Jinzora Multiple Script include_path Parameter Remote File Inclusion (2)

medium Nessus Plugin ID 18653

Synopsis

The remote web server contains a PHP application that is affected by multiple remote file inclusion issues.

Description

The remote host is running Jinzora, a web-based media streaming and management system written in PHP.

The installed version of Jinzora allows remote attackers to control the 'include_path' variable used when including PHP code in several of the application's scripts. Provided PHP's 'register_globals' setting is enabled, an attacker may be able to leverage these issues to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts.

Solution

Upgrade to Jinzora version 2.2 or later.

See Also

http://freshmeat.sourceforge.net/projects/jinzora/?branch_id=43140&release_id=204535

Plugin Details

Severity: Medium

ID: 18653

File Name: jinzora_includepath_file_includes.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 7/8/2005

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 6/30/2005

Reference Information

CVE: CVE-2005-2249

BID: 14188