Vulnerabilities > CVE-2001-0437 - Remote Command Execution vulnerability in DCForum 'AZ' Field

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

dcscripts

nessus

NVD

Published: 2001-07-02

Updated: 2017-12-19

Summary

upload_file.pl in DCForum 2000 1.0 allows remote attackers to upload arbitrary files without authentication by setting the az parameter to upload_file.

Vulnerable Configurations

Part	Description	Count
Application	Dcscripts Dcscripts Dcforum 1.0 Dcscripts Dcforum 2.0 Dcscripts Dcforum 3.0 Dcscripts Dcforum 4.0 Dcscripts Dcforum 5.0 Dcscripts Dcforum 6.0 Dcscripts Dcforum 2000 1.0	7

Nessus

NASL family	CGI abuses
NASL id	DCFORUM.NASL
description	The DCForum dcboard.cgi script is installed. This CGI has some well known security flaws, including one that lets an attacker execute arbitrary commands with the privileges of the web server.
last seen	2020-06-01
modified	2020-06-02
plugin id	10583
published	2000-12-29
reporter	This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/10583
title	DCForum dcboard.cgi Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10583); script_version ("1.33"); script_cve_id("CVE-2001-0436", "CVE-2001-0437"); script_bugtraq_id(2611); script_name(english:"DCForum dcboard.cgi Multiple Vulnerabilities"); script_summary(english:"Checks for the presence of /cgi-bin/dcforum"); script_set_attribute( attribute:"synopsis", value: "The remote web server is hosting a CGI known to have multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The DCForum dcboard.cgi script is installed. This CGI has some well known security flaws, including one that lets an attacker execute arbitrary commands with the privileges of the web server." ); # https://web.archive.org/web/20020227074916/http://archives.neohapsis.com/archives/bugtraq/2001-04/0269.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?92384774" ); script_set_attribute( attribute:"solution", value:"Remote this script from /cgi-bin." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/12/29"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/03/31"); script_cvs_date("Date: 2018/06/13 18:56:26"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc."); script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl"); script_require_ports("Services/www", 80); script_exclude_keys("Settings/disable_cgi_scanning"); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); dirs = list_uniq(make_list('/dcforum', cgi_dirs())); foreach dir (dirs) { url = string( dir, "/dcforum.cgi?az=list&forum=../../../../../../../etc/passwd%00" ); r = http_send_recv3(method:"GET", item:url, port:port); if (isnull(r)) exit(0); if(egrep(pattern:".root:.:0:[01]:.*", string:r[2])) { security_hole(port); exit(0); } }

Summary

Vulnerable Configurations

Nessus

References