Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 Tenable Network Security, Inc.SPIP_SQL_INJECTION.NASL
HistoryFeb 25, 2006 - 12:00 a.m.

SPIP < 1.8.2-g Multiple Vulnerabilities

2006-02-2500:00:00
This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.
www.tenable.com
19
JSON

The remote host is running SPIP, an open source CMS written in PHP.

The remote version of this software is prone to SQL injection and cross-site scripting attacks. An attacker could send specially crafted URL to modify SQL requests, for example, to obtain the admin password hash, or execute malicious script code on the remote system.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20978);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-0517", "CVE-2006-0518", "CVE-2006-0519");
  script_bugtraq_id(16458, 16461);

  script_name(english:"SPIP < 1.8.2-g Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server has a PHP application that is affected by
multiple flaws.");
  script_set_attribute(attribute:"description", value:
"The remote host is running SPIP, an open source CMS written in PHP. 

The remote version of this software is prone to SQL injection and
cross-site scripting attacks.  An attacker could send specially
crafted URL to modify SQL requests, for example, to obtain the admin
password hash, or execute malicious script code on the remote system.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/423655/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Jan/993");
  script_set_attribute(attribute:"solution", value:
"Upgrade to SPIP version 1.8.2-g or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:spip:spip");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

#
# the code
#

 include("global_settings.inc");
 include("http_func.inc");
 include("http_keepalive.inc");
 include("misc_func.inc");

 port = get_http_port(default:80, embedded:TRUE);
 if (get_kb_item("Services/www/"+port+"/embedded")) exit(0);
 if (!can_host_php(port:port) ) exit(0);

 # Check a few directories.
 if (thorough_tests) dirs = list_uniq(make_list("/spip", cgi_dirs()));
 else dirs = make_list(cgi_dirs());

 foreach dir (dirs)
 { 
  files=make_list("forum.php3", "forum.php");
  foreach file (files)
  {
        magic = rand();
	req = http_get(item:string(dir,"/",file,'?id_article=1&id_forum=-1/**/UNION/**/SELECT%20', magic, '--'), port:port);
        res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
        if (res == NULL) exit(0);

        if (string('value="&gt; ', magic, '" class="forml"') >< res) {
          security_hole(port);
	  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
	  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
	  exit(0);
	}
  }
}
VendorProductVersionCPE
spipspipcpe:/a:spip:spip

Related

openvas 2
prion 3
debiancve 3
cve 3
openvas
openvas
SPIP < 1.8.2-g SQL Injection and XSS Flaws
2006-03-26 00:00:00
SPIP < 1.8.2-g SQL Injection and XSS Flaws
2006-03-26 00:00:00
prion
prion
Sql injection
2006-02-02 11:02:00
Cross site scripting
2006-02-02 11:02:00
Design/Logic Flaw
2006-02-02 11:02:00
debiancve
debiancve
CVE-2006-0518
2006-02-02 11:02:00
CVE-2006-0517
2006-02-02 11:02:00
CVE-2006-0519
2006-02-02 11:02:00
cve
cve
CVE-2006-0519
2006-02-02 11:02:00
CVE-2006-0517
2006-02-02 11:02:00
CVE-2006-0518
2006-02-02 11:02:00
JSON
Related for SPIP_SQL_INJECTION.NASL
openvas2prion3debiancve3cve3