7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.049 Low
EPSS
Percentile
92.8%
The remote host is running PHP-Update, a content management system written in PHP.
The version of PHP-Update installed on the remote host fails to sanitize user-supplied arguments to the ‘blog.php’ script before importing them into the global symbol table. By leveraging this flaw, an unauthenticated, remote attacker can gain control of the application and possibly execute arbitrary code on the remote host, subject to the permissions of the web server user id.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(23927);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-6661");
script_bugtraq_id(21658);
script_xref(name:"EDB-ID", value:"2953");
script_name(english:"PHP-Update blog.php Variable Overwriting Arbitrary Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a data
modification vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is running PHP-Update, a content management system
written in PHP.
The version of PHP-Update installed on the remote host fails to
sanitize user-supplied arguments to the 'blog.php' script before
importing them into the global symbol table. By leveraging this flaw,
an unauthenticated, remote attacker can gain control of the application
and possibly execute arbitrary code on the remote host, subject to the
permissions of the web server user id.");
script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/20");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:php-update:php-update");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Loop through directories.
if (thorough_tests) dirs = list_uniq("/phpupdate", "/phpu", cgi_dirs());
else dirs = make_list(cgi_dirs());
foreach dir (dirs)
{
init_cookiejar();
erase_http_cookie(name: "blogcookie[user]"); # In case it already exists
# If we can overwrite the variables, this request will set a cookie.
r = http_send_recv3(method: "GET",
item: string(
dir, "/blog.php?",
"f=&",
"newmessage=&",
"newremember=1&",
"adminuser=1&",
"newusername=", SCRIPT_NAME
),
port:port
);
if (isnull(r)) exit(0);
# There's a problem if we could set the user cookie.
val = get_http_cookie(name: "blogcookie[user]");
if (SCRIPT_NAME >< val) {
security_hole(port);
exit(0);
}
}
Vendor | Product | Version | CPE |
---|---|---|---|
php-update | php-update | cpe:/a:php-update:php-update |