FreeBSD : trac -- file upload/download vulnerability (b02c1d80-e1bb-11d9-b875-0001020eed82)

medium Nessus Plugin ID 19082

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Stefan Esser reports:

Trac's wiki and ticket systems allow attachments to be added to wiki entries and bug tracker tickets. These attachments are stored within directories that are determined by the id of the corresponding ticket or wiki entry.

Due to a missing validation of the id parameter it is possible for an attacker to supply arbitrary paths to the upload and attachment viewer scripts. This means that a potential attacker can retrieve any file accessible by the webserver user.

Additionally, it is possible to upload arbitrary files (up to a configured file length) to any place the webserver has write access to.

For obvious reasons this can lead to the execution of arbitrary code if it is possible to upload files to the document root or its subdirectories. One example of a configuration would be e.g. running Trac and s9y/wordpress with writeable content directories on the same webserver.

Another potential usage of this exploit would be to abuse Trac powered webservers as storage for e.g. torrent files.
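The missing check described in the report, shown as an added example (not Trac's code and not part of the advisory): an unchecked id joined into the storage path, beside a resolver that validates each component and confirms the resolved path stays inside the attachment store. The `<base>/<kind>/<id>/<filename>` layout, all function names and the size limit are assumptions made for illustration.

```python
import os
import tempfile

class UnsafeAttachmentPath(ValueError):
    """Raised when a request would resolve outside the attachment store."""

def vulnerable_dir(base, kind, obj_id):
    # The pattern the report describes: the id goes into the path unchecked.
    return os.path.normpath(os.path.join(base, kind, obj_id))

def safe_path(base, kind, obj_id, filename):
    # Assumed layout: <base>/<kind>/<id>/<filename>
    if kind not in ("wiki", "ticket"):
        raise UnsafeAttachmentPath("unknown attachment type")
    for part in (obj_id, filename):
        if (not part or part in (".", "..") or "\x00" in part
                or "/" in part or "\\" in part):
            raise UnsafeAttachmentPath("illegal path component: %r" % part)
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, kind, obj_id, filename))
    # Defence in depth: after symlink resolution the target must stay under root.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeAttachmentPath("path escapes attachment store")
    return target

def store(base, kind, obj_id, filename, data, max_size=262144):
    # max_size stands in for the configured file length the report mentions.
    if len(data) > max_size:
        raise ValueError("attachment exceeds configured maximum size")
    path = safe_path(base, kind, obj_id, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path

def demo():
    base = tempfile.mkdtemp(prefix="attachments-")  # constructed sandbox directory
    results = {}
    # Constructed ids: two ordinary ones and four that leave the store.
    for obj_id in ("42", "WikiStart", "../../htdocs", "/etc", "..", "a/b"):
        try:
            store(base, "ticket", obj_id, "note.txt", b"hello")
            results[obj_id] = "stored"
        except UnsafeAttachmentPath:
            results[obj_id] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The same resolver has to sit in front of both the upload handler and the attachment viewer, since the report names both as affected.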

Solution

Update the affected package.

See Also

http://www.hardened-php.net/advisory-012005.php

https://www.edgewall.org/trac/wiki/ChangeLog

http://www.nessus.org/u?8b267131

Plugin Details

Severity: Medium

ID: 19082

File Name: freebsd_pkg_b02c1d80e1bb11d9b8750001020eed82.nasl

Version: 1.24

Type: local

Published: 7/13/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:trac, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 6/20/2005

Vulnerability Publication Date: 6/20/2005

Reference Information

CVE: CVE-2005-2147

BID: 13990