CVE-2005-0870 - Cross-Site Scripting vulnerability in PHPsysinfo 2.3

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, phpsysinfo, nessus, exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in phpSysInfo 2.3, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) sensor_program parameter to index.php, (2) text[language], (3) text[template], or (4) hide_picklist parameter to system_footer.php.

Vulnerable Configurations

Part         Description   Count
Application  Phpsysinfo    1

Exploit-Db

  • description: phpSysInfo 2.0/2.3 index.php sensor_program Parameter XSS. CVE-2005-0870. Webapps exploit for php platform
    id: EDB-ID:25265
    last seen: 2016-02-03
    modified: 2005-03-23
    published: 2005-03-23
    reporter: Maksymilian Arciemowicz
    source: https://www.exploit-db.com/download/25265/
    title: phpSysInfo 2.0/2.3 index.php sensor_program Parameter XSS
  • description: phpSysInfo 2.0/2.3 system_footer.php Multiple Parameter XSS. CVE-2005-0870. Webapps exploit for php platform
    id: EDB-ID:25266
    last seen: 2016-02-03
    modified: 2005-03-23
    published: 2005-03-23
    reporter: Maksymilian Arciemowicz
    source: https://www.exploit-db.com/download/25266/
    title: phpSysInfo 2.0/2.3 system_footer.php Multiple Parameter XSS

Nessus

  • NASL family: CGI abuses
    NASL id: PHPSYSINFO_241.NASL
    description: The remote host is running phpSysInfo, a PHP application that parses the /proc entries on Linux/Unix systems and displays them in HTML. The installed version of phpSysInfo on the remote host has a design flaw in its globalization layer such that the script's variables can be overwritten independent of PHP's 'register_globals' setting. By exploiting this issue, an attacker may be able to read arbitrary files on the remote host and even execute arbitrary PHP code, both subject to the privileges of the web server user id.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20215
    published: 2005-11-16
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20215
    title: phpSysInfo < 2.4.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description) {
      script_id(20215);
      script_version("1.20");
    
      script_cve_id(
        "CVE-2003-0536",
        "CVE-2005-0870",
        "CVE-2005-3347",
        "CVE-2005-3348"
      );
      script_bugtraq_id(7286, 15396, 15414);
    
      script_name(english:"phpSysInfo < 2.4.1 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in phpSysInfo < 2.4.1");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running phpSysInfo, a PHP application that parses
    the /proc entries on Linux/Unix systems and displays them in HTML.
    
    The installed version of phpSysInfo on the remote host has a design
    flaw in its globalization layer such that the script's variables can
    be overwritten independent of PHP's 'register_globals' setting.  By
    exploiting this issue, an attacker may be able to read arbitrary files
    on the remote host and even execute arbitrary PHP code, both subject
    to the privileges of the web server user id.
    
    In addition, the application fails to sanitize user-supplied input
    before using it in dynamically-generated pages, which can be used to
    conduct cross-site scripting and HTTP response splitting attacks." );
      script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_222005.81.html" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to phpSysInfo 2.4.1 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(22, 352);
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/11/16");
      script_cvs_date("Date: 2018/07/24 18:56:11");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:phpsysinfo:phpsysinfo");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      script_dependencies("http_version.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    port = get_http_port(default:80, embedded: 0);
    if (!can_host_php(port:port)) exit(0);
    
    # Loop through directories.
    if (thorough_tests) dirs = list_uniq(make_list("/phpsysinfo", "/phpSysInfo", "/sysinfo", cgi_dirs()));
    else dirs = make_list(cgi_dirs());
    
    foreach dir (dirs) {
      # Try to exploit some of the flaws.
      r = http_send_recv3(method: "GET", port: port,
        item:string(
          dir, "/index.php?",
          # if successful, output will have the footer repeated.
          "lng=../system_footer&",
          # if successful, output will complain about an invalid sensor program.
          "sensor_program=", SCRIPT_NAME));
      if (isnull(r)) exit(0);
      res = r[2];
    
