Vulnerabilities > CVE-2005-2636

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

SQL injection vulnerability in lib-view-direct.inc.php in phpAdsNew and phpPgAds before 2.0.6 allows remote attackers to execute arbitrary SQL commands via the clientid parameter.

Vulnerable Configurations

Part Description Count
Application
Phppgads
1
Application
Phpadsnew
1

Nessus

NASL familyCGI abuses
NASL idPHPADSNEW_206.NASL
descriptionThe remote host is running phpAdsNew / phpPgAds, an open source banner ad server. The version of phpAdsNews / phpPgAds installed on the remote host suffers from several flaws : - Remote PHP Code Injection Vulnerability The XML-RPC library bundled with the application allows an attacker to inject arbitrary PHP code via the
last seen2020-06-01
modified2020-06-02
plugin id19518
published2005-08-29
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19518
titlephpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(19518);
  script_version("1.23");

  script_cve_id("CVE-2005-2498", "CVE-2005-2635", "CVE-2005-2636");
  script_bugtraq_id(
    14560, 
    14583, 
    14588, 
    14584, 
    14591
 );

  script_name(english:"phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running phpAdsNew / phpPgAds, an open source banner
ad server. 

The version of phpAdsNews / phpPgAds installed on the remote host
suffers from several flaws :

  - Remote PHP Code Injection Vulnerability
    The XML-RPC library bundled with the application allows
    an attacker to inject arbitrary PHP code via the 
    'adxmlrpc.php' script to be executed within the context 
    of the affected web server user id.

  - Multiple Local File Include Vulnerabilities
    The application fails to sanitize user-supplied input to
    the 'layerstyle' parameter of the 'adlayer.php' script 
    and the 'language' parameter of the 'admin/js-form.php' 
    script before using them to include PHP files for 
    execution. An attacker can exploit these issues to read 
    arbitrary local files provided PHP's 'magic_quotes' 
    directive is disabled.

  - SQL Injection Vulnerability
    An attacker can manipulate SQL queries via input to the 
    'clientid' parameter of the 
    'libraries/lib-view-direct.inc.php' script." );
 script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_152005.67.html" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/408423/30/120/threaded" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to phpAdsNew / phpPgAds 2.0.6 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/15");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:phpadsnew:phpadsnew");
script_end_attributes();

 
  summary["english"] = "Checks for multiple vulnerabilities in phpAdsNew / phpPgAds < 2.0.6";
  script_summary(english:summary["english"]);
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  # Try to exploit the flaw in adlayer.php to read /etc/passwd.
  r = http_send_recv3(method:"GET", 
    item:string(
      dir, "/adlayer.php?",
      "layerstyle=../../../../../../../etc/passwd%00"
    ),
    port:port
  );
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if...
  if (
    # there's an entry for root or...
    egrep(string:res, pattern:"root:.*:0:[01]:") ||
    # we get an error saying "failed to open stream" or "Failed opening".
    #
    # nb: this suggests magic_quotes_gpc was enabled but the other flaws
    #     would still be present.
    egrep(string:res, pattern:"Warning.+main\(.+/etc/passwd.+failed to open stream") ||
    egrep(string:res, pattern:"Fatal error.+ Failed opening required '.+/etc/passwd")
  ) {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}