Vulnerabilities > CVE-2003-0394 - Remote File Include vulnerability in Blnews 2.1.3

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
blnews
nessus
exploit available

Summary

objects.inc.php4 in BLNews 2.1.3 allows remote attackers to execute arbitrary PHP code via a Server[path] parameter that points to malicious code on an attacker-controlled web site.

Vulnerable Configurations

Part Description Count
Application
Blnews
1

Exploit-Db

description: BLNews 2.1.3 Remote File Include Vulnerability. CVE-2003-0394. Webapps exploit for php platform
id: EDB-ID:22641
last seen: 2016-02-02
modified: 2003-05-24
published: 2003-05-24
reporter: Over_G
source: https://www.exploit-db.com/download/22641/
title: BLNews 2.1.3 - Remote File Include Vulnerability

Nessus

NASL family: CGI abuses
NASL id: BLNEWS_CODE_INJECTION.NASL
description: It is possible to make the remote host include remote PHP files using the BLnews CGI suite. A remote attacker may exploit this to execute arbitrary code with the privileges of the web server.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11647
published: 2003-05-27
reporter: This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/11647
title: BLNews objects.inc.php4 Server[path] Parameter Remote File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#

# Ref:
#
# Date: Thu, 22 May 2003 14:42:13 +0400
# From: Over_G <[email protected]>
# To: [email protected]
# Subject: PHP source code injection in BLNews


include("compat.inc");


# Registration phase: when the scanner loads the plugin with `description`
# set, only this metadata block runs and the script exits (see the exit(0)
# at the end) before any request is sent to the target.
if(description)
{
  # Identifiers that tie this check to external advisories.
  script_id(11647);
  script_bugtraq_id(7677);
  script_cve_id("CVE-2003-0394");
  script_version ("1.28");
  script_xref(name:"Secunia", value:"8864");

  script_name(english:"BLNews objects.inc.php4 Server[path] Parameter Remote File Inclusion");
  # NOTE(review): the summary speaks of a presence check, but check() below
  # sends an include probe and inspects the response, not just the file's
  # existence.
  script_summary(english:"Checks for the presence of objects.inc.php4");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application has a remote code execution vulnerability." );
  script_set_attribute( attribute:"description", value:
"It is possible to make the remote host include remote PHP files
using the BLnews CGI suite.

A remote attacker may exploit this to execute arbitrary code with
the privileges of the web server." );

  script_set_attribute(attribute:"see_also", value:"http://marc.info/?l=bugtraq&m=105379530927567&w=2");

  # NOTE(review): the solution names no fixed release, and the temporal
  # vectors below carry RL:W (remediation level "workaround"), so confirm
  # that an upgraded install is actually patched before closing a finding.
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of BLNews.");
  # CVSS v2 base: network reachable, low complexity, no authentication,
  # partial confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal: E:H (exploitability high), RL:W (workaround), report
  # confidence not defined.
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
  # CVSS v3.0 equivalents; note the changed scope (S:C) in the base vector.
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:W/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0394");
  # The flaw is reachable with a plain HTTP request, hence "no exploit
  # required" alongside exploit_available.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/27");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/24");
  script_cvs_date("Date: 2019/06/03 10:01:42");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # Closes the script_set_attribute() list; keep all attributes above it.
  script_end_attributes();

  # ACT_ATTACK: the plugin sends a crafted request to the target instead of
  # only inspecting banners, so scan policies can treat it accordingly.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling constraints: run after the listed plugins, only against a
  # web service, never when CGI scanning is disabled, and only when the
  # knowledge base carries the www/PHP key.
  # presumably the two dependencies populate the Services/www and HTTP
  # entries used later; verify against those plugins.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  # End of registration; nothing below runs in description mode.
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Select the HTTP port to test (default:80 is passed to get_http_port) and
# stop before sending any probe when can_host_php() says the port cannot
# serve PHP. `port` stays a script-level variable because check() reads it.
port = get_http_port(default:80);
if (!can_host_php(port:port))
{
  exit(0);
}



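##
# Probe one candidate directory for the BLNews objects.inc.php4 include flaw.
#
# Sends a single GET for <loc>/admin/objects.inc.php4 with Server[path] set
# to the placeholder host http://example.com and Server[language_file] set
# to nessus.php, then searches the whole response for the URL that results
# from joining the two values.
#
# @param loc  directory prefix to test (one entry of the CGI directory list)
#
# Side effects: calls security_hole() on the script-level `port` and exits
# the plugin on the first match; also exits the plugin when the request
# yields no response at all, so later directories are not tried.
##
function check(loc)
{
  local_var probe, res, reply;

  probe = string(loc, "/admin/objects.inc.php4?Server[path]=http://example.com&Server[language_file]=nessus.php");
  res = http_send_recv3(item:probe, method:"GET", port:port);

  # A null result means the request failed outright; give up on the host.
  if (isnull(res)) exit(0);

  # Status line, headers and body are searched as one string.
  reply = strcat(res[0], res[1], '\r\n', res[2]);

  # The request never contains this joined URL, so seeing it in the reply
  # indicates the application built an include path from the two parameters.
  # The dot in the host name is escaped so that only the literal
  # "example.com" matches (it was a regex wildcard before).
  # NOTE(review): presumably the URL surfaces through a PHP include error
  # message; a vulnerable host that suppresses error output would then go
  # unflagged. Confirm, and do not treat a clean result as proof of a fix.
  if (egrep(pattern:".*http://example\.com/admin/nessus\.php", string:reply))
  {
    security_hole(port);
    exit(0);
  }
}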



# Run the probe against every CGI directory the scanner knows about.
# check() exits the plugin on the first hit, so at most one finding is
# reported per port even if several directories host the application.
cgi_locations = make_list(cgi_dirs());

foreach cgi_location (cgi_locations)
  check(loc:cgi_location);