Vulnerabilities > CVE-2005-1681 - Unspecified vulnerability in Bugada Andrea PHP Advanced Transfer Manager 1.20/1.21

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
bugada-andrea
nessus
exploit available
NVD
Published: 2005-05-20
Updated: 2024-11-20

Summary

PHP remote file inclusion vulnerability in common.php in phpATM 1.21, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the include_location parameter to index.php.

Vulnerable Configurations

Part Description Count
Application
Bugada_Andrea
2

Exploit-Db

descriptionPHP Advanced Transfer Manager 1.21 Arbitrary File Include Vulnerability. CVE-2005-1681. Webapps exploit for php platform
idEDB-ID:25686
last seen2016-02-03
modified2005-05-19
published2005-05-19
reporterIngvar Gilbert
sourcehttps://www.exploit-db.com/download/25686/
titlePHP Advanced Transfer Manager 1.21 - Arbitrary File Include Vulnerability

Nessus

NASL familyCGI abuses
NASL idPHPATM_ARBITRARY_UPLOADS.NASL
descriptionThe version of PHP Advanced Transfer Manager installed on the remote host allows authenticated users to upload arbitrary files and then run them subject to the privileges of the web server user. It also allows unauthenticated users to read arbitrary files on the remote host and possibly even run arbitrary PHP code, subject to the privileges of the web server user.
last seen2020-06-01
modified2020-06-02
plugin id18207
published2005-05-09
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18207
titlePHP Advanced Transfer Manager <= 1.21 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description) {
  script_id(18207);
  script_version("1.20");

  script_cve_id("CVE-2005-1604", "CVE-2005-1681");
  script_bugtraq_id(13542, 13691);

  name["english"] = "PHP Advanced Transfer Manager <= 1.21 Multiple Vulnerabilities";
  script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote server contains a PHP script that is prone to several flaws,
including arbitrary code execution." );
 script_set_attribute(attribute:"description", value:
"The version of PHP Advanced Transfer Manager installed on the remote
host allows authenticated users to upload arbitrary files and then run
them subject to the privileges of the web server user.  It also allows
unauthenticated users to read arbitrary files on the remote host and
possibly even run arbitrary PHP code, subject to the privileges of the
web server user." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/397677" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/400248" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to PHP Advanced Transfer Manager 1.30 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/09");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/19");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:bugada_andrea:php_advanced_transfer_manager");
script_end_attributes();

 
  summary["english"] = "Checks for multiple vulnerabilities in PHP Advanced Transfer Manager <= 1.21";
  script_summary(english:summary["english"]);
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded: 0, php: 1);

# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/phpatm", "/phpATM", "/downloads", "/upload", "/files", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Grab index.php.
  res = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1);

  # If it's phpATM.
  if (
    '<a href="http://phpatm.free.fr" target=_blank>' >< res && 
    "Powered by PHP Advanced Transfer Manager v" >< res
  ) {
    # Try to grab a file included in the distribution.
    r = http_send_recv3(method:"GET",
      item:string(
        dir, "/index.php?",
        # nb: try to grab the distribution's Readme.txt.
        "include_location=docs/Readme.txt%00"
      ),
      exit_on_fail: 1,
      port:port
    );
    res = r[2];

    # It's a problem if it looks like the Readme.txt.
    if ("remotely based upon PHP Upload Center" >< res) {
      security_warning(port);
      exit(0);
    }

    if (thorough_tests) {
      # If that failed, try to grab /etc/passwd.
      r = http_send_recv3(method:"GET",
        item:string(
          dir, "/index.php?",
          "include_location=/etc/passwd%00"
        ),
	exit_on_fail: 1,
        port:port
      );
      res = r[2];

      # It's a problem if there's an entry for root.
      if (egrep(string:res, pattern:"root:.+:0:")) {
        security_warning(port);
        exit(0);
      }
    }
  }
}

References