Vulnerabilities > CVE-2003-1239 - Unspecified vulnerability in Wihphoto 0.86

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
wihphoto
nessus
exploit available

Summary

Directory traversal vulnerability in sendphoto.php in WihPhoto 0.86 allows remote attackers to read arbitrary files via .. specifiers in the album parameter, and the target filename in the pic parameter.

Vulnerable Configurations

Part Description Count
Application
Wihphoto
1

Exploit-Db

description: WihPhoto 0.86 -dev sendphoto.php File Disclosure Vulnerability. CVE-2003-1239. Webapps exploit for php platform
id: EDB-ID:22282
last seen: 2016-02-02
modified: 2003-02-24
published: 2003-02-24
reporter: frog
source: https://www.exploit-db.com/download/22282/
title: WihPhoto 0.86 - dev sendphoto.php File Disclosure Vulnerability

Nessus

NASL family: CGI abuses
NASL id: WIHPHOTO_FILE_READ.NASL
description: It is possible to make the remote host mail any file contained on its hard drive by using a flaw in WihPhoto
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11274
published: 2003-02-27
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11274
title: WihPhoto sendphoto.php Traversal Arbitrary File Access
code:
#
# (C) Tenable Network Security, Inc.
#

# Refs: http://www.frog-man.org/tutos/WihPhoto.txt
#
# From: "Frog Man" <[email protected]>
# To: [email protected]
# Subject: [VulnWatch] WihPhoto (PHP)
# Message-ID: <[email protected]>
#


include("compat.inc");

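# Registration block. When the plugin is loaded with 'description' set, only
# the metadata below is recorded and the script exits (exit(0) at the end of
# this block) before any of the detection code further down runs.
if(description)
{
 script_id(11274);
 script_version ("1.24");
 script_cve_id("CVE-2003-1239");
 script_bugtraq_id(6929);

 script_name(english:"WihPhoto sendphoto.php Traversal Arbitrary File Access");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by an
information disclosure flaw." );
 # NOTE(review): the text below names 'util/email.php', while the plugin
 # title names sendphoto.php -- confirm against the referenced advisory
 # which script the finding should point operators at.
 script_set_attribute(attribute:"description", value:
"It is possible to make the remote host mail any file contained on its
hard drive by using a flaw in WihPhoto's 'util/email.php' script." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/312892" );
 # NOTE(review): "Unknown at this time." sits next to a temporal vector of
 # RL:OF (official fix). One of the two is stale; whoever triages this
 # finding needs to know whether a fixed release exists.
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 # NOTE(review): "false" here disagrees with E:POC in the temporal vector
 # above -- confirm which value is intended, since it feeds prioritisation.
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/02/27");
 script_cvs_date("Date: 2018/11/15 20:50:19");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # The summary previously named remotehtmlview.php, a file this plugin never
 # requests. The detection code fetches start.php and compares the version
 # banner, so the summary now says that.
 script_summary(english:"Checks the WihPhoto version banner in start.php");
 # NOTE(review): the detection code only issues a GET for start.php and
 # matches the banner; it never requests sendphoto.php. Confirm whether
 # ACT_ATTACK is still the intended category or whether ACT_GATHER_INFO
 # describes the check better.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}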

#
# The script code starts here
#


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Select the HTTP port to test, with 80 as the default.
port = get_http_port(default:80);

# Stop quietly when the server on that port is not believed to host PHP;
# WihPhoto is a PHP application, so there is nothing to check otherwise.
if (!can_host_php(port:port))
{
 exit(0);
}



# check(loc): fetch <loc>/start.php on the global 'port' and report the host
# when the page carries a WihPhoto banner for version 0.86 or lower.
#
# This is a banner comparison only: the traversal in sendphoto.php is never
# exercised. An install that was fixed without a version bump will still be
# reported, and one whose banner was removed or edited will be missed.
#
# On a match the finding is raised and the whole plugin exits, so the first
# matching directory is the only one reported.
function check(loc)
{
 local_var url, res, body;

 url = string(loc, "/start.php");
 res = http_send_recv3(method:"GET", item:url, port:port);

 # A null reply aborts the entire plugin run, not just this directory.
 if (isnull(res)) exit(1, "The web server did not answer");

 body = res[2];

 # Matches "WihPhoto 0." followed by a single digit, by 00-79, or by 80-86,
 # each of which must be followed by a non-digit character.
 if (egrep(pattern:"WihPhoto 0\.([0-9][^0-9]|[0-7][0-9][^0-9]|8[0-6][^0-9])", string:body))
 {
  security_warning(port);
  exit(0);
 }
}


# Build the candidate install paths: a "wihphoto" and a "WihPhoto"
# subdirectory under every entry returned by cgi_dirs(), followed by the
# same two names directly under the web root.
cgi_roots = make_list(cgi_dirs());
dirs = make_list();
foreach root (cgi_roots)
{
 dirs = make_list(dirs, string(root, "/wihphoto"), string(root, "/WihPhoto"));
}

dirs = make_list(dirs, "/wihphoto", "/WihPhoto");

# Probe each candidate in order. check() reports and exits on the first
# match, so at most one finding is raised per run.
foreach candidate (dirs)
{
 check(loc:candidate);
}