Noah's Classifieds <= 1.3 Multiple Vulnerabilities

2006-02-23T00:00:00
ID NOAHS_CLASSIFIEDS_13.NASL
Type nessus
Reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
Modified 2020-09-02T00:00:00

Description

The remote host is running Noah's Classifieds, a classified ads application written in PHP.

The installed version of Noah's Classifieds is reportedly affected by numerous remote and local file include, SQL injection, cross-site scripting, and information disclosure issues due to a general failure of the application to sanitize user-supplied input.

Note that successful exploitation of the file include flaws requires that PHP's 'register_globals' setting be enabled.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description) {
  script_id(20971);
  script_version("1.21");

  script_cve_id(
    "CVE-2006-0879", 
    "CVE-2006-0880", 
    "CVE-2006-0881", 
    "CVE-2006-0882"
  );
  script_bugtraq_id(16772, 16773, 16778, 16780);

  script_name(english:"Noah's Classifieds <= 1.3 Multiple Vulnerabilities");
  script_summary(english:"Checks for search page SQL injection flaw in Noah's Classifieds");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Noah's Classifieds, a classified ads
application written in PHP. 

The installed version of Noah's Classifieds is reportedly affected by
numerous remote and local file include, SQL injection, cross-site
scripting, and information disclosure issues due to a general failure
of the application to sanitize user-supplied input. 

Note that successful exploitation of the file include flaws requires
that PHP's 'register_globals' setting be enabled." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/425783/30/0/threaded" );
 script_set_attribute(attribute:"solution", value:
"Remove the application as it is no longer supported." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/23");
 script_cvs_date("Date: 2018/11/15 20:50:18");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe",value:"cpe:/a:phpoutsourcing:noahs_classifieds");
 script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded: 0, php: 1);


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/noahsclassifieds", "/classifieds", "/ads", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  res = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1);

  # If the initial page looks like Noah's Classifieds...
  if (egrep(pattern:">Powered by <a [^>]+>Noah's Classifieds</a>", string:res)) {
    # Try to exploit the SQL injection flaw.
    bound = "nessus";
    boundary = string("--", bound);
    postdata = string(
      boundary, "\r\n",
      'Content-Disposition: form-data; name="method"', "\r\n",
      "\r\n",
      "create\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="list"', "\r\n",
      "\r\n",
      "classifiedssearch\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="fromlist"', "\r\n",
      "\r\n",
      "classifiedscategory\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="frommethod"', "\r\n",
      "\r\n",
      "showhtmllist\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="str"', "\r\n",
      "\r\n",
      "'", SCRIPT_NAME, "\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="cid"', "\r\n",
      "\r\n",
      "0\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="type"', "\r\n",
      "\r\n",
      "1\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="submit"', "\r\n",
      "\r\n",
      "Ok\r\n",

      boundary, "\r\n",
      'Content-Disposition: form-data; name="id"', "\r\n",
      "\r\n",
      "0\r\n",

      boundary, "--", "\r\n"
    );

    w = http_send_recv3(method:"POST", port: port, 
      item: dir+"/index.php?option=com_noah",
      content_type: "multipart/form-data; boundary="+bound,
      exit_on_fail: 1, data: postdata);
    res = w[2];

    # There's a problem if we see a SQL syntax error with our script name.
    #
    # nb: error messages happen even if 'display_errors' is off.
    if (egrep(pattern:string("an error in your SQL syntax.+ near '", SCRIPT_NAME), string:res)) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }
  }
}