Vulnerabilities > CVE-2006-0347 - Remote Input Validation vulnerability in ELOG Web Logbook
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Directory traversal vulnerability in ELOG before 2.6.1 allows remote attackers to access arbitrary files outside of the elog directory via "../" (dot dot) sequences in the URL.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-967.NASL description Several security problems have been found in elog, an electronic logbook to manage notes. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2005-4439 last seen 2020-06-01 modified 2020-06-02 plugin id 22833 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22833 title Debian DSA-967-1 : elog - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-967. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22833); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2005-4439", "CVE-2006-0347", "CVE-2006-0348", "CVE-2006-0597", "CVE-2006-0598", "CVE-2006-0599", "CVE-2006-0600"); script_xref(name:"DSA", value:"967"); script_name(english:"Debian DSA-967-1 : elog - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several security problems have been found in elog, an electronic logbook to manage notes. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2005-4439 'GroundZero Security' discovered that elog insufficiently checks the size of a buffer used for processing URL parameters, which might lead to the execution of arbitrary code. - CVE-2006-0347 It was discovered that elog contains a directory traversal vulnerability in the processing of '../' sequences in URLs, which might lead to information disclosure. - CVE-2006-0348 The code to write the log file contained a format string vulnerability, which might lead to the execution of arbitrary code. - CVE-2006-0597 Overly long revision attributes might trigger a crash due to a buffer overflow. - CVE-2006-0598 The code to write the log file does not enforce bounds checks properly, which might lead to the execution of arbitrary code. - CVE-2006-0599 elog emitted different errors messages for invalid passwords and invalid users, which allows an attacker to probe for valid user names. - CVE-2006-0600 An attacker could be driven into infinite redirection with a crafted 'fail' request, which has denial of service potential." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349528" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-4439" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0347" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0348" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0597" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0598" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0599" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0600" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-967" ); script_set_attribute( attribute:"solution", value: "Upgrade the elog package. The old stable distribution (woody) does not contain elog packages. For the stable distribution (sarge) these problems have been fixed in version 2.5.7+r1558-4+sarge2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:elog"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"elog", reference:"2.5.7+r1558-4+sarge2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id ELOG_261.NASL description The remote host appears to be using ELOG, a web-based electronic logbook application. The version of ELOG installed on the remote host fails to filter directory traversal strings before processing GET requests. An attacker can exploit this issue to retrieve the contents of arbitrary files from the remote host, subject to the privileges under which ELOG runs. In addition, the application is reportedly affected by a format string vulnerability in the last seen 2020-06-01 modified 2020-06-02 plugin id 20750 published 2006-01-20 reporter This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20750 title ELOG < 2.6.1 Multiple Remote Vulnerabilities (Traversal, FS) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20750); script_version("1.21"); script_cve_id("CVE-2006-0347", "CVE-2006-0348"); script_bugtraq_id(16315); script_name(english:"ELOG < 2.6.1 Multiple Remote Vulnerabilities (Traversal, FS)"); script_summary(english:"Checks for multiple vulnerabilities in ELOG < 2.6.1"); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by multiple flaws." ); script_set_attribute(attribute:"description", value: "The remote host appears to be using ELOG, a web-based electronic logbook application. The version of ELOG installed on the remote host fails to filter directory traversal strings before processing GET requests. An attacker can exploit this issue to retrieve the contents of arbitrary files from the remote host, subject to the privileges under which ELOG runs. In addition, the application is reportedly affected by a format string vulnerability in the 'write_logfile'. Provided logging is enabled, an attacker may be able to exploit this via the 'uname' parameter of the login form to crash the application or execute arbitrary code remotely." ); script_set_attribute(attribute:"see_also", value:"https://midas.psi.ch/elogs/Forum/1608" ); script_set_attribute(attribute:"solution", value: "Upgrade to ELOG version 2.6.1 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/20"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/10/25"); script_cvs_date("Date: 2018/11/15 20:50:16"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl"); script_require_ports("Services/www", 8080); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("data_protection.inc"); port = get_http_port(default:8080); # If the server looks like ELOG... banner = get_http_banner(port:port); if (banner && "Server: ELOG HTTP" >< banner) { # Try to exploit the flaw to read /etc/passwd. r = http_send_recv3(method:"GET",item:"/../../../../../../../../../../etc/passwd", port:port); if (isnull(r)) exit(0); res = r[2]; res = data_protection::redact_etc_passwd(output:res); if (egrep(pattern:"root:.*:0:[01]:", string:res)) { security_warning(port:port, extra: res); exit(0); } }
References
- http://midas.psi.ch/elog/download/ChangeLog
- http://secunia.com/advisories/18533
- http://secunia.com/advisories/18783
- http://www.debian.org/security/2006/dsa-967
- http://www.osvdb.org/22647
- http://www.securityfocus.com/bid/16315
- http://www.vupen.com/english/advisories/2006/0262
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24224