccelerator:eaccelerator");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0, "Web server does not support PHP scripts.");


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/eaccelerator", "/eAccelerator", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Make sure the affected script exists.
  url = string(dir, "/encoder.php");

  res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail: 1);

  # If so ...
  if (
    '<title>eAccelerator Encoder</title>' >< res[2] &&
    'input type="text" name="source"' >< res[2] &&
    'input type="text" name="target"' >< res[2]
  )
  {
    # Try to generate an error message involving the target directory.
    #
    # nb: this won't actually create the directory because the script
    #     calls PHP's mkdir() function without the recursion flag.
    source = ".";
    target = string("NESSUS/", SCRIPT_NAME, "/", unixtime());

    postdata = string(
      "source=", source, "&",
      "target=", target, "&",
      "suffixies=php&",
      "submit=OK"
    );

    req = http_mk_post_req(
      port        : port,
      item        : url, 
      data        : postdata,
      add_headers : make_array(
        "Content-Type", "application/x-www-form-urlencoded"
      )
    );
    res = http_send_recv_req(port:port, req:req, exit_on_fail: 1);

    # There's a problem if we couldn't create the target directory.
    if (string("ERROR: Can't create destination directory ", '"', target, '"') >< res[2])
    {
      if (report_verbosity > 0)
      {
        req_str = http_mk_buffer_from_req(req:req);

        report = string(
          "\n",
          "Nessus was able to verify the issue exists using the following\n",
          "request :\n",
          "\n",
          crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
          req_str, "\n",
          crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
        );
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
  }
}
exit(0, "The host is not affected.");
VendorProductVersionCPE
eacceleratoreacceleratorcpe:/a:eaccelerator:eaccelerator

Related

openvas 2
cvelist 1
nvd 1
prion 1
cve 1
openvas
openvas
Mandrake Security Advisory MDVSA-2009:188 (php4-eaccelerator)
2009-08-17 00:00:00
Mandrake Security Advisory MDVSA-2009:188 (php4-eaccelerator)
2009-08-17 00:00:00
cvelist
cvelist
CVE-2009-2353
2009-07-07 23:00:00
nvd
nvd
CVE-2009-2353
2009-07-07 23:30:00
prion
prion
Design/Logic Flaw
2009-07-07 23:30:00
cve
cve
CVE-2009-2353
2009-07-07 23:30:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

85.8%

JSON
Related for EACCELERATOR_ENCODER_ACCESSIBLE.NASL
openvas2cvelist1nvd1prion1cve1