Vulnerabilities > CVE-2001-0854 - Unspecified vulnerability in Francisco Burzi PHP-Nuke 5.2

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
francisco-burzi
nessus
NVD
Published: 2001-12-06
Updated: 2016-10-18

Summary

PHP-Nuke 5.2 allows remote attackers to copy and delete arbitrary files by calling case.filemanager.php with admin.php as an argument, which sets the $PHP_SELF variable and makes it appear that case.filemanager.php is being called by admin.php instead of the user.

Vulnerable Configurations

Part Description Count
Application
Francisco_Burzi
1

Nessus

NASL familyCGI abuses
NASL idPHP_NUKE_INSTALLED.NASL
descriptionThe remote host is running a copy of PHP-Nuke. Given the insecurity history of this package, the Nessus team recommends that you do not use it but use something else instead, as security was clearly not in the mind of the persons who wrote it. The author of PHP-Nuke (Francisco Burzi) even started to rewrite the program from scratch, given the huge number of vulnerabilities
last seen2020-06-02
modified2003-02-17
plugin id11236
published2003-02-17
reporterThis script is Copyright (C) 2003-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/11236
titlePHP-Nuke Detection
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11236);
 script_version ("1.39");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");

 script_cve_id(
  "CVE-2001-0292",
  "CVE-2001-0320",
  "CVE-2001-0854",
  "CVE-2001-0911",
  "CVE-2001-1025",
  "CVE-2002-0206",
  "CVE-2002-0483",
  "CVE-2002-1242",
  "CVE-2003-1400",
  "CVE-2003-1435"
 );
 script_bugtraq_id(
  6446,
  6465,
  6503,
  6750,
  6887,
  6890,
  7031,
  7060,
  7078,
  7079
 );

 script_name(english:"PHP-Nuke Detection");
 script_summary(english:"Determines if PHP-Nuke is installed on the remote host");

 script_set_attribute(attribute:"synopsis", value:
"A remote web application might be affected by several vulnerabilities.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a copy of PHP-Nuke.

Given the insecurity history of this package, the Nessus team
recommends that you do not use it but use something else instead, as
security was clearly not in the mind of the persons who wrote it. 

The author of PHP-Nuke (Francisco Burzi) even started to rewrite the
program from scratch, given the huge number of vulnerabilities");
 script_set_attribute(attribute:"see_also", value:"https://www.phpnuke.org/modules.php?name=News&file=article&sid=5640");
 script_set_attribute(attribute:"solution", value:
"De-install this package and use something else.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(79, 89);

 script_set_attribute(attribute:"plugin_publication_date", value:"2003/02/17");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:phpnuke:php-nuke");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2003-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_dependencie("webmirror.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8080, php: 1);

function check(loc)
{
 local_var r;

 loc += '/';
 r = http_send_recv3(method:"GET", item:string(loc), port:port, follow_redirect: 2, exit_on_fail: TRUE);
 if("PHP-Nuke" ><r[2] &&
    egrep(pattern:"GENERATOR.*PHP-Nuke.*", string:r[2]))
	{
	if ( ! loc ) loc = "/";
	set_kb_item(name:"www/" + port + "/php-nuke", value:"unknown under " + loc);
	set_kb_item(name:"www/php-nuke", value: TRUE);
	return(1);
	}
 else 
	return(0);
}

 
foreach dir (cgi_dirs())
{
if(check(loc:string(dir))){ security_hole(port); exit(0); }
}

exit(0, "PHP-Nuke was not found on the web server on port "+port+".");

References