Vulnerabilities > CVE-2004-1403 - Remote File Include vulnerability in SIR GNUBoard

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
sir
nessus
NVD
Published: 2004-12-31
Updated: 2017-07-11

Summary

PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 and earlier allows remote attackers to execute arbitrary PHP code by modifying the doc parameter to reference a URL on a remote web server that contains the code.

Vulnerable Configurations

Part Description Count
Application
Sir
10

Nessus

NASL familyCGI abuses
NASL idGNUBOARD_FILE_INCLUDE.NASL
descriptionIt is possible to make the remote web server read arbitrary files by using the GNUBoard CGI suite which is installed. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server.
last seen2020-06-01
modified2020-06-02
plugin id15975
published2004-12-15
reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/15975
titleSIR GNUBoard Remote File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(15975);
  script_version ("1.16");

  script_cve_id("CVE-2004-1403");
  script_bugtraq_id(11948);

  script_name(english:"SIR GNUBoard Remote File Inclusion");
  script_summary(english:"Checks for the presence of index.php");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is running a PHP application that is affected by
a remote file inclusion vulnerability." );
  script_set_attribute(attribute:"description", value:
"It is possible to make the remote web server read arbitrary files by 
using the GNUBoard CGI suite which is installed.

An attacker may use this flaw to inject arbitrary code in the remote
host and gain a shell with the privileges of the web server." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/384522/30/0/threaded" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to GNUBoard 3.40 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:W/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-1403");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/15");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/12/14");
  script_cvs_date("Date: 2019/06/03 10:01:42");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
 
  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CGI abuses");
  
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

#
# The script code starts here
#


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded: 0);
if(!can_host_php(port:port))exit(0);



function check(loc)
{
 local_var r;

 r = http_send_recv3(method:"GET", item:string(loc, "/index.php?doc=http://example.com/foo.php"), port:port);
 if (isnull(r)) exit(0);
 if( "http://example.com/" >< r[2] &&
     "php_network_getaddresses" >< r[2] )
 {
   security_hole(port);
   exit(0);
 }
}

foreach dir ( cgi_dirs() )
{
 check(loc:dir);
}

References