7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.025 Low
EPSS
Percentile
90.2%
The remote host is running WebAdmin, a web-based remote administration tool for Alt-N MDaemon.
According to its banner, the installed version of WebAdmin fails to properly filter directory traversal sequences from the ‘file’ parameter of the ‘logfile_view.wdm’ and ‘configfile_view.wdm’ scripts. A global administrator can leverage this issue to read and write to arbitrary files on the affected host, subject to the privileges of the web server user id, which in the case WebAdmin’s internal web server is used, is LOCAL SYSTEM.
In addition, the affected application also reportedly allows a domain administrator to edit the account of a global administrator, which can be leveraged to login as the global administrator by changing his password.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description) {
script_id(22257);
script_version("1.22");
script_cve_id("CVE-2006-4370", "CVE-2006-4371");
script_bugtraq_id(19620, 19631);
script_name(english:"WebAdmin < 3.2.5 Multiple Vulnerabilities");
script_summary(english:"Checks version of WebAdmin");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI application that is affected by
multiple issues." );
script_set_attribute(attribute:"description", value:
"The remote host is running WebAdmin, a web-based remote administration
tool for Alt-N MDaemon.
According to its banner, the installed version of WebAdmin fails to
properly filter directory traversal sequences from the 'file'
parameter of the 'logfile_view.wdm' and 'configfile_view.wdm' scripts.
A global administrator can leverage this issue to read and write to
arbitrary files on the affected host, subject to the privileges of the
web server user id, which in the case WebAdmin's internal web server
is used, is LOCAL SYSTEM.
In addition, the affected application also reportedly allows a domain
administrator to edit the account of a global administrator, which can
be leveraged to login as the global administrator by changing his
password." );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Aug/523" );
script_set_attribute(attribute:"see_also", value:"http://lists.altn.com/[email protected]@.eeb9cff" );
script_set_attribute(attribute:"solution", value:
"Upgrade to WebAdmin 3.2.5 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/23");
script_set_attribute(attribute:"vuln_publication_date", value: "2006/08/21");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 1000);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:1000);
# Get the version number from the initial page.
res = http_get_cache(item:"/", port:port, exit_on_fail: 1);
# There's a problem if ...
if (
# it looks like WebAdmin and ...
'<title>WebAdmin</title>' >< res &&
'<form name="waForm" action="login.wdm"' >< res &&
# it's version < 3.2.5
egrep(pattern:">WebAdmin</A> v([0-2]\..*|3\.([01]\..*|2\.[0-4])) ©", string:res)
) security_hole(port);