High risk security bug in Proxmox VE 1.8?

lucaferr

Renowned Member
Jun 21, 2011
Ignore me, false alert

[NOTE: The following is a false alert, so don't care about it... It was an error of OpenVAS, obviously... I'm sorry!]

Hi All,
I set up a Proxmox VE 1.8 environment, all default, with Shorewall firewall configured.
Then I updated it all (apt-get update and apt-get upgrade) and I scanned it deeply with a dedicated machine running the latest version of OpenVAS (vulnerability scanner).
I found a high-risk bug (a public exploit already exists and it appears to lead to execution of arbitrary code on the host machine):

BUG NAME: PHPGenealogie 'CoupleDB.php' remote file inclusion vulnerability

BUG DETAILS:


Test ID: 1.3.6.1.4.1.25623.1.0.801008

Category: Web application abuses

Title: PHPGenealogie 'CoupleDB.php' Remote File Inclusion Vulnerability

Summary: Check for the version and attack of PHPGenealogie

Description:
Overview: This host is running PHPGenealogie and is prone to Remote File
Inclusion vulnerability.

Vulnerability Insight:
The flaw is due to error in 'DataDirectory' parameter in 'CoupleDB.php' which
is not properly verified before being used to include files.

Impact:
Successful exploitation will let the attacker to execute arbitrary code on
the vulnerable Web server.

Impact level: Application/System

Affected Software/OS:
PHPGenealogie version 2.0

Fix: No solution or patch is available as on 07th October, 2009. Information
regarding this issue will be updated once the solution details are available.
For updates refer, http://sourceforge.net/projects/phpgenealogie/files/

References:
http://www.milw0rm.com/exploits/9155
http://xforce.iss.net/xforce/xfdb/51728

CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 6.7
Risk factor: High

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2009-3541
http://www.milw0rm.com/exploits/9155
XForce ISS Database: phpgenealogy-datadirectory-file-include(51728)
http://xforce.iss.net/xforce/xfdb/51728

Copyright: Copyright (C) 2009 Greenbone Networks GmbH

Did you know about this bug?
Is this as dangerous as OpenVAS says?
Do you think we can fix it? That PHPGenealogie unfortunately doesn't seem to be updated anymore :(
Thank you!
 
There is no PHP installed on Proxmox VE and no PHPGenealogy, so I do not see how this applies to Proxmox VE.
 
Ahaha, I have no idea what the hell OpenVAS found (he seemed to be very sure)...
I'm sorry, I'll check it now to understand why the hell he did say that...
 
Hi, could one please correct the subject of this thread in order to not get other sysadmins' hearts to a sudden standstill for virtually nothing?
Thanks, hk.
 
You're right, done! ;-)

EDIT: Oh, no, the main title is not changed... So I ask the admins to kindly do it (you can delete it!)... Sorry for all this mess, I'll check the accuracy of OpenVAS results next time ;-)
 