Vulnerabilities > CVE-2004-1796 - PHP File Include vulnerability in HotNews

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

hotnews

nessus

exploit available

NVD

Published: 2004-12-31

Updated: 2017-07-11

Summary

PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier allows remote attackers to execute arbitrary PHP code via the (1) config[header] parameter to hotnews-engine.inc.php3 or (2) config[incdir] parameter to hnmain.inc.php3.

Vulnerable Configurations

Part	Description	Count
Application	Hotnews Hotnews Hotnews 0.5.3 Hotnews Hotnews 0.6.0 Hotnews Hotnews 0.6.0_Pre Hotnews Hotnews 0.6.1 Hotnews Hotnews 0.7.0 Hotnews Hotnews 0.7.1 Hotnews Hotnews 0.7.2	7

Exploit-Db

description	HotNews 0.x hotnews-engine.inc.php3 config[header] Parameter Remote File Inclusion. CVE-2004-1796. Webapps exploit for php platform
id	EDB-ID:23517
last seen	2016-02-02
modified	2004-01-05
published	2004-01-05
reporter	Officerrr
source	https://www.exploit-db.com/download/23517/
title	HotNews 0.x - hotnews-engine.inc.php3 configheader Parameter Remote File Inclusion

description	HotNews 0.x config[incdir] Parameter Remote File Inclusion. CVE-2004-1796. Webapps exploit for php platform
id	EDB-ID:23518
last seen	2016-02-02
modified	2004-01-05
published	2004-01-05
reporter	Officerrr
source	https://www.exploit-db.com/download/23518/
title	HotNews 0.x - configincdir Parameter Remote File Inclusion

description	HotNews 0.7.2 Remote File Inclusion. CVE-2004-1796. Webapps exploit for php platform
id	EDB-ID:12160
last seen	2016-02-01
modified	2010-04-11
published	2010-04-11
reporter	team_elite
source	https://www.exploit-db.com/download/12160/
title	HotNews 0.7.2 - Remote File Inclusion

Nessus

NASL family	CGI abuses
NASL id	HOTNEWS_CODE_INJECTION.NASL
description	The remote host is running HotNews, a set of PHP scripts designed to set up a newssystem for web pages. It is possible this suite to make the remote host include php files hosted on a third-party server. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server.
last seen	2020-06-01
modified	2020-06-02
plugin id	11979
published	2004-01-05
reporter	This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/11979
title	HotNews Multiple Script Remote File Inclusion
code	# # (C) Tenable Network Security, Inc. # # XXXX Untested # # Ref: # From: [email protected] # Subject: HotNews arbitary file inclusion # Date: January 4, 2004 3:45:59 AM CET # To: [email protected] include("compat.inc"); if(description) { script_id(11979); script_version ("1.19"); script_cve_id("CVE-2004-1796"); script_name(english:"HotNews Multiple Script Remote File Inclusion"); script_summary(english:"Checks for the presence of HotNews"); script_set_attribute(attribute:"synopsis", value: "The remote host has a vulnerability in a PHP application that may allow for the execution of arbitrary code." ); script_set_attribute(attribute:"description", value: "The remote host is running HotNews, a set of PHP scripts designed to set up a newssystem for web pages. It is possible this suite to make the remote host include php files hosted on a third-party server. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server." ); script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of HotNews" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-1796"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/01/05"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/01/03"); script_cvs_date("Date: 2019/05/31 10:05:08"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CGI abuses"); script_dependencie("find_service1.nasl", "http_version.nasl"); script_require_ports("Services/www", 80); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_keys("www/PHP"); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if(!can_host_php(port:port))exit(0); foreach dir (cgi_dirs()) { w = http_send_recv3(item:string(dir, "/includes/hnmain.inc.php3?config[incdir]=http://example.com/"), method:"GET", port:port); if (isnull(w)) exit(0); r = strcat(w[0], w[1], '\r\n', w[2]); if("http://example.com/func.inc.php3" >< r) { security_hole(port); exit(0); } }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References