SiteBuilder-FX top.php admindir Parameter Remote File Inclusion

medium Nessus Plugin ID 21787

Language:

Synopsis

The remote web server contains a PHP application that is prone to a remote file include attack.

Description

The remote host is running SiteBuilder-FX, a web-based design system written in PHP.

The version of SiteBuilder-FX installed on the remote host fails to sanitize input to the 'admindir' parameter of the 'admin/top.php' script before using it to include PHP code. Regardless of the setting of PHP's 'register_globals', an unauthenticated attacker may be able to exploit these flaws to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.

Solution

Unknown at this time.

Plugin Details

Severity: Medium

ID: 21787

File Name: sitebuilder_admindir_file_include.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 7/2/2006

Updated: 4/11/2022

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Vulnerability Publication Date: 7/3/2006

Reference Information

CVE: CVE-2006-3395

BID: 18756

Detections

Analytics