WebGUI < 6.7.6 Asset.pm Asset Addition Arbitrary Code Execution

Severity: High | Nessus Plugin ID 20014

Synopsis

The remote web server contains a CGI script that is prone to arbitrary code execution.

Description

The remote host is running WebGUI, a content management system from Plain Black Software.

The installed version of WebGUI on the remote host fails to sanitize user-supplied input passed in the 'class' variable to various sources before using it to run commands. By leveraging this flaw, an attacker may be able to execute arbitrary commands on the remote host in the context of the affected web server's user ID.

Solution

Upgrade to WebGUI 6.7.6 or later.

See Also

http://www.nessus.org/u?37c9ea6b

Plugin Details

Severity: High

ID: 20014

File Name: webgui_remote_cmd_exec.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 10/17/2005

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:plain_black:webgui

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 10/12/2005

Reference Information

CVE: CVE-2005-4694

BID: 15083