PMOS Help Desk form.php Arbitrary Code Execution

high Nessus Plugin ID 29800

Synopsis

The remote web server contains a PHP script that is prone to an authentication bypass attack.

Description

The remote host is running PMOS Help Desk, an open source help desk application written in PHP.

The version of PMOS Help Desk installed on the remote host contains a design flaw that can be leveraged by a remote attacker to bypass authentication and make changes to the application's form template settings.

In addition, because the application passes the values of several of these settings to PHP's 'eval()' function, successful exploitation of this issue can lead to arbitrary command execution on the remote host, subject to the privileges under which the web server operates.

Solution

Upgrade to h2desk version 2.5 or later, which reportedly addresses the issue.

Plugin Details

Severity: High

ID: 29800

File Name: pmos_help_desk_cmd_exec.nasl

Version: 1.24

Type: remote

Family: CGI abuses

Published: 12/26/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:pmos_helpdesk:pmos_helpdesk

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Reference Information

CVE: CVE-2007-6550

BID: 27032

CWE: 94

SECUNIA: 28201