FreeBSD : trac -- file upload/download vulnerability (b02c1d80-e1bb-11d9-b875-0001020eed82)

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Stefan Esser reports :

Trac's wiki and ticket systems allow attachments to be added to wiki
entries and bug tracker tickets. These attachments are stored within
directories that are determined by the id of the corresponding ticket
or wiki entry.

Due to a missing validation of the id parameter it is possible for an
attacker to supply arbitrary paths to the upload and attachment viewer
scripts. This means that a potential attacker can retrieve any file
accessible by the webserver user.

Additionally it is possible to upload arbitrary files (up to a
configured file length) to any place the webserver has write access
to.

For obvious reasons this can lead to the execution of arbitrary code
if it is possible to upload files to the document root or its
subdirectories. One example of such a configuration would be running
Trac and s9y/wordpress with writeable content directories on the same
webserver.

Another potential usage of this exploit would be to abuse Trac powered
webservers as storage for e.g. torrent files.
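
The missing id validation described in the report above, shown as an added example (not part of the advisory and not Trac's own code): a naive attachment path built from the id beside a resolver that validates the id and confirms the result stays inside the store. The function names, the id pattern and the sample ids are assumptions made for this sketch.

```python
import os
import re
import tempfile

# Assumed id policy for this sketch: a ticket number or a wiki page name made
# of word characters, with "/" separating sub-pages.
ID_RE = re.compile(r"[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*")

def naive_attachment_dir(base, kind, obj_id):
    """Unvalidated pattern: the request's id is joined into the path as-is."""
    return os.path.normpath(os.path.join(base, kind, obj_id))

def safe_attachment_dir(base, kind, obj_id):
    """Validate the id, then confirm the resolved path stays in the store."""
    if kind not in ("ticket", "wiki"):
        raise ValueError("unknown attachment type")
    if not ID_RE.fullmatch(obj_id):
        raise ValueError("invalid id")
    root = os.path.realpath(os.path.join(base, kind))
    target = os.path.realpath(os.path.join(root, obj_id))
    # realpath also resolves symlinks, so a link inside the store cannot
    # redirect the attachment directory elsewhere.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("id resolves outside the attachment store")
    return target

def is_inside(base, path):
    """True if path resolves to a location under base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def check_ids(base, ids):
    """Return {id: (naive path stays inside base, safe resolver accepts id)}."""
    results = {}
    for obj_id in ids:
        naive_ok = is_inside(base, naive_attachment_dir(base, "ticket", obj_id))
        try:
            safe_attachment_dir(base, "ticket", obj_id)
            accepted = True
        except ValueError:
            accepted = False
        results[obj_id] = (naive_ok, accepted)
    return results

# Constructed sample ids: one ordinary ticket number, two that leave the store.
SAMPLE_IDS = ["42", "../../outside", "/tmp/elsewhere"]

if __name__ == "__main__":
    store = tempfile.mkdtemp(prefix="attachments-")
    for obj_id, result in check_ids(store, SAMPLE_IDS).items():
        print(f"{obj_id!r}: naive inside store={result[0]}, accepted={result[1]}")
```

The same containment check applies to both the upload and the attachment viewer paths, since the report names both as affected by the unvalidated id.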

See also :

http://www.hardened-php.net/advisory-012005.php
http://projects.edgewall.com/trac/wiki/ChangeLog
http://www.nessus.org/u?9c68349d

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 5.6
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 19082 (freebsd_pkg_b02c1d80e1bb11d9b8750001020eed82.nasl)

Bugtraq ID: 13990

CVE ID: CVE-2005-2147
