File: basilix_webmail.nasl

package info (click to toggle)
nessus-plugins 2.2.8-1.1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 15,508 kB
  • ctags: 251
  • sloc: sh: 8,346; ansic: 4,452; pascal: 3,089; perl: 704; makefile: 172; php: 1
file content (90 lines) | stat: -rw-r--r-- 2,265 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#
# This script was written by Michel Arboi <arboi@alussinan.org>
#
# GPL
#
# References:
# From: "karol _" <su@poczta.arena.pl>
# To: bugtraq@securityfocus.com
# CC: arslanm@Bilkent.EDU.TR
# Date: Fri, 06 Jul 2001 21:04:55 +0200
# Subject: basilix bug
#


if(description)
{
 script_id(11072);
 script_bugtraq_id(2995);
 script_version ("$Revision: 1.12 $");
 script_cve_id("CVE-2001-1045");
 name["english"] = "Basilix Webmail Dummy Request Vulnerability";
 script_name(english:name["english"]);

 desc["english"] = "
Synopsis :

The remote web server contains a PHP script that is prone to information
disclosure. 

Description :

The script 'basilix.php3' is installed on the remote web server.  Some
versions of this webmail software allow the users to read any file on
the system with the permission of the webmail software, and execute any
PHP. 

See also :

http://archives.neohapsis.com/archives/bugtraq/2001-07/0114.html

Solution : 

Update Basilix or remove DUMMY from lang.inc.

Risk factor : 

Low / CVSS Base Score : 2 
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)";
 script_description(english:desc["english"]);
 
 summary["english"] = "Checks for the presence of basilix.php3";
 
 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO); 

 script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);

 script_dependencies("http_version.nasl", "logins.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("imap/login", "imap/password");

 exit(0);
}


include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");

if ( report_paranoia < 2 ) exit(0);


port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);
if (!can_host_php(port:port)) exit(0);


user = get_kb_item("imap/login");
pass = get_kb_item("imap/password");
if (!user || !pass) {
  if (log_verbosity > 1) display("imap/login and/or imap/password are empty; ", SCRIPT_NAME, " skipped!\n");
  exit(1);
}


url=string("/basilix.php3?request_id[DUMMY]=../../../../../../../../../etc/passwd&RequestID=DUMMY&username=", user, "&password=", pass);
if(is_cgi_installed_ka(port:port, item:url)){ security_note(port); exit(0); }