Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2005-2022 Tenable Network Security, Inc.PHPBB_PHOTO_ALBUM_XSS.NASL
HistoryApr 14, 2005 - 12:00 a.m.

phpBB Photo Album Module <= 2.0.53 Multiple Vulnerabilities

2005-04-1400:00:00
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
www.tenable.com
28

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.005

Percentile

77.5%

JSON

The installed version of phpBB on the remote host includes a photo album module that has multiple vulnerabilities:

  • A SQL Injection Vulnerability An attacker can pass arbitrary SQL code through the ‘mode’ parameter of the ‘album_search.php’ script to manipulate database queries.

  • Various Cross-Site Scripting Vulnerabilities The application fails to properly sanitize user input through the ‘sid’ parameter of the ‘album_cat.php’ and ‘album_comment.php’ scripts. An attacker can exploit these flaws to cause arbitrary HTML and script code to be run in a user’s browser within the context of the affected website.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(18051);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2005-1114", "CVE-2005-1115");
  script_bugtraq_id(13157, 13158);

  script_name(english:"phpBB Photo Album Module <= 2.0.53 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The installed version of phpBB on the remote host includes a photo
album module that has multiple vulnerabilities:

  - A SQL Injection Vulnerability
    An attacker can pass arbitrary SQL code through the 'mode'
    parameter of the 'album_search.php' script to manipulate
    database queries.

  - Various Cross-Site Scripting Vulnerabilities
    The application fails to properly sanitize user input 
    through the 'sid' parameter of the 'album_cat.php' and
    'album_comment.php' scripts. An attacker can exploit
    these flaws to cause arbitrary HTML and script code to
    be run in a user's browser within the context of the
    affected website.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Apr/191");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpbb_group:phpbb");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");

  script_dependencies("phpbb_detect.nasl", "cross_site_scripting.nasl");
  script_require_keys("www/phpBB");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Test an install.
install = get_kb_item(string("www/", port, "/phpBB"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];

  # If safe checks are enabled...
  if (safe_checks()) {
    # Get the main page.
    r = http_send_recv3(method:"GET",item:string(dir, "/album.php"), port:port);
    if (isnull(r)) exit(0);
    res = r[2];

    # And check the version number embedded in the page.
    if (egrep(
      string:res, 
      # version 2.0.53 and below may be vulnerable.
      # sample version strings:
      #   >Powered by Photo Album Addon 2 &copy; 2002-2003 <a href="http://smartor.is-root.com"
      #   >Powered by Photo Album Addon 2.0.5 &copy; 2002-2003 <a href="http://smartor.is-root.com"
      #   >Powered by Photo Album 2.0.51 &copy; 2002-2003 <a href="http://smartor.is-root.com"
      #   >Powered by Photo Album 2.0.53 &copy; 2002-2003 <a href="http://smartor.is-root.com"
      pattern:'>Powered by Photo Album (Addon )?([01].*|2|2\\.0\\.([0-4].*|5[0-3]?)) &copy; .+ <a href="http://smartor\\.is-root\\.com"', 
      icase:TRUE)
    ) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }
  }
  # Otherwise...
  else {
    # Try the SQL injection first.
    r = http_send_recv3(method:"GET",
      item:string(
        dir, "/album_search.php?",
        "search=", SCRIPT_NAME, "&",
        # nb: this should just generate a syntax error. If you change this,
        #     also make sure to change the pattern below.
        "mode='NESSUS"
      ), 
      port:port
    );
    if (isnull(r)) exit(0);
    res = r[2];

    # There's a problem if we see a syntax error.
    if (egrep(string:res, pattern:"SQL Error : .+ LIKE '%NESSUS")) {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }

    # If that failed to pick up anything, try to exploit the XSS flaws.
    if (get_kb_item("www/"+port+"/generic_xss")) exit(0);

    # A simple alert to display "Nessus was here".
    xss = "<script>alert('Nessus was here');</script>";
    # nb: the url-encoded version is what we need to pass in.
    exss = "%3Cscript%3Ealert('Nessus%20was%20here')%3B%3C%2Fscript%3E";
    exploits = make_list(
      "/album_cat.php?cat_id=1&sid='%22%3E" + exss,
      "/album_comment.php?pic_id=1&sid='%22%3E" + exss
    );

    foreach exploit (exploits) {
      r = http_send_recv3(method:"GET", item:string(dir, exploit), port:port);
      if (isnull(r)) exit(0);
      res = r[2];

      # There's a problem if we see our XSS.
      if (xss >< res) {
        security_hole(port);
	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
	set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
        exit(0);
      }
    }
  }
}

Related

nessus 1
cvelist 2
nvd 2
cve 2
nessus
nessus
phpBB2 Plus <= 1.52 Multiple XSS
2005-06-28 00:00:00
cvelist
cvelist
CVE-2005-1114
2005-04-16 04:00:00
CVE-2005-1115
2005-04-16 04:00:00
nvd
nvd
CVE-2005-1114
2005-05-02 04:00:00
CVE-2005-1115
2005-05-02 04:00:00
cve
cve
CVE-2005-1114
2005-05-02 04:00:00
CVE-2005-1115
2005-05-02 04:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.005

Percentile

77.5%

JSON
Related for PHPBB_PHOTO_ALBUM_XSS.NASL
nessus1cvelist2nvd2cve2