Smart Publisher index.php filedata Parameter Arbitrary Command Execution

high Nessus Plugin ID 30124

Synopsis

The remote web server contains a PHP script that allows arbitrary command execution.

Description

The remote host is running Smart Publisher, an open source application for website publishing.

The version of Smart Publisher on the remote host fails to sanitize input to the 'filedata' parameter of the 'index.php' script before the 'admin/op/disp.php' script passes it to an 'eval()' statement, which evaluates it as PHP code. An unauthenticated, remote attacker can leverage this issue to execute arbitrary code on the remote host, subject to the privileges of the web server user ID.
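A defender can triage web server access logs for requests that reach this parameter. The following is an added example, not part of the plugin or of Smart Publisher; it assumes combined-format access logs, that 'index.php' may sit under any path prefix, and that 'filedata' appears in the query string (values sent in a POST body are not recorded in access logs and need request-body logging instead). The log lines and the code-token heuristic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not taken from a real host.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2008:10:00:01 +0000] "GET /index.php?op=view&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2008:10:02:44 +0000] "GET /index.php?filedata=echo%201%3B HTTP/1.1" 200 312 "-" "-"
192.0.2.10 - - [01/Feb/2008:10:03:10 +0000] "GET /images/logo.png?filedata=x HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2008:10:05:00 +0000] "POST /cms/index.php?filedata=notes.txt HTTP/1.1" 200 87 "-" "curl/7.18"
"""

# client, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Heuristic (assumption): tokens that suggest PHP source rather than a plain value.
CODE_HINT_RE = re.compile(r'<\?|[;`$]|\b\w+\s*\(')

def triage(log_text):
    """Return one finding per request to index.php that carries 'filedata'."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/index.php"):
            continue
        # parse_qs percent-decodes values, so encoded code tokens are visible.
        values = parse_qs(url.query, keep_blank_values=True).get("filedata")
        if values is None:
            continue
        looks_like_code = any(CODE_HINT_RE.search(v) for v in values)
        findings.append({
            "src": src, "time": ts, "method": method, "status": int(status),
            "severity": "high" if looks_like_code else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Any hit on a host that ran a version earlier than 1.0.2 is worth reviewing, since the parameter is reachable without authentication; "high" only marks values that decode to something resembling PHP code.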

Solution

Upgrade to Smart Publisher 1.0.2 or later.

See Also

http://www.nessus.org/u?0ab01de3

Plugin Details

Severity: High

ID: 30124

File Name: smart_publisher_filedata_cmd_exec.nasl

Version: 1.21

Type: remote

Family: CGI abuses

Published: 1/29/2008

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:netwerk:smart_publisher

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2008-0503

BID: 27488

CWE: 94