Vulnerabilities > CVE-2003-0536 - Unspecified vulnerability in PHPsysinfo 2.0/2.1

CVSS 3.6 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
phpsysinfo
nessus
exploit available

Summary

Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences in the (1) template or (2) lng parameters.

Vulnerable Configurations

Part Description Count
Application
Phpsysinfo
2

Exploit-Db

description: PHPSysInfo 2.0/2.1 Index.PHP LNG File Disclosure Vulnerability. CVE-2003-0536. Webapps exploit for php platform
id: EDB-ID:22459
last seen: 2016-02-02
modified: 2003-04-04
published: 2003-04-04
reporter: Albert Puigsech Galicia
source: https://www.exploit-db.com/download/22459/
title: PHPSysInfo 2.0/2.1 Index.PHP LNG File Disclosure Vulnerability

Nessus

  • NASL family: CGI abuses
    NASL id: PHPSYSINFO_241.NASL
    description: The remote host is running phpSysInfo, a PHP application that parses the /proc entries on Linux/Unix systems and displays them in HTML. The installed version of phpSysInfo on the remote host has a design flaw in its globalization layer such that the script
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20215
    published: 2005-11-16
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20215
    title: phpSysInfo < 2.4.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    # Registration block: when Nessus loads the plugin only to read its
    # metadata, `description` is set and this block exits before any request
    # is sent; the detection logic further down runs only on a real scan.
    if (description) {
      script_id(20215);
      script_version("1.20");
    
      # CVE-2003-0536 is the directory traversal via the 'lng'/'template'
      # parameters; the three 2005 CVEs cover the globalization-layer
      # overwrite, XSS and response-splitting issues described in the text
      # below (the exact CVE-to-issue mapping is not recorded here).
      script_cve_id(
        "CVE-2003-0536",
        "CVE-2005-0870",
        "CVE-2005-3347",
        "CVE-2005-3348"
     );
      script_bugtraq_id(7286, 15396, 15414);
    
      script_name(english:"phpSysInfo < 2.4.1 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in phpSysInfo < 2.4.1");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running phpSysInfo, a PHP application that parses
    the /proc entries on Linux/Unix systems and displays them in HTML.
    
    The installed version of phpSysInfo on the remote host has a design
    flaw in its globalization layer such that the script's variables can
    be overwritten independent of PHP's 'register_globals' setting.  By
    exploiting this issue, an attacker may be able to read arbitrary files
    on the remote host and even execute arbitrary PHP code, both subject
    to the privileges of the web server user id.
    
    In addition, the application fails to sanitize user-supplied input
    before using it in dynamically-generated pages, which can be used to
    conduct cross-site scripting and HTTP response splitting attacks." );
     script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_222005.81.html" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to phpSysInfo 2.4.1 or later." );
      # Network vector, medium complexity: this presumably scores the remotely
      # reachable 2005 issues rather than the local-only CVE-2003-0536, which
      # the Debian plugin rates AV:L (3.6 LOW on this page).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      # NOTE(review): the Exploit-DB entry on this page (EDB-ID 22459) is for
      # CVE-2003-0536, so "false" presumably refers only to the 2005 issues;
      # confirm before relying on this attribute for prioritisation.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-22 is path traversal, CWE-352 is CSRF. NOTE(review): the description
      # above talks about XSS and response splitting, not CSRF, so the 352 tag
      # looks worth re-checking.
      script_cwe_id(22, 352);
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/11/16");
     script_cvs_date("Date: 2018/07/24 18:56:11");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:phpsysinfo:phpsysinfo");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/18");
    script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      # Runs only after the web server has been fingerprinted and PHP detected,
      # and honours the global setting that disables CGI scanning.
      script_dependencies("http_version.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Detection phase: find a phpSysInfo install and confirm, from the response
    # body alone, that request parameters override the script's variables.
    port = get_http_port(default:80, embedded: 0);
    if (!can_host_php(port:port)) exit(0);
    
    # Candidate directories: the well-known install paths are added only in
    # thorough mode; otherwise just the discovered CGI directories are tried.
    if (thorough_tests) dirs = list_uniq(make_list("/phpsysinfo", "/phpSysInfo", "/sysinfo", cgi_dirs()));
    else dirs = make_list(cgi_dirs());
    
