Vulnerabilities > CVE-2006-1819 - Unspecified vulnerability in PHPwebsite

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
phpwebsite
nessus
exploit available

Summary

Directory traversal vulnerability in the loadConfig function in index.php in phpWebSite 0.10.2 and earlier allows remote attackers to include arbitrary local files and execute arbitrary PHP code via the hub_dir parameter, as demonstrated by including access_log. NOTE: in some cases, arbitrary remote file inclusion could be performed under PHP 5 using an SMB share argument such as "\\systemname\sharename".

Vulnerable Configurations

Part Description Count
Application
Phpwebsite
1

Exploit-Db

id: EDB-ID:1673

Nessus

  • NASL family: CGI abuses
    NASL id: PHPWEBSITE_HUB_DIR_FILE_INCLUDE.NASL
    description: The version of phpWebSite installed on the remote host fails to sanitize input to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21228
    published: 2006-04-16
    reporter: This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21228
    title: phpWebSite index.php hub_dir Parameter Local File Inclusion
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Remote check for CVE-2006-1819: phpWebSite's index.php passes the
    # 'hub_dir' request parameter to include() without sanitising it.  The
    # plugin asks the detected install to include /etc/passwd and decides
    # from the HTTP response whether the include path was request-controlled.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21228);
      script_version("1.20");
    
      script_cve_id("CVE-2006-1819");
      script_bugtraq_id(17521);
    
      script_name(english:"phpWebSite index.php hub_dir Parameter Local File Inclusion");
      script_summary(english:"Tries to read /etc/passwd using phpWebSite");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP script that is affected by a
    local file include issue." );
     script_set_attribute(attribute:"description", value:
    "The version of phpWebSite installed on the remote host fails to
    sanitize input to the 'hub_dir' parameter of the 'index.php' script
    before using it in a PHP 'include()' function.  Provided PHP's
    'register_globals' setting is enabled, an unauthenticated attacker may
    be able to exploit this issue to view arbitrary files on the remote
    host or to execute arbitrary PHP code, subject to the privileges of
    the web server user id." );
      # https://downloads.securityfocus.com/vulnerabilities/exploits/PHPWebSite_fi_poc
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a081ffd2" );
     script_set_attribute(attribute:"solution", value:
    "Unknown at this time." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     # Temporal vector marks exploitability as unproven (E:U), consistent with
     # the two attributes below.
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     # NOTE(review): these attributes say no exploit is available, yet the
     # vulnerability record this plugin is listed under cites Exploit-DB 1673
     # and tags the CVE "exploit available"; reconcile before using either
     # value for prioritisation.
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/04/16");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/04/17");
     script_cvs_date("Date: 2018/11/15 20:50:18");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:phpwebsite:phpwebsite");
    # The check below actively triggers the flaw on the target rather than
    # inferring it from a version banner.
    script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("phpwebsite_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/phpwebsite");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Nothing to test unless the web port can serve PHP.
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0);
    
    
    # Test an install.
    # The KB entry is presumably written by phpwebsite_detect.nasl (a declared
    # dependency) in the form "<version> under <directory>"; only the directory
    # part is used here.
    install = get_kb_item(string("www/", port, "/phpwebsite"));
    if (isnull(install)) exit(0);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    if (!isnull(matches)) {
      dir = matches[2];
    
      # Try to exploit one of the flaws to read a file.
      # The application appends "conf/config.php" to hub_dir before the include
      # (visible in the error pattern matched below); the URL-encoded NUL is
      # meant to truncate that suffix so the bare file is what gets included.
      file = "/etc/passwd%00";
      r = http_send_recv3(method:"GET", port:port,
        item:string(dir, "/index.php?","hub_dir=", file ));
      if (isnull(r)) exit(0);
      # Response body only; status line and headers are not inspected.
      res = r[2];
    
