Vulnerabilities > CVE-2005-0305 - Privilege Escalation vulnerability in Siteman User Database

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
siteman
nessus
exploit available

Summary

CRLF injection vulnerability in users.php in Siteman 1.1.10 and earlier allows remote attackers to add arbitrary users and gain privileges via the `line` parameter in a `do=create` operation.

Vulnerable Configurations

Part Description Count
Application
Siteman
2

Exploit-Db

  • description: Siteman 1.1 User Database Privilege Escalation Vulnerability (1). CVE-2005-0305. Webapps exploit for php platform
    id: EDB-ID:25052
    last seen: 2016-02-03
    modified: 2005-01-19
    published: 2005-01-19
    reporter: Noam Rathaus
    source: https://www.exploit-db.com/download/25052/
    title: Siteman 1.1 - User Database Privilege Escalation Vulnerability 1
  • description: Siteman 1.1 User Database Privilege Escalation Vulnerability (2). CVE-2005-0305. Webapps exploit for php platform
    id: EDB-ID:25053
    last seen: 2016-02-03
    modified: 2005-01-19
    published: 2005-01-19
    reporter: amironline452
    source: https://www.exploit-db.com/download/25053/
    title: Siteman 1.1 - User Database Privilege Escalation Vulnerability 2

Nessus

NASL family: CGI abuses
NASL id: SITEMAN_USER_DB_PRIV_ESCALATION.NASL
description: The remote host is running Siteman, a web-based content management system written in PHP. The version of this software hosted on the remote web server fails to sanitize input to the […]
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16216
published: 2005-01-19
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16216
title: Siteman < 1.1.11 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: everything in this block only describes the check
# to the scanner; the detection logic itself lives below.
if (description)
{
  script_id(16216);
  script_version("1.18");

  # Public identifiers this plugin reports against.
  script_cve_id("CVE-2005-0305");
  script_bugtraq_id(12304, 12558);

  script_name(english:"Siteman < 1.1.11 Multiple Vulnerabilities");
  script_summary(english:"Checks Siteman's version");

  # Report text. The multi-line literals are part of the scan output and
  # are kept byte-for-byte, including their embedded line breaks.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
privilege escalation vulnerabilities."
  );
  script_set_attribute(attribute:"description", value:
"The remote host is running Siteman, a web-based content management
system written in PHP. 

The version of this software hosted on the remote web server fails to
sanitize input to the 'line' parameter of the 'users.php' script when
'do=create', which allows an attacker with valid credentials to create
an arbitrary administrative user."
  );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jan/245");
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110643320814371&w=2");
  script_set_attribute(attribute:"solution", value:"Upgrade to Siteman 1.1.11 or later.");

  # Scoring. Au:S (authentication required) follows the description above,
  # which assumes an attacker with valid credentials.
  # NOTE(review): the NVD entry for this CVE scores the flaw with no
  # privileges required; which precondition applies should be confirmed
  # against the advisory before relying on this vector for triage.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  # NOTE(review): Exploit-DB carries two public entries for CVE-2005-0305
  # (EDB-ID 25052 and 25053), which is at odds with "exploit_available"
  # being "false" here; worth re-checking the metadata.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/19");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/20");
  script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # Scheduling prerequisites: needs a web port, PHP detected, and CGI
  # scanning not disabled by the scan policy.
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_dependencie("http_version.nasl");
  script_require_keys("www/PHP");
  exit(0);
}

#the code

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded: 0, php:TRUE);

# Siteman identifies itself in the generator meta tag of forum.php.
generator_tag = '<meta name="generator" content="Siteman ';

# Version-based check only: it does not exercise the users.php input
# handling itself, so a host with a backported fix but an old version
# string could still be reported. Flags 0.x, 1.0.x and 1.1.0 through
# 1.1.10; the trailing [^0-9] stops "1.1.1" from matching 1.1.11+.
vuln_pattern = '<meta name="generator" content="Siteman (0\\.|1\\.(0|1\\.([0-9][^0-9]|10[^0-9])))';

foreach dir (cgi_dirs())
{
  res = http_send_recv3(method:"GET", item:dir + "/forum.php", port:port, exit_on_fail:TRUE);
  body = res[2];

  # Not a Siteman install in this directory; try the next one.
  if (!body || generator_tag >!< body) continue;

  # Siteman found, but the advertised version is outside the affected range.
  if (!egrep(pattern:vuln_pattern, string:body)) continue;

  security_warning(port);
  exit(0);
}