X2Engine < 4.2 Multiple Vulnerabilities

high Nessus Plugin ID 81438

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

According to its version number, the X2Engine application installed on the remote web server is potentially affected by multiple vulnerabilities:

- A PHP object injection vulnerability exists which can be used to carry out Server-Side Request Forgery (SSRF) attacks using specially crafted serialized objects. An attacker can exploit this issue by sending a crafted serialized request via the 'report' HTTP POST parameter of the 'SiteController.php' script. (CVE-2014-5297)

- A file upload vulnerability exists in the script 'FileUploadsFilter.php' due to a case-sensitive file name check by the regex contained in the constant 'FileUploadsFilter::EXT_BLACKLIST'. An attacker, using a crafted file name with capital letters in the extension, can bypass file upload restrictions to load and execute arbitrary PHP scripts, provided X2Engine is running under a case-insensitive file system or configuration. (CVE-2014-5298)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
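The second issue above is a case-sensitive extension blacklist. The following is an added illustration, not X2Engine's own code: the regex, the allowlist and the sample file names are all constructed for this example (the real 'FileUploadsFilter::EXT_BLACKLIST' pattern is not reproduced), and it contrasts the weak check with a case-insensitive allowlist check that does not depend on how the file system treats letter case.

```php
<?php
// Constructed pattern modelling the class of defect: a blacklist regex
// with no 'i' modifier, so "x.PHP" does not match but "x.php" does.
// This is NOT X2Engine's actual EXT_BLACKLIST constant.
const WEAK_EXT_BLACKLIST = '/\.(php|phtml|php3|php4|php5|phar)$/';

// Assumed allowlist of extensions the application really needs to accept.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'csv'];

// Weak check: deny only what the case-sensitive blacklist matches.
function weakIsAllowed(string $name): bool {
    return preg_match(WEAK_EXT_BLACKLIST, $name) === 0;
}

// Hardened check: lower-case the name, require every dotted segment after
// the stem to be allowlisted (so "a.php.jpg" and "a.jpg.PHP" are both
// rejected), and never rely on the server's case handling.
function strictIsAllowed(string $name): bool {
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                       // no extension, or a dotfile
    }
    array_shift($parts);                    // drop the stem
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names; the capital-letter variants are the case the
// advisory describes slipping past the blacklist.
$samples = ['report.pdf', 'doc.php', 'doc.PHP', 'doc.Php', 'pic.php.jpg', 'pic.jpg.PHP'];
foreach ($samples as $n) {
    printf("%-12s weak:%-5s strict:%s\n", $n,
        weakIsAllowed($n) ? 'allow' : 'deny',
        strictIsAllowed($n) ? 'allow' : 'deny');
}
```

Adding the 'i' modifier to the blacklist closes only the case-folding gap; the allowlist form also covers extensions the blacklist never listed and double-extension names.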

Solution

Upgrade to version 4.2 or later.

See Also

https://seclists.org/fulldisclosure/2014/Sep/77

https://seclists.org/fulldisclosure/2014/Sep/78

http://community.x2crm.com/index.php

https://github.com/X2Engine/X2CRM/blob/master/CHANGELOG.md

Plugin Details

Severity: High

ID: 81438

File Name: x2engine_4_2.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2/23/2015

Updated: 5/28/2024

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:x2engine:x2engine

Required KB Items: www/PHP, installed_sw/X2Engine, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 9/3/2014

Vulnerability Publication Date: 9/23/2014

Reference Information

CVE: CVE-2014-5297, CVE-2014-5298

BID: 70080, 70081