Vulnerabilities > CVE-2006-6661 - Remote Security vulnerability in Php-Update

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
php-update
nessus
exploit available

Summary

Variable overwrite vulnerability in blog.php in PHP-Update 2.7 and earlier allows remote attackers to overwrite arbitrary program variables and execute arbitrary PHP code via multiple vectors that use the extract function, as demonstrated by the (1) f, (2) newmessage, (3) newusername, (4) adminuser, and (5) permission parameters.

Vulnerable Configurations

Part: Application — Description: Php-Update — Count: 1

Exploit-Db

description: PHP-Update <= 2.7 extract() Auth Bypass / Shell Inject Exploit. CVE-2006-6661. Webapps exploit for php platform
file: exploits/php/webapps/2953.php
id: EDB-ID:2953
last seen: 2016-01-31
modified: 2006-12-19
platform: php
port: 
published: 2006-12-19
reporter: rgod
source: https://www.exploit-db.com/download/2953/
title: PHP-Update <= 2.7 extract Auth Bypass / Shell Inject Exploit
type: webapps

Nessus

NASL family: CGI abuses
NASL id: PHP_UPDATE_VAR_OVERWRITE.NASL
description: The remote host is running PHP-Update, a content management system written in PHP. The version of PHP-Update installed on the remote host fails to sanitize user-supplied arguments to the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23927
published: 2006-12-20
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23927
title: PHP-Update blog.php Variable Overwriting Arbitrary Code Execution
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

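# Plugin registration: identifiers, references, CVSS vectors and the
# metadata Nessus shows for a finding. Nothing below this block runs
# until the scanner actually executes the check.
if (description)
{
  script_id(23927);
  script_version("1.19");

  script_cve_id("CVE-2006-6661");
  script_bugtraq_id(21658);
  script_xref(name:"EDB-ID", value:"2953");

  script_name(english:"PHP-Update blog.php Variable Overwriting Arbitrary Code Execution");
  script_summary(english:"Checks if variables can be overwritten with PHP-Update's blog.php");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a data
modification vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host is running PHP-Update, a content management system
written in PHP. 

The version of PHP-Update installed on the remote host fails to
sanitize user-supplied arguments to the 'blog.php' script before
importing them into the global symbol table.  By leveraging this flaw,
an unauthenticated, remote attacker can gain control of the application
and possibly execute arbitrary code on the remote host, subject to the
permissions of the web server user id." );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector already records E:POC (proof-of-concept exists).
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # A public exploit is referenced above (EDB-ID 2953) and the temporal
  # vector says E:POC, so the previous value of "false" contradicted
  # both; "true" keeps the attribute consistent with those references.
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/12/20");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/12/19");
  script_cvs_date("Date: 2018/07/24 18:56:10");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:php-update:php-update");
  script_end_attributes();


  # ACT_ATTACK: the check below exercises the flaw itself (it makes the
  # target set a cookie) rather than matching a version string, so it is
  # skipped when only safe checks are enabled.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Needs the web server fingerprint first, and is pointless without PHP.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}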

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Detection body: locate an HTTP service able to run PHP, then request
# blog.php with the variables the flaw lets a client overwrite. A
# vulnerable install answers by setting a login cookie that carries the
# username we supplied; seeing that cookie is the sole detection signal.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Candidate directories: the application's default install paths are
# added only when thorough tests are enabled, otherwise just the
# generic CGI directories.
if (thorough_tests) dirs = list_uniq("/phpupdate", "/phpu", cgi_dirs());
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Start from a clean cookie jar so a cookie left over from an earlier
  # request cannot produce a false positive.
  init_cookiejar();
  erase_http_cookie(name: "blogcookie[user]");

  # If the variables can be overwritten, this request makes the target
  # set the user cookie to our plugin name.
  url = string(
    dir, "/blog.php?",
    "f=&",
    "newmessage=&",
    "newremember=1&",
    "adminuser=1&",
    "newusername=", SCRIPT_NAME
  );
  res = http_send_recv3(method: "GET", item: url, port: port);
  # No response at all: the server went away, stop rather than retry.
  if (isnull(res)) exit(0);

  # Vulnerable if the cookie now names this plugin.
  cookie = get_http_cookie(name: "blogcookie[user]");
  if (SCRIPT_NAME >< cookie)
  {
    security_hole(port);
    exit(0);
  }
}