KnowledgeBuilder index.php PHP file include (HTTP_KnowledgeBuilder_CodeExecution)

About this signature or vulnerability

Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature searches for KnowledgeBuilder script execution requests that could result in the execution of a malicious script on the victim's server.


False positives

Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: Legitimate PHP scripts that use KnowledgeBuilder page references with absolute URLs (as opposed to relative URLs) can trigger this signature.

False negatives

Proventia Network MFS, IBM Security Server Protection for Windows, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: If the KnowledgeBuilder configuration deviates from the usual setup, in which the KnowledgeBuilder PHP pages are stored in a /kb/ subdirectory, this signature will fail to fire.

Default risk level

Medium

Sensors that have this signature

Proventia Network MFS: XPU 1.8, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia-G 1.1 and earlier: XPU 22.10, Proventia Network IDS: XPU 22.10, Proventia Desktop: 8.0.614.1, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eof, RealSecure Network: XPU 22.10, RealSecure Server Sensor: XPU 22.10, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for Vmware: 1.0

Systems affected

ActiveCampaign KnowledgeBuilder

Type

Unauthorized Access Attempt

Vulnerability description

KnowledgeBuilder could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially crafted URL request to the index.php script in which the page variable specifies a malicious file on a remote system, which would allow the attacker to execute code on the vulnerable system.
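
The check this signature describes, together with the /kb/ false-negative case noted above, sketched as log-scanning code. This is an added example, not IBM's signature logic or code from the advisory; the absolute-URL regex, the function names, the `outside_kb_dir` verdict and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: an "absolute URL" is any value that starts with scheme://
ABSOLUTE_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# Request line inside a combined-format access log entry
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target, kb_dirs=("/kb/",)):
    """Classify one request target as 'alert', 'outside_kb_dir' or 'clean'."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.endswith("/index.php"):
        return "clean"
    # parse_qs percent-decodes, so page=http%3A%2F%2F... is normalised first
    pages = parse_qs(parts.query).get("page", [])
    if not any(ABSOLUTE_URL.match(v.strip()) for v in pages):
        return "clean"
    # Same request shape outside the expected directory: the false-negative
    # case the advisory describes; widen kb_dirs for non-default installs.
    return "alert" if any(d in path for d in kb_dirs) else "outside_kb_dir"

def scan(log_lines, kb_dirs=("/kb/",)):
    """Return (line_number, verdict) for every line that is not clean."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if m and (verdict := classify(m.group(1), kb_dirs)) != "clean":
            hits.append((n, verdict))
    return hits

# Constructed sample entries (documentation addresses and .invalid hosts)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /kb/index.php?page=article&id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /kb/index.php?page=http://files.example.invalid/inc.txt HTTP/1.1" 200 311',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /kb/index.php?page=http%3A%2F%2Ffiles.example.invalid%2Finc.txt HTTP/1.1" 200 311',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /help/index.php?page=http://files.example.invalid/inc.txt HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(n, verdict)
```

An `alert` verdict cannot distinguish a hostile remote file from a legitimate absolute-URL page reference, which is the false-positive condition listed above, so hits need review against the hosts a site actually uses.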

How to remove this vulnerability

No remedy available as of September 4, 2010.

References

BugTraq Mailing List, Wed Dec 24 2003 - 07:45:22 CST
Remote Code Execution in Knowledge Builder.
http://archives.neohapsis.com/archives/bugtraq/2003-12/0321.html

KnowledgeBuilder Web page
KnowledgeBuilder - Powerful PHP KnowledgeBase Solution
http://www.activecampaign.com/kb/

ISS X-Force
KnowledgeBuilder index.php PHP file include
http://www.iss.net/security_center/static/14078.php

CVE
CVE-2003-1131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1131