PHP Advanced Transfer Manager <= 1.30 Multiple Vulnerabilities

medium Nessus Plugin ID 19768

Synopsis

The remote web server contains a PHP script that suffers from cross-site scripting and information disclosure vulnerabilities.

Description

The version of PHP Advanced Transfer Manager on the remote host suffers from multiple information disclosure and cross-site scripting flaws. For example, by calling a text or HTML viewer directly, an unauthenticated attacker can view arbitrary files, provided PHP's 'register_globals' setting is enabled. In addition, it may allow anyone to directly retrieve users' configuration files, which contain encrypted password hashes, as well as the application's 'test.php' script, which reveals information about the configuration of PHP on the remote host. Finally, the application fails to adequately filter arbitrary HTML and script code before using it in dynamically generated pages.

Solution

Disable PHP's 'register_globals' setting, remove the 'test.php' script, and prevent direct access to the 'users' directory.

See Also

http://www.nessus.org/u?7e209b1d

Plugin Details

Severity: Medium

ID: 19768

File Name: phpatm_130.nasl

Version: 1.21

Type: remote

Family: CGI abuses

Published: 9/21/2005

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:bugada_andrea:php_advanced_transfer_manager

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

BID: 14883, 14887, 15074, 15237

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990