Vortex Portal Content Management System Multiple Remote File Inclusion

Medium Nessus Network Monitor Plugin ID 2745

Synopsis

The remote host is vulnerable to a script injection attack.

Description

The remote host is running Vortex Portal, a content-management system for gaming. This version of Vortex is vulnerable to an 'include' file injection attack. Specifically, the 'act' variable of 'content.php' and 'index.php' is not properly sanitized by the Vortex application. An attacker exploiting this flaw would be able to include arbitrary malicious code within a URI. The attacker would then need to be able to convince a client to browse to the URI. A successful attack would result in the client browser executing malicious code within the context of the Vortex application.

Solution

Ensure that this application is allowed within corporate policies and guidelines.

Plugin Details

Severity: Medium

ID: 2745

Family: CGI

Published: 2005/03/23

Modified: 2018/09/16

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:U/RC:ND

CVSSv3

Base Score: 5.3

Temporal Score: 5.3

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS3#E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:vortex_portal:vortex_portal

Reference Information

CVE: CVE-2005-0879

BID: 12878