Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2004-2024 Tenable Network Security, Inc.POSTNUKE_BACKDOOR.NASL
HistoryOct 26, 2004 - 12:00 a.m.

PostNuke Trojaned Distribution

2004-10-2600:00:00
This script is Copyright (C) 2004-2024 Tenable Network Security, Inc.
www.tenable.com
18

8.4 High

AI Score

Confidence

Low

JSON

The remote host seems to be running a copy of a trojaned version of the β€˜PostNuke’ content management system.

PostNuke is a content management system in PHP whose main website has been compromised between the 24th and 26th of October 2004. An attacker modified some of the source code of the tool to execute arbitrary commands remotely on the remote host, by passing arguments to the β€˜oops’ parameter of the file pnAPI.php.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(15570);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");
  script_bugtraq_id(11529);

  script_name(english:"PostNuke Trojaned Distribution");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary commands can be run on the remote server.");
  script_set_attribute(attribute:"description", value:
"The remote host seems to be running a copy of a trojaned version of the
'PostNuke' content management system.

PostNuke is a content management system in PHP whose main website has
been compromised between the 24th and 26th of October 2004. An attacker
modified some of the source code of the tool to execute arbitrary 
commands remotely on the remote host, by passing arguments to the 'oops'
parameter of the file pnAPI.php.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the latest version of PostNuke.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postnuke_software_foundation:postnuke");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Backdoors");

  script_copyright(english:"This script is Copyright (C) 2004-2024 Tenable Network Security, Inc.");

  script_dependencies("postnuke_detect.nasl");
  script_require_keys("www/postnuke");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);

kb = get_kb_item("www/" + port + "/postnuke" );
if ( ! kb ) exit(0);
stuff = eregmatch(pattern:"(.*) under (.*)", string:kb );
dir = stuff[2];
if(!can_host_php(port:port))exit(0);

u = string(dir, "/includes/pnAPI.php?oops=id");
r = http_send_recv3(port: port, item: u, method: "GET");
if (isnull(r)) exit(0);
res = r[0]+r[1]+'\r\n'+r[2];
if (egrep(pattern:"uid=[0-9].*gid=[0-9]", string:res) ) 
  security_hole(port, extra: strcat('\nThe id command could be run through the following URL :\n\n', build_url(port: port, qs: u), '\n'));
VendorProductVersionCPE
postnuke_software_foundationpostnukecpe:/a:postnuke_software_foundation:postnuke

8.4 High

AI Score

Confidence

Low

JSON