CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS
Percentile
73.3%
The remote host is running Limbo CMS, a content-management system written in PHP.
The version of Limbo CMS installed on the remote host fails to sanitize input to the ‘catid’ parameter of the ‘index.php’ script before using it in a database query. An unauthenticated attacker may be able to leverage this issue to manipulate SQL queries to uncover password hashes for arbitrary users of the affected application.
Note that successful exploitation requires that Limbo is configured to use MySQL for its database backend, which is not the default.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(21558);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-2363");
script_bugtraq_id(17870);
script_name(english:"Limbo weblinks.html.php catid Parameter SQL Injection");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a SQL
injection issue.");
script_set_attribute(attribute:"description", value:
"The remote host is running Limbo CMS, a content-management system
written in PHP.
The version of Limbo CMS installed on the remote host fails to
sanitize input to the 'catid' parameter of the 'index.php' script
before using it in a database query. An unauthenticated attacker may
be able to leverage this issue to manipulate SQL queries to uncover
password hashes for arbitrary users of the affected application.
Note that successful exploitation requires that Limbo is configured to
use MySQL for its database backend, which is not the default.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/433221/30/0/threaded");
# http://web.archive.org/web/20070428083435/http://forum.limbofreak.com/index.php?topic=6.0
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ecf65b1");
script_set_attribute(attribute:"solution", value:
"Apply Cumulative Patch v8 to Limbo 1.0.4.2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(16, 89);
script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);
# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/limbo", cgi_dirs()));
else dirs = make_list(cgi_dirs());
foreach dir (dirs)
{
magic = rand_str(length:12, charset:"0123456789");
exploit = string("-1 UNION SELECT 0,1,2,", magic, ",4,5,6,7,8,9,10,11--");
w = http_send_recv3(method:"GET",
item:string(
dir, "/index.php?",
"option=weblinks&",
"Itemid=2&",
"catid=", urlencode(str:exploit)
),
port:port
);
if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
res = w[2];
# There's a problem if...
if (
# we see our magic string and...
string('div class="componentheading" >', magic) >< res &&
# it looks like Limbo
egrep(pattern:"Site powered By <a [^>]+>Limbo CMS<", string:res)
)
{
security_warning(port);
set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
exit(0);
}
}