Vulnerabilities > CVE-2005-2787 - Directory Traversal vulnerability in Alexander Palmo Simple PHP Blog 0.4.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
alexander-palmo
nessus
exploit available

Summary

comment_delete_cgi.php in Simple PHP Blog allows remote attackers to delete arbitrary files via the comment parameter.

Vulnerable Configurations

Part Description Count
Application
Alexander_Palmo
1

Exploit-Db

descriptionSimple PHP Blog <= 0.4.0 Multiple Remote Exploits. CVE-2005-2192,CVE-2005-2733,CVE-2005-2787. Webapps exploit for php platform
idEDB-ID:1191
last seen2016-01-31
modified2005-09-01
published2005-09-01
reporterKenneth Belva
sourcehttps://www.exploit-db.com/download/1191/
titleSimple PHP Blog <= 0.4.0 - Multiple Remote Exploits

Nessus

NASL familyCGI abuses
NASL idSPHPBLOG_040.NASL
descriptionThe version of Simple PHP Blog installed on the remote host allows authenticated attackers to upload files containing arbitrary code to be executed with the privileges of the web server userid. In addition, it likely lets anyone retrieve its configuration file as well as the user list and to delete arbitrary files subject to the privileges of the web server user id.
last seen2020-06-01
modified2020-06-02
plugin id19516
published2005-08-27
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19516
titleSimple PHP Blog <= 0.4.0 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(19516);
  script_version("1.25");

  script_cve_id("CVE-2005-2733", "CVE-2005-2787");
  script_bugtraq_id(14667, 14681);

  name["english"] = "Simple PHP Blog <= 0.4.0 Multiple Vulnerabilities";
  script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple issues." );
 script_set_attribute(attribute:"description", value:
"The version of Simple PHP Blog installed on the remote host allows
authenticated attackers to upload files containing arbitrary code to
be executed with the privileges of the web server userid. 

In addition, it likely lets anyone retrieve its configuration file as
well as the user list and to delete arbitrary files subject to the
privileges of the web server user id." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Aug/882");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Aug/996");
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48f3599b" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Simple PHP Blog 0.4.5 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"metasploit_name", value:'Simple PHP Blog Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/27");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/25");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  summary["english"] = "Checks for multiple vulnerabilities in Simple PHP Blog <= 0.4.0";
  script_summary(english:summary["english"]);
 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
 
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("sphpblog_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80, embedded: 0, php: 1);

# Test an install.
install = get_kb_item(string("www/", port, "/sphpblog"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
  ver = matches[1];
  dir = matches[2];

  # Get the blog's title.
  res = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1);

  title = "";
  pat = "<title>(.+)</title>";
  matches = egrep(string:res, pattern:pat);
  if (matches) {
    foreach match (split(matches, keep:FALSE)) {
      ver = eregmatch(pattern:pat, string:match);
      if (!isnull(ver)) {
        title = title[1];
        break;
      }
    }
  }

  # Check whether the title is stored as the first field of config.txt.
  if (!isnull(title)) {
    w = http_send_recv3(method:"GET", item:string(dir, "/config.txt"), port:port, exit_on_fail: 1);
    res = w[2];
    # There's a problem if the first field is the title.
    if (egrep(string:res, pattern:string("^", title, "|"))) {
      security_hole(port);
      exit(0);
    }
  }

  # If that didn't work, check the version number.
  if (ver && ver =~ "^0\.([0-3]|4\.0)") {
    report = string(
      "\n",
      "Note that Nessus has determined the vulnerabilities exist on the\n",
      "remote host simply by looking at the version number of Simple\n",
      "PHP Blog installed there.\n"
    );
    security_hole(port:port, extra:report);
    exit(0);
  }
}