Vulnerabilities > CVE-2004-1700 - Unspecified vulnerability in Pinnacle Systems Showcenter 1.51Build121

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Cross-site scripting (XSS) vulnerability in SettingsBase.php in Pinnacle ShowCenter 1.51 build 121 allows remote attackers to inject arbitrary HTML or web script via the Skin parameter, which is echoed in an error message.

Vulnerable Configurations

Part Description Count
Application
Pinnacle_Systems
1

Nessus

NASL familyCGI abuses : XSS
NASL idPINNACLE_XSS.NASL
descriptionThe remote host runs the Pinnacle ShowCenter web-based interface. The remote version of this software is vulnerable to cross-site scripting attack due to a lack of sanity checks on skin parameter in the SettingsBase.php script. With a specially crafted URL, an attacker can cause arbitrary code execution resulting in a loss of integrity.
last seen2020-06-01
modified2020-06-02
plugin id15485
published2004-10-17
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15485
titlePinnacle ShowCenter SettingsBase.php Skin Parameter XSS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15485);
  script_version("1.28");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2004-1700");
  script_bugtraq_id(11415);

  script_name(english:"Pinnacle ShowCenter SettingsBase.php Skin Parameter XSS");
  script_summary(english:"Checks skin XSS in Pinnacle ShowCenter");

  script_set_attribute(attribute:"synopsis", value:"A remote web application is vulnerable to cross-site scripting.");
  script_set_attribute(attribute:"description", value:
"The remote host runs the Pinnacle ShowCenter web-based interface.

The remote version of this software is vulnerable to cross-site
scripting attack due to a lack of sanity checks on skin parameter in
the SettingsBase.php script.

With a specially crafted URL, an attacker can cause arbitrary code
execution resulting in a loss of integrity.");
  script_set_attribute(attribute:"solution", value:"Upgrade to the newest version of this software.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/17");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses : XSS");

  script_dependencie("cross_site_scripting.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP", "Settings/ParanoidReport");
  script_require_ports("Services/www", 8000);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:8000, embedded:TRUE);
if (!can_host_php(port:port)) exit(0, "The web server on port "+port+" does not support PHP.");
if ( get_kb_item("www/" + port + "/generic_xss") ) exit(0, "The web server on port "+port+" is prone to XSS.");

buf = http_get(item:"/ShowCenter/SettingsBase.php?Skin=<script>foo</script>", port:port);
r = http_keepalive_send_recv(port:port, data:buf, bodyonly:1);
if( r == NULL )exit(1, "The web server on port "+port+" did not respond.");

if(egrep(pattern:"<script>foo</script>", string:r))
{
  security_warning(port);
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
}