SQLiteManager confirm.php spaw_root Parameter Remote File Inclusion

medium Nessus Plugin ID 30131

Synopsis

The remote web server contains a PHP script that is susceptible to a remote file include attack.

Description

The remote host is running SQLiteManager, a web-based application for managing SQLite databases.

The version of SQLiteManager installed on the remote host fails to sanitize user-supplied input to the 'spaw_root' parameter of the 'spaw/dialogs/confirm.php' script before using it to include PHP code. Provided PHP's 'register_globals' setting is enabled, an unauthenticated, remote attacker can exploit this issue to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.

Solution

Unknown at this time.

Plugin Details

Severity: Medium

ID: 30131

File Name: sqlitemanager_spaw_root_file_include.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 1/30/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:sqlite_manager:sqlite_manager

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploitable With

Elliot (SQLiteManager 1.2.0 RFI)

Reference Information

CVE: CVE-2008-0516

BID: 27515

CWE: 94