KnowledgeBuilder index.php PHP file include (HTTP_KnowledgeBuilder_CodeExecution)

About this signature or vulnerability

Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server:

This signature searches for knowledge builder script execution requests which could result in execution of malicious script execution on the victims server.


False positives

Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server: If legitimate php scripts using knowledge builder page references with absolute urls (as apposed to relative urls).

False negatives

Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, RealSecure Network, RealSecure Server Sensor, BlackICE Agent for Server: If the knowledge builder configuration deviates from usual setups where knowledge builder php pages are stored in a /kb/ subdirectory this signature will fail to fire.

Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network MFS: XPU 1.8, Proventia-G 1.1 and earlier: XPU 22.10, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, RealSecure Network: XPU 22.10, RealSecure Server Sensor: XPU 22.10, BlackICE Agent for Server: 3.6eof

Systems affected

ActiveCampaign KnowledgeBuilder

Type

Unauthorized Access Attempt

Vulnerability description

KnowledgeBuilder could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the ?page variable of the index.php script that specifies a malicious file from a remote system as a parameter, which would allow the attacker to execute code on the vulnerable system.

How to remove this vulnerability

No remedy available as of December 2003.

References

BugTraq Mailing List, Wed Dec 24 2003 - 07:45:22 CST
Remote Code Execution in Knowledge Builder.
http://archives.neohapsis.com/archives/bugtraq/2003-12/0321.html

KnowledgeBuilder Web page
KnowledgeBuilder - Powerful PHP KnowledgeBase Solution
http://www.activecampaign.com/kb/

ISS X-Force
KnowledgeBuilder index.php PHP file include
http://www.iss.net/security_center/static/14078.php

CVE
CVE-2003-1131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1131