Vulnerabilities > CVE-2005-2817 - Information Disclosure vulnerability in Simple Machines Simple Machines Forum 1.0.5

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
simple-machines
nessus
NVD
Published: 2005-09-07
Updated: 2017-07-11

Summary

Simple Machines Forum (SMF) 1-0-5 and earlier supports the use of URLs for avatar images, which allows remote attackers to monitor sensitive information of forum visitors such as IP address and user agent, as demonstrated using a PHP script on a malicious server.

Vulnerable Configurations

Part Description Count
Application
Simple_Machines
1

Nessus

NASL familyCGI abuses
NASL idSMF_AVATAR_CODE_INJECTION.NASL
descriptionThe remote host is running Simple Machines Forum (SMF), an open source web forum application written in PHP. The installed version of SMF on the remote host does not properly sanitize the URI supplied for the user avatar. An attacker who is registered in the affected application can exploit this flaw to run scripts each time a forum user accesses the malicious avatar, eg collecting forum usage information, launching attacks against users
last seen2020-06-01
modified2020-06-02
plugin id19550
published2005-08-31
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19550
titleSimple Machines Forum Avatar Information Disclosure Vulnerability
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(19550);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2005-2817");
  script_bugtraq_id(14706);

  script_name(english:"Simple Machines Forum Avatar Information Disclosure Vulnerability");
  script_summary(english:"Checks for avatar code execution vulnerability in Simple Machines Forum");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that allows for the
disclosure of information.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Simple Machines Forum (SMF), an open source
web forum application written in PHP.

The installed version of SMF on the remote host does not properly
sanitize the URI supplied for the user avatar.  An attacker who is
registered in the affected application can exploit this flaw to run
scripts each time a forum user accesses the malicious avatar, eg
collecting forum usage information, launching attacks against users'
systems, etc.");
  script_set_attribute(attribute:"see_also", value:"http://retrogod.altervista.org/smf105.html");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Aug/438");
  script_set_attribute(attribute:"solution", value:"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/31");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("smf_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80);

install = get_install_from_kb(appname:'simple_machines_forum', port:port, exit_on_fail:TRUE);

url = install['dir'] + '/';

version = install['ver'];
ver = split(sep:'.', ver);

for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

if (ver[0] == 1 && ver[1] == 0 && ver[2] <= 5)
{
  if (report_verbosity > 0)
  {
   report =
      '\n  URL     : ' + url +
      '\n  Version : ' + version + '\n';
    security_note(port:port, extra:report);
  }
  else security_note(port);
  exit(0);
}

References