Vulnerabilities > CVE-2005-1685 - Forced Browsing vulnerability in Episodex Guestbook

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

episodex

CWE-425

nessus

NVD

Published: 2005-05-20

Updated: 2024-01-25

Summary

episodex guestbook allows remote attackers to bypass authentication and edit scripts via a direct request to admin.asp.

Vulnerable Configurations

Part	Description	Count
Application	Episodex Episodex Episodex Guestbook *	1

Common Weakness Enumeration (CWE)

CWE-425 - Direct Request ('Forced Browsing')

Common Attack Pattern Enumeration and Classification (CAPEC)

Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
Forceful Browsing
An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.

Nessus

NASL family	CGI abuses
NASL id	EPISODEX_GUESTBOOK.NASL
description	The remote host is running the Episodex Guestbook, a guestbook written in ASP. The version of Episodex installed on the remote host does not validate input to various fields in the
last seen	2020-06-01
modified	2020-06-02
plugin id	18362
published	2005-05-24
reporter	Copyright (C) 2005-2018 Josh Zlatin-Amishav
source	https://www.tenable.com/plugins/nessus/18362
title	Episodex Guestbook Multiple Vulnerabilities (Auth Bypass, XSS)
code	# # This script was written by Josh Zlatin-Amishav <josh at tkos dot co dot il> # # This script is released under the GNU GPLv2 # # Changes by Tenable: # - Revised plugin title (1/02/09) # - Added additional CVE (1/02/09) # - Revised script summary (9/6/11) include("compat.inc"); if(description) { script_id(18362); script_version ("1.19"); script_cve_id("CVE-2005-1684", "CVE-2005-1685"); script_bugtraq_id(13692, 13693); script_name(english:"Episodex Guestbook Multiple Vulnerabilities (Auth Bypass, XSS)"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains an ASP application that is affected by several issues." ); script_set_attribute(attribute:"description", value: "The remote host is running the Episodex Guestbook, a guestbook written in ASP. The version of Episodex installed on the remote host does not validate input to various fields in the 'default.asp' script before using it to generate dynamic HTML. Additionally, an unauthenticated, remote attacker can edit settings by accessing the application's 'admin.asp' script directly." ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/May/248" ); script_set_attribute(attribute:"solution", value: "Unknown at this time." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/24"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/21"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Checks for unauthenticated access to admin.asp"); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"Copyright (C) 2005-2020 Josh Zlatin-Amishav"); script_dependencies("http_version.nasl"); script_require_ports("Services/www", 80); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_keys("www/ASP"); exit(0); } include("http_func.inc"); include("http_keepalive.inc"); global_var port; port = get_http_port(default:80, embedded:TRUE); if(!get_port_state(port))exit(0); if(!can_host_asp(port:port))exit(0); function check(url) { local_var req, res; req = http_get(item:url +"/admin.asp", port:port); res = http_keepalive_send_recv(port:port, data:req); if ( res == NULL ) exit(0); if ( 'Save Configuration' >< res && 'powered by Sven Moderow\'s GuestBook' >< res ) { security_hole(port); exit(0); } } foreach dir ( cgi_dirs() ) check(url:dir);

References

http://marc.info/?l=bugtraq&m=111661380018313&w=2