      # There's a problem if we overwrote $sensor_program.
      if (string("<center><b>Error: ", SCRIPT_NAME, " is not currently supported</b></center>") >< res) {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    
      # Alternatively, there's a problem if it looks like phpSysInfo and...
      if ("phpSysInfo-" >< res || "Created By: phpSysInfo" >< res) {
        # there are two footers.
        footer = "</html>";
        post_footer = strstr(res, footer);
        if (post_footer) {
          post_footer = post_footer - footer;
          if (strstr(post_footer, footer)) {
            security_warning(port);
            set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
            exit(0);
          }
        }
      }
    }
    
  • NASL family: CGI abuses : XSS
    NASL id: PHPSYSINFO_MULTIPLE_XSS.NASL
    description: The remote host is running phpSysInfo, a PHP script that parses the /proc entries on Linux systems and displays them in HTML. The version of phpSysInfo installed on the remote host is affected by multiple cross-site scripting vulnerabilities due to its failure to sanitize user input to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17610
    published: 2005-03-24
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17610
    title: PHPSysInfo < 2.5 Multiple Script XSS
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_50457509D05E11D99AED000E0C2E438A.NASL
    description: A Securityreason.com advisory reports that various cross site scripting vulnerabilities have been found in phpSysInfo. Input is not properly sanitised before it is returned to the user. A malicious person could exploit this to execute arbitrary HTML and script code in a user's browser session. Also it is possible to view the full path of certain scripts by accessing them directly.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21428
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21428
    title: FreeBSD : phpSysInfo -- XSS vulnerability (50457509-d05e-11d9-9aed-000e0c2e438a)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-899.NASL
    description: Several vulnerabilities have been discovered in egroupware, a web-based groupware suite. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2005-0870: Maksymilian Arciemowicz discovered several cross site scripting problems in phpsysinfo, which are also present in the imported version in egroupware and of which not all were fixed in DSA 724.
      - CVE-2005-2600: Alexander Heidenreich discovered a cross-site scripting problem in the tree view of FUD Forum Bulletin Board Software, which is also present in egroupware and allows remote attackers to read private posts via a modified mid parameter.
      - CVE-2005-3347: Christopher Kunz discovered that local variables get overwritten unconditionally in phpsysinfo, which are also present in egroupware, and are trusted later, which could lead to the inclusion of arbitrary files.
      - CVE-2005-3348: Christopher Kunz discovered that user-supplied input is used unsanitised in phpsysinfo and imported in egroupware, causing a HTTP Response splitting problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22765
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22765
    title: Debian DSA-899-1 : egroupware - programming errors
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-897.NASL
    description: Several vulnerabilities have been discovered in phpsysinfo, a PHP based host information application. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2005-0870: Maksymilian Arciemowicz discovered several cross site scripting problems, of which not all were fixed in DSA 724.
      - CVE-2005-3347: Christopher Kunz discovered that local variables get overwritten unconditionally and are trusted later, which could lead to the inclusion of arbitrary files.
      - CVE-2005-3348: Christopher Kunz discovered that user-supplied input is used unsanitised, causing a HTTP Response splitting problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22763
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22763
    title: Debian DSA-897-1 : phpsysinfo - programming errors
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-724.NASL
    description: Maksymilian Arciemowicz discovered several cross site scripting issues in phpsysinfo, a PHP based host information application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18303
    published: 2005-05-19
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18303
    title: Debian DSA-724-1 : phpsysinfo - design flaw
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-898.NASL
    description: Several vulnerabilities have been discovered in phpsysinfo, a PHP based host information application that is included in phpgroupware. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2005-0870: Maksymilian Arciemowicz discovered several cross site scripting problems, of which not all were fixed in DSA 724.
      - CVE-2005-3347: Christopher Kunz discovered that local variables get overwritten unconditionally and are trusted later, which could lead to the inclusion of arbitrary files.
      - CVE-2005-3348: Christopher Kunz discovered that user-supplied input is used unsanitised, causing a HTTP Response splitting problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22764
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22764
    title: Debian DSA-898-1 : phpgroupware - programming errors

Packetstorm

data source: https://packetstormsecurity.com/files/download/41530/advisory_212005.81.txt
id: PACKETSTORM:41530
last seen: 2016-12-05
published: 2005-11-15
reporter: Christopher Kunz
source: https://packetstormsecurity.com/files/41530/Hardened-PHP-Project-Security-Advisory-2005-21.81.html
title: Hardened-PHP Project Security Advisory 2005-21.81