Ikonboard FUNC.pm lang Cookie Arbitrary Command Execution

2003-05-08T00:00:00
ID IKONBOARD_CMD_EXEC.NASL
Type nessus
Reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
Modified 2020-01-02T00:00:00

Description

The remote server is running IkonBoard, a forum management CGI.

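The installed version fails to properly sanitize the 'lang' cookie when it contains illegal characters. An attacker, exploiting this flaw, could execute arbitrary code on the remote host when the cookie is inserted into a Perl 'eval' statement.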

                                        
                                            #
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Plugin metadata. This branch only registers attributes and then exits,
# so nothing below the closing brace runs when 'description' is set.
if (description)
{
  # Identifiers tying the check to public advisories.
  script_id(11605);
  script_bugtraq_id(7361);
  script_cve_id("CVE-2003-0770");
  script_version("1.19");

  script_name(english:"Ikonboard FUNC.pm lang Cookie Arbitrary Command Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is hosting a CGI application that is affected by
a remote command execution vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote server is running IkonBoard, a forum management CGI.

The installed version fails to properly sanitize the 'lang' cookie
when it contains illegal characters.  An attacker, exploiting this
flaw, could execute arbitrary code on the remote host when the cookie
is inserted into a Perl 'eval' statement." );

  # Advisory threads, kept in their original order.
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Apr/30" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Sep/95" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Sep/248" );

  # NOTE(review): no fix is recorded here. Until a patched release is
  # confirmed, the practical mitigation for a finding is to restrict
  # access to the CGI or take it offline.
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time." );

  # CVSS2 base: network vector, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  # Temporal: functional exploit (E:F), workaround-level remediation (RL:W).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/08");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/04/01");
  script_cvs_date("Date: 2018/11/15 20:50:17");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Summary and family strings are passed directly instead of going
  # through temporary arrays; the registered values are the same.
  script_summary(english:"Checks for Ikonboard.cgi");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # Scheduling constraints: needs a web service, and is skipped when the
  # "Settings/disable_cgi_scanning" key is set.
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Detection logic: request ikonboard.cgi in each CGI directory with a
# malformed 'lang' cookie and look for the Perl eval error in the reply.

# Web port under test; 80 is passed as the default.
port = get_http_port(default:80);

init_cookiejar();

foreach dir (cgi_dirs())
{
  # The value is the URL-encoded sequence '.', NUL, '"', i.e. characters
  # the plugin description calls illegal for this cookie. It only provokes
  # a parse error; no command is carried in the request.
  # The cookie is set on every pass rather than once, presumably so that a
  # cookie returned by an earlier response cannot replace it (TODO confirm).
  set_http_cookie(name:"lang", value:"%2E%00%22");

  res = http_send_recv3(method:"GET", item:dir + "/ikonboard.cgi", port:port);

  # A missing response ends the whole plugin, so directories later in the
  # list are not probed after the first failed request.
  if (isnull(res)) exit(0);

  # res[0] is the status line and res[2] the body. A 200 reply whose body
  # carries the eval diagnostic means the cookie reached Perl's eval.
  # NOTE(review): the signature is pinned to "(eval 6) line 1", so an
  # install whose eval counter differs, or one that hides error output,
  # would not match. A clean run is not proof the host is unaffected.
  if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:res[0]) &&
      egrep(pattern:".*EOF.*\(eval 6\) line 1", string:res[2]))
  {
    # Report once for the port and stop; further directories add nothing.
    security_hole(port);
    exit(0);
  }
}