eFiction < 2.0.2 Multiple Remote Vulnerabilities (SQLi, XSS, Disc)

Nessus Plugin ID 20349 (Severity: High)

Synopsis

The remote web server has a PHP application that is affected by multiple flaws.

Description

The remote host is running eFiction, an open source application in PHP for writers.

The installed version of eFiction is affected by numerous flaws:

- Members may be able to upload files containing arbitrary PHP code disguised as image files and then run that code on the remote host, subject to the privileges of the web server user id. An attacker who does not yet have an account can register and have a password mailed to them automatically.

- User-supplied input to several parameters and scripts is used without sanitization, which can lead to SQL injection attacks provided PHP's 'magic_quotes_gpc' is disabled. These issues can be exploited, for example, to bypass authentication or disclose sensitive information.

- User-supplied input to the 'let' parameter of the 'titles.php' script is not sanitized before being used in dynamically-generated web pages, which leads to cross-site scripting attacks.

- An unauthenticated attacker may be able to gain information about the installation and configuration of PHP on the remote host by requesting the 'phpinfo.php' script, or to learn the install path by requesting the 'storyblock.php' script directly with no arguments.

- Unauthenticated attackers may be able to access the 'install.php' and/or 'upgrade.php' scripts and thereby modify the installation on the remote host.

Solution

Upgrade to eFiction 2.0.2 or later.

See Also

https://seclists.org/bugtraq/2005/Nov/302

Plugin Details

Severity: High

ID: 20349

File Name: efiction_202.nasl

Version: 1.31

Type: remote

Family: CGI abuses

Published: 12/29/2005

Updated: 4/7/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2005-4168

Vulnerability Information

CPE: cpe:/a:efiction_project:efiction

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 11/25/2005

Reference Information

CVE: CVE-2005-4167, CVE-2005-4168, CVE-2005-4169, CVE-2005-4170, CVE-2005-4171, CVE-2005-4172, CVE-2005-4173, CVE-2005-4174

BID: 15568

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990