PHPFusion <= 9.10.30 Multiple Vulnerabilities

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:php-fusion:php-fusion";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.126503");
  script_version("2024-04-09T05:05:38+0000");
  script_tag(name:"last_modification", value:"2024-04-09 05:05:38 +0000 (Tue, 09 Apr 2024)");
  script_tag(name:"creation_date", value:"2023-10-05 10:22:35 +0000 (Thu, 05 Oct 2023)");
  script_tag(name:"cvss_base", value:"9.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-09-08 17:27:00 +0000 (Fri, 08 Sep 2023)");

  script_cve_id("CVE-2023-2453", "CVE-2023-4480");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"NoneAvailable");

  script_name("PHPFusion <= 9.10.30 Multiple Vulnerabilities");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("secpod_php_fusion_detect.nasl");
  script_mandatory_keys("php-fusion/detected");

  script_tag(name:"summary", value:"PHPFusion is prone to multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The following vulnerabilities exist:

  - CVE-2023-2453: Insufficient sanitization of tainted file names that are directly concatenated
  with a path that is subsequently passed to a 'require_once' statement. This allows arbitrary
  files with the '.php' extension for which the absolute path is known to be included and executed.

  - CVE-2023-4480: Due to an out-of-date dependency in the 'Fusion File Manager' component
  accessible through the admin panel, an attacker can send a crafted request that allows them to
  read the contents of files on the system accessible within the privileges of the running process.
  Additionally, they may write files to arbitrary locations, provided the files pass the
  application's mime-type and file extension validation.");

  script_tag(name:"affected", value:"PHPFusion version 9.10.30 and prior.");

  script_tag(name:"solution", value:"No known solution is available as of 08th April, 2024.
  Information regarding this issue will be updated once solution details are available.");

  script_xref(name:"URL", value:"https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453.html");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_is_less_equal(version: version, test_version: "9.10.30")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "None", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);