TUTOS < 1.2 Multiple Input Validation Vulnerabilities

2004-09-2100:00:00

www.tenable.com

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.153

Percentile

95.9%

JSON

The remote host is running Tutos, an open source team organization software package written in PHP.

The remote version of this software is vulnerable to multiple input validation flaws that could allow an authenticated user to perform a cross-site scripting attack or a SQL injection against the remote service.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(14784);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2003-0481", "CVE-2004-2161", "CVE-2004-2162");
  script_bugtraq_id(8011, 8012, 11221);

  script_name(english:"TUTOS < 1.2 Multiple Input Validation Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a PHP script that is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Tutos, an open source team 
organization software package written in PHP.

The remote version of this software is vulnerable to multiple 
input validation flaws that could allow an authenticated user to 
perform a cross-site scripting attack or a SQL injection against 
the remote service.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Tutos-1.2 or newer.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tutos:tutos");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.");

  script_dependencies("find_service1.nasl", "http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

# Check starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if ( ! can_host_php(port:port) ) exit(0,"The remote web server does not support PHP.");

foreach dir (make_list( cgi_dirs() )) 
 {
   res = http_send_recv3(method:"GET", item:dir + "/php/mytutos.php", port:port);
   if (isnull(res)) exit(0,"Null response to mytutos.php request.");
  if ( '"GENERATOR" content="TUTOS' >< res[2] &&
       egrep(pattern:".*GENERATOR.*TUTOS (0\..*|1\.[01]\.)", string:res[2]) )
	{
	 security_hole(port);
	 set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
	 set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
	 exit(0);
	}
 }