Vulnerabilities > CVE-2003-1086 - Remote Security vulnerability in Pmachine Free and Pmachine PRO

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
pmachine
nessus
exploit available

Summary

PHP remote file inclusion vulnerability in pm/lib.inc.php in pMachine Free and pMachine Pro 2.2 and 2.2.1 allows remote attackers to execute arbitrary PHP code by modifying the pm_path parameter to reference a URL on a remote web server that contains the code.

Vulnerable Configurations

Part Description Count
Application
Pmachine
3

Exploit-Db

descriptionPMachine 2.2.1 Lib.Inc.PHP Remote Include Command Execution Vulnerability. CVE-2003-1086. Webapps exploit for php platform
idEDB-ID:22776
last seen2016-02-02
modified2003-06-15
published2003-06-15
reporterfrog
sourcehttps://www.exploit-db.com/download/22776/
titlePMachine 2.2.1 Lib.Inc.PHP Remote Include Command Execution Vulnerability

Nessus

NASL familyCGI abuses
NASL idPMACHINE_CODE_INJECTION.NASL
descriptionIt is possible to make the remote host include PHP files hosted on a third-party server using the pmachine CGI suite which is installed. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server.
last seen2020-06-01
modified2020-06-02
plugin id11739
published2003-06-16
reporterThis script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/11739
titlepMachine lib.inc.php pm_path Parameter Remote File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if(description)
{
  script_id(11739);
  script_version ("1.20");
  script_cve_id("CVE-2003-1086");
  script_bugtraq_id(7919);

  script_name(english:"pMachine lib.inc.php pm_path Parameter Remote File Inclusion");
  script_summary(english:"Checks for the presence of lib.inc.php");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be run on the remote server." );
  script_set_attribute(attribute:"description", value:
"It is possible to make the remote host include PHP files hosted on a
third-party server using the pmachine CGI suite which is installed.

An attacker may use this flaw to inject arbitrary code in the remote
host and gain a shell with the privileges of the web server." );
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-1086");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2003/06/16");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/06/15");
  script_cvs_date("Date: 2019/06/03 10:01:42");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CGI abuses");

  script_dependencie("webmirror.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if(!can_host_php(port:port))exit(0);



function check(loc)
{
 local_var r, res, u;
 u = string(loc, "/lib.inc.php?pm_path=http://example.com&sfx=.txt");
 r = http_send_recv3(method: "GET", port: port, item: u);
 if (isnull(r)) exit(0);
 res = strcat(r[0], r[1], '\r\n', r[2]);
 if(egrep(pattern:".*http://example.com//?config\.txt", string: res))
 {
 	security_hole(port, extra:
strcat('\nTry the following URL :\n\n', build_url(port: port, qs: u), '\n'));
	exit(0);
 }
}



foreach dir (cgi_dirs())
{
 check(loc:dir);
}