Vulnerabilities > CVE-2006-0880 - Cross-Site Scripting vulnerability in Noah's Classifieds

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

phpoutsourcing

nessus

exploit available

NVD

Published: 2006-02-24

Updated: 2018-10-18

Summary

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Noah's Classifieds 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) inf parameter; or, when register_globals is enabled, the (2) upperTemplate and (3) lowerTemplate parameters.

Vulnerable Configurations

Part	Description	Count
Application	Phpoutsourcing Phpoutsourcing Noahs Classifieds 1.2 Phpoutsourcing Noahs Classifieds 1.3	2

Exploit-Db

description	Noah's Classifieds 1.0/1.3 Index.PHP Multiple Cross-Site Scripting Vulnerabilities. CVE-2006-0880. Webapps exploit for php platform
id	EDB-ID:27259
last seen	2016-02-03
modified	2006-02-22
published	2006-02-22
reporter	trueend5
source	https://www.exploit-db.com/download/27259/
title	Noah's Classifieds 1.0/1.3 Index.PHP Multiple Cross-Site Scripting Vulnerabilities

Nessus

NASL family	CGI abuses
NASL id	NOAHS_CLASSIFIEDS_13.NASL
description	The remote host is running Noah
last seen	2020-06-01
modified	2020-06-02
plugin id	20971
published	2006-02-23
reporter	This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20971
title	Noah's Classifieds <= 1.3 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20971); script_version("1.21"); script_cve_id( "CVE-2006-0879", "CVE-2006-0880", "CVE-2006-0881", "CVE-2006-0882" ); script_bugtraq_id(16772, 16773, 16778, 16780); script_name(english:"Noah's Classifieds <= 1.3 Multiple Vulnerabilities"); script_summary(english:"Checks for search page SQL injection flaw in Noah's Classifieds"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host is running Noah's Classifieds, a classified ads application written in PHP. The installed version of Noah's Classifieds is reportedly affected by numerous remote and local file include, SQL injection, cross-site scripting, and information disclosure issues due to a general failure of the application to sanitize user-supplied input. Note that successful exploitation of the file include flaws requires that PHP's 'register_globals' setting be enabled." ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/425783/30/0/threaded" ); script_set_attribute(attribute:"solution", value: "Remove the application as it is no longer supported." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/23"); script_cvs_date("Date: 2018/11/15 20:50:18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:phpoutsourcing:noahs_classifieds"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("http_version.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80, embedded: 0, php: 1); # Loop through directories. if (thorough_tests) dirs = list_uniq(make_list("/noahsclassifieds", "/classifieds", "/ads", cgi_dirs())); else dirs = make_list(cgi_dirs()); foreach dir (dirs) { res = http_get_cache(item:string(dir, "/index.php"), port:port, exit_on_fail: 1); # If the initial page looks like Noah's Classifieds... if (egrep(pattern:">Powered by <a [^>]+>Noah's Classifieds</a>", string:res)) { # Try to exploit the SQL injection flaw. bound = "nessus"; boundary = string("--", bound); postdata = string( boundary, "\r\n", 'Content-Disposition: form-data; name="method"', "\r\n", "\r\n", "create\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="list"', "\r\n", "\r\n", "classifiedssearch\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="fromlist"', "\r\n", "\r\n", "classifiedscategory\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="frommethod"', "\r\n", "\r\n", "showhtmllist\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="str"', "\r\n", "\r\n", "'", SCRIPT_NAME, "\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="cid"', "\r\n", "\r\n", "0\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="type"', "\r\n", "\r\n", "1\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="submit"', "\r\n", "\r\n", "Ok\r\n", boundary, "\r\n", 'Content-Disposition: form-data; name="id"', "\r\n", "\r\n", "0\r\n", boundary, "--", "\r\n" ); w = http_send_recv3(method:"POST", port: port, item: dir+"/index.php?option=com_noah", content_type: "multipart/form-data; boundary="+bound, exit_on_fail: 1, data: postdata); res = w[2]; # There's a problem if we see a SQL syntax error with our script name. # # nb: error messages happen even if 'display_errors' is off. if (egrep(pattern:string("an error in your SQL syntax.+ near '", SCRIPT_NAME), string:res)) { security_hole(port); set_kb_item(name: 'www/'+port+'/XSS', value: TRUE); set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE); } } }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References