Vulnerabilities > CVE-2004-1421 - Unspecified vulnerability in WHM Autopilot 2.4.5/2.4.6/2.4.6.5

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
whm
nessus
exploit available
NVD
Published: 2004-12-31
Updated: 2024-11-20

Summary

Multiple PHP remote file inclusion vulnerabilities (1) step_one.php, (2) step_one_tables.php, (3) step_two_tables.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the server_inc parameter to reference a URL on a remote web server that contains the code.

Vulnerable Configurations

Part Description Count
Application
Whm
3

Exploit-Db

descriptionWHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities. CVE-2004-1420,CVE-2004-1421,CVE-2004-1422. Webapps exploit for PHP platform
idEDB-ID:43818
last seen2018-01-24
modified2014-12-27
published2014-12-27
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/43818/
titleWHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities

Nessus

NASL familyCGI abuses
NASL idWHM_AUTOPILOT_FILE_INCLUDE.NASL
descriptionThe remote web server is running WHM AutoPilot, a script designed to administer a web-hosting environment. The remote version of this software is vulnerable to various flaws that may allow an attacker to execute arbitrary commands on the remote host, obtain information about the remote host
last seen2020-06-01
modified2020-06-02
plugin id16070
published2004-12-28
reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/16070
titleWHM AutoPilot < 2.5.20 Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16070);
  script_version ("1.18");
  script_cve_id("CVE-2004-1420", "CVE-2004-1421", "CVE-2004-1422");
  script_bugtraq_id(12119);

  script_name(english:"WHM AutoPilot < 2.5.20 Multiple Remote Vulnerabilities");
  script_summary(english:"Determines if WHM AutoPilot can include third-party files");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
several vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote web server is running WHM AutoPilot, a script designed to
administer a web-hosting environment. 

The remote version of this software is vulnerable to various flaws
that may allow an attacker to execute arbitrary commands on the remote
host, obtain information about the remote host's PHP installation, and
launch cross-site scripting attacks." );
  script_set_attribute(attribute:"see_also", value:"http://www.gulftech.org/?node=research&article_id=00059-12272004" );
  script_set_attribute(attribute:"solution", value:"Upgrade to WHM AutoPilot version 2.5.20 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-1421");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/12/28");
  script_cvs_date("Date: 2019/06/03 10:01:42");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if(!can_host_php(port:port))exit(0);

foreach d (cgi_dirs())
{
 url = string(d, "/inc/header.php/step_one.php?server_inc=http://example.com/");
 w = http_send_recv3(method:"GET", item:url, port:port);
 if (isnull(w)) exit(1, "The web server did not answer");
 res = strcat(w[0], w[1], '\r\n', w[2]);
 if ( "http://example.com/step_one_tables.php" >< buf )
 {
  security_hole(port);
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  exit(0);
 }
}

References