Vulnerabilities > CVE-2003-1238 - Unspecified vulnerability in Nuked-Klan

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
nuked-klan
nessus
exploit available

Summary

Cross-site scripting vulnerability (XSS) in Nuked-Klan 1.3 beta and earlier allows remote attackers to steal authentication information via cookies by injecting arbitrary HTML or script into op of the (1) Team, (2) News, and (3) Liens modules.

Exploit-Db

descriptionNuked-Klan 1.3 Multiple Cross Site Scripting Vulnerabilities. CVE-2003-1238. Webapps exploit for php platform
idEDB-ID:22276
last seen2016-02-02
modified2003-02-23
published2003-02-23
reportergregory Le Bras
sourcehttps://www.exploit-db.com/download/22276/
titleNuked-Klan 1.3 - Multiple Cross-Site Scripting Vulnerabilities

Nessus

  • NASL familyCGI abuses
    NASL idNUKED_CLAN_CMD_EXEC.NASL
    descriptionIt is possible to execute arbitrary PHP code on the remote host using a flaw in the
    last seen2020-06-01
    modified2020-06-02
    plugin id11282
    published2003-02-28
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11282
    titleNuked-Klan 1.2b Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref:
    # Message-ID: <[email protected]>
    # From: "Gregory" Le Bras <[email protected]>
    # To: [email protected]
    # Subject: [SCSA-006] XSS & Function
    #
    # We don't check for all the listed BIDs since no patch has
    # ever been made (ie: vulnerable to one => vulnerable to all)
    
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11282);
     script_version ("1.33");
     script_cve_id("CVE-2003-1238", "CVE-2003-1370", "CVE-2003-1371");
     script_bugtraq_id(6697, 6699, 6700, 6916, 6917);
    
     script_name(english:"Nuked-Klan 1.2b Multiple Vulnerabilities");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "It is possible to execute arbitrary PHP code on the remote host using
    a flaw in the 'Nuked Klan' package.  An attacker may leverage this
    flaw to leak information about the remote system or even execute
    arbitrary commands. 
    
    In addition to this problem, this service is vulnerable to various
    cross-site scripting attacks." );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Mar/265" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Mar/278" );
     script_set_attribute(attribute:"solution", value:
    "Contact the author for a patch." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(79);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/02/28");
     script_cvs_date("Date: 2018/11/15 20:50:18");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_summary(english:"Executes phpinfo()");
     script_category(ACT_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"CGI abuses");
     script_dependencie("http_version.nasl");
     script_require_ports("Services/www", 80);
     script_exclude_keys("Settings/disable_cgi_scanning");
     script_require_keys("www/PHP");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80, embedded: 0, php: 1);
    
    function check(loc, module)
    {
     local_var	url, w, r, report;
    
     if (! loc && report_paranoia < 2) return;	# Might generate a FP
    
     url = strcat(loc, "/index.php?file=", module, "&op=phpinfo");
     w = http_send_recv3(method:"GET", item: url, port:port, exit_on_fail: 1);
     r = strcat(w[0], w[1], '\r\n', w[2]);
     if("allow_call_time_pass_reference" >< r){
            report = string(
              "A vulnerable instance of Nuke Clan can be found at the following URL :\n",
              "\n",
              "  ", build_url(port:port, qs:url), "\n"
            );
     	security_warning(port:port, extra:report);
    	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    	exit(0);
      }
    }
    
    dirs = list_uniq(make_list("/nuked-clan", "/clan-nic", "/klan", "/clan", cgi_dirs()));
    
    
    foreach dir (dirs)
    {
     check(loc:dir, module:"News");
     #check(loc:dir, module:"Team");
     #check(loc:dir, module:"Lien");
    }
    
  • NASL familyCGI abuses
    NASL idNUKED_KLAN_XSS.NASL
    descriptionThe instance of Nuked-klan running on the remote web server is affected by multiple vulnerabilities due to a failure to sanitize user-supplied input to several parameters before using them in the
    last seen2020-06-01
    modified2020-06-02
    plugin id11447
    published2003-03-23
    reporterThis script is Copyright (C) 2003-2018 k-otik.com
    sourcehttps://www.tenable.com/plugins/nessus/11447
    titleNuked-Klan index.php Multiple Module Vulnerabilities
    code
    #
    # This test was rewritten by Tenable Network Security, Inc.
    #
    #  Message-ID: <[email protected]>
    #  From: Ertan Kurt <mailto:[email protected]>
    #  To: <[email protected]>
    #  Subject: Some XSS vulns
    #
    
    # Changes by Tenable:
    # - Revised plugin title (3/27/2009)
    # - Changed family (5/21/2009)
    # - Added response request and output in report. Modernized the descriptive text. (7/2016)
    
    include("compat.inc");
    
    if (description)
    {
      script_id(11447);
      script_version("1.40");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2003-1238", "CVE-2003-1371");
      script_bugtraq_id(6916, 6917);
      script_xref(name:"EDB-ID", value:"22276");
    
      script_name(english:"Nuked-Klan index.php Multiple Module Vulnerabilities");
      script_summary(english:"Determine if Nuked-klan is vulnerable to an XSS attack.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The instance of Nuked-klan running on the remote web server is
    affected by multiple vulnerabilities due to a failure to sanitize
    user-supplied input to several parameters before using them in the
    'Team', 'News', and 'Liens' modules to display dynamic HTML. An
    unauthenticated, remote attacker can exploit these issues to execute
    arbitrary script code in a user's browser session.
    
    Additionally, an information disclosure vulnerability exists that
    allows a remote attacker to disclose the physical path of the
    directory in which the application is installed; however, Nessus did
    not test for this.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2003/Feb/319");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2003/Mar/265");
      script_set_attribute(attribute:"solution", value:"Contact the author for a patch.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(79);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/23");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:nuked-klan:nuked-klan");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2003-2020 k-otik.com");
    
      script_dependencie("http_version.nasl", "cross_site_scripting.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
    port = get_http_port(default:80, embedded:TRUE);
    
    if (get_kb_item("www/"+port+"/generic_xss"))
      exit(0, "The web server on port "+port+" is vulnerable to XSS.");
    
    xss_pat = "<script>window.alert('test');</script>";
    
    foreach d (cgi_dirs())
    {
      url = d + "/index.php?file=Liens&op=" + raw_string(0x22) + "><script>window.alert('test');</script>";
      req = http_get(item:url, port:port);
      buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
      if( buf == NULL ) exit(0, "An empty response was received from the web server on port", port);
    
      if(ereg(pattern:"^HTTP/[0-9]\.[0-9] +200 .*", string:buf) &&
        xss_pat >< buf)
      {
        output = strstr(buf, xss_pat);
        if (isnull(output)) output = buf;
    
        security_report_v4(
          port     : port,
          severity : SECURITY_WARNING,
          generic  : TRUE,
          request  : make_list(build_url(qs:url, port:port)),
          output   : output,
          xss      : TRUE
        );
        exit(0);
      }
    }
    exit(0, "The web server on port "+port+" is not affected.");