phpListPro Multiple Script returnpath Parameter Remote File Inclusions

high Nessus Plugin ID 21310

Synopsis

The remote web server contains a PHP application that is affected by remote file include vulnerabilities.

Description

The remote host is running phpListPro, a website voting/ranking tool written in PHP.

The installed version of phpListPro fails to sanitize user input to the 'returnpath' parameter of the 'config.php', 'editsite.php', 'addsite.php', and 'in.php' scripts before using it to include PHP code from other files. An unauthenticated attacker may be able to read arbitrary local files or include a file from a remote host that contains commands which will be executed on the remote host subject to the privileges of the web server process.

These flaws are only exploitable if PHP's 'register_globals' is enabled.

Solution

Edit the affected files as discussed in the vendor advisory above.

See Also

https://seclists.org/bugtraq/2006/Apr/204

https://seclists.org/bugtraq/2006/May/152

https://seclists.org/bugtraq/2006/May/198

http://www.nessus.org/u?99ab22fb

Plugin Details

Severity: High

ID: 21310

File Name: phplistpro_remote_file_include.nasl

Version: 1.24

Type: remote

Family: CGI abuses

Published: 5/3/2006

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:tincan:phplist

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Vulnerability Publication Date: 4/11/2006

Reference Information

CVE: CVE-2006-1749, CVE-2006-2323

BID: 17448