CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
78.5%
The remote version of Episodex Guestbook contains an input
validation flaw leading to the execution on attacker supplied HTML and script code. In addition an
unauthenticated remote attacker can directly access administrator functions.
# SPDX-FileCopyrightText: 2005 Josh Zlatin-Amishav
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.18362");
script_version("2024-06-13T05:05:46+0000");
script_tag(name:"last_modification", value:"2024-06-13 05:05:46 +0000 (Thu, 13 Jun 2024)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2005-1684", "CVE-2005-1685");
script_name("Episodex Guestbook Unauthorized Access and HTML Injection Vulnerability");
script_category(ACT_GATHER_INFO);
script_family("Web application abuses");
script_copyright("Copyright (C) 2005 Josh Zlatin-Amishav");
script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl",
"DDI_Directory_Scanner.nasl", "global_settings.nasl",
"gb_microsoft_iis_http_detect.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
script_xref(name:"URL", value:"https://web.archive.org/web/20210218031327/http://www.securityfocus.com/bid/13692");
script_xref(name:"URL", value:"https://web.archive.org/web/20210206162503/http://www.securityfocus.com/bid/13693");
script_tag(name:"summary", value:"The remote version of Episodex Guestbook contains an input
validation flaw leading to the execution on attacker supplied HTML and script code. In addition an
unauthenticated remote attacker can directly access administrator functions.");
script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");
script_tag(name:"solution", value:"No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
options are to upgrade to a newer release, disable respective features, remove the product or
replace the product by another one.");
script_tag(name:"qod_type", value:"remote_analysis");
script_tag(name:"solution_type", value:"WillNotFix");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
port = http_get_port(default:80);
if(!http_can_host_asp(port:port))
exit(0);
foreach dir(make_list_unique("/", http_cgi_dirs(port:port))) {
if(dir == "/")
dir = "";
url = dir + "/admin.asp";
res = http_get_cache(item:url, port:port);
if(!res)
continue;
if('Save Configuration' >< res && 'powered by Sven Moderow\'s GuestBook' >< res) {
report = http_report_vuln_url(port:port, url:url);
security_message(port:port, data:report);
exit(0);
}
}
exit(99);