CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
73.8%
The version of the Site Documentation third-party module for Drupal installed on the remote host allows any user with ‘access content’ permission to retrieve the contents of arbitrary tables in the application’s database. An attacker can exploit this issue to retrieve sensitive information, such as usernames, password hashes, email addresses, and active SESSION IDs.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(32325);
script_version("1.23");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2008-2271");
script_bugtraq_id(29242);
script_xref(name:"SECUNIA", value:"30257");
script_name(english:"Site Documentation Module for Drupal Database Tables Access Content Permission Information Disclosure");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of the Site Documentation third-party module for Drupal
installed on the remote host allows any user with 'access content'
permission to retrieve the contents of arbitrary tables in the
application's database. An attacker can exploit this issue to retrieve
sensitive information, such as usernames, password hashes, email
addresses, and active SESSION IDs.");
script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/node/258547");
script_set_attribute(attribute:"solution", value:
"Upgrade to Site Documentation 5.x-1.8 / 6.x-1.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(264);
script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/14");
script_set_attribute(attribute:"patch_publication_date", value:"2008/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:site_documentation_module");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("drupal_detect.nasl");
script_require_keys("installed_sw/Drupal", "www/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "Drupal";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(qs:dir, port:port);
# Grab info from a table.
#
# nb: "sessions" may also be of interest.
table = "users";
url = '/?q=sitedoc/table/'+table;
r = http_send_recv3(method: "GET", item:dir+url, port:port, exit_on_fail:TRUE);
# There's a problem if we see the table's contents.
if (
(
"Table Contents | " >< r[2] ||
" Table Contents</h2>" >< r[2]
) &&
'sort=desc&order=' >< r[2] && 'tbody>' >< r[2]
)
{
output = strstr(r[2], '<tbody>');
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
request : make_list(install_url + url),
output : chomp(output)
);
exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);