Vulnerabilities > CVE-2004-1422 - Remote vulnerability in WHM Autopilot 2.4.5/2.4.6/2.4.6.5

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
whm
nessus
exploit available
NVD
Published: 2004-12-31
Updated: 2017-07-11

Summary

WHM AutoPilot 2.4.6.5 and earlier allows remote attackers to gain sensitive information via phpinfo, which reveals php settings.

Vulnerable Configurations

Part Description Count
Application
Whm
3

Exploit-Db

descriptionWHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities. CVE-2004-1420,CVE-2004-1421,CVE-2004-1422. Webapps exploit for PHP platform
idEDB-ID:43818
last seen2018-01-24
modified2014-12-27
published2014-12-27
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/43818/
titleWHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities

Nessus

NASL familyCGI abuses
NASL idWHM_AUTOPILOT_FILE_INCLUDE.NASL
descriptionThe remote web server is running WHM AutoPilot, a script designed to administer a web-hosting environment. The remote version of this software is vulnerable to various flaws that may allow an attacker to execute arbitrary commands on the remote host, obtain information about the remote host
last seen2020-06-01
modified2020-06-02
plugin id16070
published2004-12-28
reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/16070
titleWHM AutoPilot < 2.5.20 Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16070);
  script_version ("1.18");
  script_cve_id("CVE-2004-1420", "CVE-2004-1421", "CVE-2004-1422");
  script_bugtraq_id(12119);

  script_name(english:"WHM AutoPilot < 2.5.20 Multiple Remote Vulnerabilities");
  script_summary(english:"Determines if WHM AutoPilot can include third-party files");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
several vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote web server is running WHM AutoPilot, a script designed to
administer a web-hosting environment. 

The remote version of this software is vulnerable to various flaws
that may allow an attacker to execute arbitrary commands on the remote
host, obtain information about the remote host's PHP installation, and
launch cross-site scripting attacks." );
  script_set_attribute(attribute:"see_also", value:"http://www.gulftech.org/?node=research&article_id=00059-12272004" );
  script_set_attribute(attribute:"solution", value:"Upgrade to WHM AutoPilot version 2.5.20 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-1421");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/12/28");
  script_cvs_date("Date: 2019/06/03 10:01:42");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if(!can_host_php(port:port))exit(0);

foreach d (cgi_dirs())
{
 url = string(d, "/inc/header.php/step_one.php?server_inc=http://example.com/");
 w = http_send_recv3(method:"GET", item:url, port:port);
 if (isnull(w)) exit(1, "The web server did not answer");
 res = strcat(w[0], w[1], '\r\n', w[2]);
 if ( "http://example.com/step_one_tables.php" >< buf )
 {
  security_hole(port);
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  exit(0);
 }
}

References