      # There's a problem if...
      #
      # nb: only the first branch proves the file was actually read.  The
      #     other three infer the flaw from PHP error text that echoes the
      #     supplied path, so the finding also fires when the read itself was
      #     blocked (magic_quotes_gpc, open_basedir, missing file).
      if (
        # there's an entry for root or...
        egrep(pattern:"root:.*:0:[01]:", string:res) ||
        # we get an error saying "failed to open stream" or "failed opening".
        #
        # nb: this suggests magic_quotes_gpc was enabled but an attacker with
        #     local access might still work.
        egrep(pattern:"main\(/etc/passwd\\0conf/config\.php.+ failed to open stream", string:res) ||
        # we get an error claiming the file doesn't exist or...
        egrep(pattern:"main\(/etc/passwd\).*: failed to open stream: No such file or directory", string:res) ||
        # we get an error about open_basedir restriction.
        egrep(pattern:"main.+ open_basedir restriction in effect. File\(/etc/passwd", string:res)
      )
      {
        # Keep the file contents only when the root entry was really seen.
        # NASL's string subtraction removes the first occurrence of the
        # right-hand operand, so this trims the body from the first "<br"
        # tag onward.
        if (egrep(string:res, pattern:"root:.*:0:[01]:"))
          contents = res - strstr(res, "<br");
    
        # 'contents' is still unset (null) when only an error message matched;
        # the finding is then reported without a file excerpt.
        if (isnull(contents)) report = NULL;
        else
        {
          # Redact the captured password file before it reaches the report.
          contents = data_protection::redact_etc_passwd(output:contents);
          # NOTE(review): nothing in this plugin repeats the contents;
          # "repeated three times" presumably describes how the target page
          # echoes the include — confirm against a live response.
          report = string(
            "Here are the contents, repeated three times, of the file\n",
            "'/etc/passwd' that Nessus was able to read from the remote\n",
            "host :\n",
            "\n",
            contents
          );
        }
    
        # High-severity finding on the web port, with the excerpt when available.
        security_hole(port:port, extra:report);
        exit(0);
      }
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200605-04.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200605-04 (phpWebSite: Local file inclusion) rgod has reported that the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21319
    published: 2006-05-03
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21319
    title: GLSA-200605-04 : phpWebSite: Local file inclusion
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200605-04.
    #
    # The advisory text is Copyright (C) 2001-2014 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/2.5/
    #
    # Local package-version check for CVE-2006-1819 on Gentoo: compares the
    # installed www-apps/phpwebsite ebuild against the fixed version named in
    # the advisory.  It never contacts the web application itself.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21319);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-1819");
      script_xref(name:"GLSA", value:"200605-04");
    
      script_name(english:"GLSA-200605-04 : phpWebSite: Local file inclusion");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200605-04
    (phpWebSite: Local file inclusion)
    
        rgod has reported that the 'hub_dir' parameter in 'index.php'
        isn't properly verified. When 'magic_quotes_gpc' is disabled, this can
        be exploited to include arbitrary files from local ressources.
      
    Impact :
    
        If 'magic_quotes_gpc' is disabled, which is not the default on
        Gentoo Linux, a remote attacker could exploit this issue to include and
        execute PHP scripts from local ressources with the rights of the user
        running the web server, or to disclose sensitive information and
        potentially compromise a vulnerable system.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.gentoo.org/security/en/glsa/glsa-200605-04.xml"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpWebSite users should upgrade to the latest available
        version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/phpwebsite-0.10.2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Local plugin: relies on an SSH session and the collected package list,
      # not on network probing.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpwebsite");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/05/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/03");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Stop with an explicit audit reason unless local checks ran, the host is
    # Gentoo, and a package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Number of package checks that matched a vulnerable version (one here).
    flag = 0;
    
    # NOTE(review): the CVE summary on this page lists 0.10.2 "and earlier" as
    # affected, whereas this check treats >= 0.10.2 as unaffected; the Gentoo
    # ebuild may carry a backported fix — confirm against the GLSA.
    if (qpkg_check(package:"www-apps/phpwebsite", unaffected:make_list("ge 0.10.2"), vulnerable:make_list("lt 0.10.2"))) flag++;
    
    if (flag)
    {
      # High-severity finding; the verbose variant attaches the package report.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "installed but not affected" from "not installed" in the
      # audit trail.
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpWebSite");
    }