Vulnerabilities > CVE-2006-1718 - Unspecified vulnerability in Clever Copy Clever Copy

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
clever-copy
nessus
exploit available

Summary

Magus Perde Clever Copy 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to view the database username and password via a direct request for connect.inc.

Exploit-Db

descriptionClever Copy 3.0 Connect.INC Information Disclosure Vulnerability. CVE-2006-1718. Webapps exploit for php platform
idEDB-ID:27621
last seen2016-02-03
modified2006-04-11
published2006-04-11
reporterM.Hasran Addahroni
sourcehttps://www.exploit-db.com/download/27621/
titleClever Copy 3.0 Connect.INC Information Disclosure Vulnerability

Nessus

NASL familyCGI abuses
NASL idCLEVERCOPY_INFO_DISCLOSURE.NASL
descriptionThe remote host is running Clever Copy, a free web portal written in PHP. The version of Clever Copy installed on the remote host fails to limit access to the
last seen2020-06-01
modified2020-06-02
plugin id21215
published2006-04-12
reporterThis script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/21215
titleClever Copy connect.inc Direct Request Information Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21215);
  script_version("1.19");

  script_cve_id("CVE-2006-1718");
  script_bugtraq_id(17461);

  script_name(english:"Clever Copy connect.inc Direct Request Information Disclosure");
  script_summary(english:"Reads Clever Copy's admin/connect.inc file");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an information disclosure flaw." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Clever Copy, a free web portal written in
PHP. 

The version of Clever Copy installed on the remote host fails to limit
access to the 'admin/connect.inc' include file, which contains
information used by the application to connect to a database.  An
unauthenticated attacker can view the contents of this file using a
simple GET command and use the information to launch other attacks
against the affected host." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c952ae9c" );
 script_set_attribute(attribute:"solution", value:
"Limit access to Clever Copy's admin directory using, say, a .htaccess
file." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:W/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/04/12");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/04/07");
 script_cvs_date("Date: 2018/06/13 18:56:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

 
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);


# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/blog", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Try to read the file.
  r = http_send_recv3(method:"GET", item:string(dir, "/admin/connect.inc"), port:port);
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if it looks like the file.
  if (egrep(pattern:"\$(Host|Dbase|User|Pass)[ \t]*=[ \t]*", string:res))
  {
    report = string(
      "\n",
      "Here are the contents of the file 'admin/connect.inc' that\n",
      "Nessus was able to read from the remote host :\n",
      "\n",
      data_protection::sanitize_user_full_redaction(output:res)
    );

    security_warning(port:port, extra:report);
    exit(0);
  }
}