    # Error text the application emits when $sensor_program has been replaced
    # by this plugin's own name (loop-invariant, so built once).
    overwrite_marker = string("<center><b>Error: ", SCRIPT_NAME, " is not currently supported</b></center>");
    footer = "</html>";
    
    foreach dir (dirs) {
      # One request checks both symptoms: a footer template pulled in via 'lng'
      # makes the footer appear twice, and an honoured 'sensor_program' value
      # proves the variable overwrite.
      url = string(dir, "/index.php?", "lng=../system_footer&", "sensor_program=", SCRIPT_NAME);
      r = http_send_recv3(method: "GET", port: port, item: url);
      # No answer at all means the server stopped responding; stop probing.
      if (isnull(r)) exit(0);
      res = r[2];
    
      # Strongest signal first: the overwritten variable shows up verbatim.
      if (overwrite_marker >< res) {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    
      # Anything that does not look like phpSysInfo is not worth inspecting.
      if (("phpSysInfo-" >!< res) && ("Created By: phpSysInfo" >!< res)) continue;
    
      # Two closing-html footers in one page mean the footer template was
      # included a second time through the 'lng' parameter.
      after_first = strstr(res, footer);
      if (!after_first) continue;
      after_first = after_first - footer;
      if (strstr(after_first, footer)) {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-346.NASL
    description: Albert Puigsech Galicia reported that phpsysinfo, a web-based program to display status information about the system, contains two vulnerabilities which could allow local files to be read, or arbitrary PHP code to be executed, under the privileges of the web server process (usually www-data). These vulnerabilities require access to a writable directory on the system in order to be exploited.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15183
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15183
    title: Debian DSA-346-1 : phpsysinfo - directory traversal
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-346. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: exits before any package check when Nessus only
    # wants the plugin's metadata.
    if (description)
    {
      script_id(15183);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # Single CVE: the directory traversal in the 'lng'/'template' parameters
      # fixed by DSA-346.
      script_cve_id("CVE-2003-0536");
      script_bugtraq_id(7275, 7286);
      script_xref(name:"DSA", value:"346");
    
      script_name(english:"Debian DSA-346-1 : phpsysinfo - directory traversal");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Albert Puigsech Galicia reported that phpsysinfo, a web-based program
    to display status information about the system, contains two
    vulnerabilities which could allow local files to be read, or arbitrary
    PHP code to be executed, under the privileges of the web server
    process (usually www-data). These vulnerabilities require access to a
    writable directory on the system in order to be exploited."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/200543"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-346"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the stable distribution (woody) this problem has been fixed in
    version 2.0-3woody1.
    
    We recommend that you update your phpsysinfo package."
      );
      # Local vector, no authentication: consistent with the 3.6 (LOW) rating
      # on this page and with the advisory text, which requires a writable
      # directory on the host rather than network access.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # "local": a dpkg version comparison over the SSH-collected package list,
      # not a probe of the web application itself.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpsysinfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # The package list comes from ssh_get_info.nasl; the plugin body re-checks
      # all three keys and audits out if any is missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Prerequisites: local checks enabled, a Debian host, and a dpkg package
    # list; each audit() call ends the plugin with the matching reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Woody (3.0) is the only release covered; 2.0-3woody1 is the fixed
    # version named in DSA-346. A host at or above it is reported as not
    # affected and the plugin stops there.
    vulnerable = deb_check(release:"3.0", prefix:"phpsysinfo", reference:"2.0-3woody1");
    if (!vulnerable) audit(AUDIT_HOST_NOT, "affected");
    
    # Attach the package comparison details only when verbosity asks for them.
    if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
    else security_note(0);
    exit(0);
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/41530/advisory_212005.81.txt
id: PACKETSTORM:41530
last seen: 2016-12-05
published: 2005-11-15
reporter: Christopher Kunz
source: https://packetstormsecurity.com/files/41530/Hardened-PHP-Project-Security-Advisory-2005-21.81.html
title: Hardened-PHP Project Security Advisory 2005-21.81