dotproject_file_includes.nasl

We have seen probes to a web server trying to exploit the remote file
include vulnerability in db_adodb.php. The URLs that are being tried are:

/db_adodb.php
/dotproject/includes/db_adodb.php
/includes/db_adodb.php
/project/includes/db_adodb.php
/projects/includes/db_adodb.php

I don't know if these are all valid locations for db_adodb.php. But, it looks
like dotproject_file_includes.nasl doesn't try the first of these URLs.

These probes also try an identical remote file include (using baseDir)
against another php routine - query.class.php. The specific URLs tried are:

/classes/query.class.php
/dotproject/classes/query.class.php
/proj/classes/query.class.php
/project/classes/query.class.php

There isn't a plugin that checks for query.class.php. This vulnerability is
documented as Bugtraq ID: 19547. Should the check for this php routine be
added to dotproject_file_includes.nasl or should it be a separate plugin?
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
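
The probes described in the message above can be picked out of a web server access log. The following is an added example, not part of the original posts or of the Nessus plugin: it flags requests for the two script names mentioned in the thread and classifies the `baseDir` parameter. The log format (common/combined), the sample lines, the function names and the verdict labels are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script names reported in the thread; directory prefixes vary between probes,
# so only the file name is matched.
TARGET_SCRIPTS = ("/db_adodb.php", "/query.class.php")
# baseDir value that points off-host: "scheme://..." or "//host/...".
REMOTE_VALUE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.I)
# Common/combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation addresses, example.invalid host).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:03:10:01 +0000] "GET /includes/db_adodb.php?baseDir=http://example.invalid/x.txt HTTP/1.1" 404 209
192.0.2.10 - - [01/Jan/2024:03:10:02 +0000] "GET /dotproject/classes/query.class.php?baseDir=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 0
198.51.100.7 - - [01/Jan/2024:03:11:00 +0000] "GET /project/includes/db_adodb.php HTTP/1.1" 404 209
198.51.100.7 - - [01/Jan/2024:03:12:00 +0000] "GET /index.php?m=projects HTTP/1.1" 200 5120
"""

def classify(line):
    """Return (client, path, status, verdict) for a matching request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.lower().endswith(TARGET_SCRIPTS):
        return None
    # Names are compared loosely (lower-cased); parse_qsl percent-decodes values.
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    value = params.get("basedir")
    if value is None:
        verdict = "script-request"          # path probe without the parameter
    elif REMOTE_VALUE.match(value):
        verdict = "remote-include-attempt"  # baseDir names a remote resource
    else:
        verdict = "basedir-override"        # baseDir supplied, local-looking value
    return client, path, int(status), verdict

def scan(log_text):
    """Classify every line and return only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, path, status, verdict in scan(SAMPLE_LOG):
        # A 2xx status means the script exists on this server and deserves review.
        print(f"{client} {status} {verdict:24} {path}")
```
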
Re: dotproject_file_includes.nasl
On Jun 18, 2008, at 4:02 AM, dennis jackson wrote:

> dotproject_file_includes.nasl
>
> We have seen probes to a web server trying to exploit the remote file
> include vulnerability in db_adodb.php. The URLs that are being tried are:
>
> /db_adodb.php
...
> I don't know if these are all valid locations for db_adodb.php. But, it looks
> like dotproject_file_includes.nasl doesn't try the first of these URLs.

I don't think it is. The affected file only appears in the 'includes'
directory with 2.0.1 and 2.0.4. And I don't see any evidence of it
elsewhere browsing the project's SVN repository on SourceForge.

> These probes also try an identical remote file include (using baseDir)
> against another php routine - query.class.php.
...
> There isn't a plugin that checks for query.class.php. This vulnerability is
> documented as Bugtraq ID: 19547. Should the check for this php routine be
> added to dotproject_file_includes.nasl or should it be a separate plugin?

While the plugin does not check for the issue explicitly, it does
indirectly - the project team responded to the first issue not by
fixing the code but rather by advising people to turn off
register_globals. So rather than testing for the issue in
query.class.php or the 9 other scripts that were reported affected
along with db_adodb.php, we've opted to only check for one script.

Btw, the plugin does indeed reference 19547.

George
--
theall@tenablesecurity.com


