[Openvas-commits] r1596 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Oct 21 16:25:42 CEST 2008


Author: chandra
Date: 2008-10-21 16:25:40 +0200 (Tue, 21 Oct 2008)
New Revision: 1596

Added:
   trunk/openvas-plugins/scripts/gb_adobe_flash_cs3_swf_proc_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_adobe_flash_player_detect_lin.nasl
   trunk/openvas-plugins/scripts/gb_guildftpd_heap_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_phpwebgallery_mult_vuln_oct08.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_adobe_flash_player_sec_bypass_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_firefox_url_file_info_dis_vuln.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/ChangeLog	2008-10-21 14:25:40 UTC (rev 1596)
@@ -1,3 +1,18 @@
+2008-10-21 Chandrashekhar B <bchandra at secod.com>
+	* scripts/gb_adobe_flash_player_detect_lin.nasl,
+	  scripts/gb_hp_sim_unauth_access_vuln_lin.nasl,
+	  scripts/gb_adobe_flash_cs3_swf_proc_bof_vuln.nasl,
+	  scripts/gb_hp_sim_unauth_access_vuln_win.nasl,
+	  scripts/gb_guildftpd_heap_bof_vuln.nasl,
+	  scripts/gb_phpwebgallery_mult_vuln_oct08.nasl:
+	  Added new plugins
+
+	* scripts/gb_firefox_url_file_info_dis_vuln.nasl:
+	  Updated description
+
+	* scripts/gb_adobe_flash_player_sec_bypass_vuln_lin.nasl:
+	  Calling through detect plugin, does better detection
+	
 2008-10-21 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/secpod_hummingbird_activex_bof_vuln_900159.nasl,
 	  scripts/secpod_xm_easy_personal_ftpserver_dos_vuln_900158.nasl:

Added: trunk/openvas-plugins/scripts/gb_adobe_flash_cs3_swf_proc_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_flash_cs3_swf_proc_bof_vuln.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_adobe_flash_cs3_swf_proc_bof_vuln.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_adobe_flash_cs3_swf_proc_bof_vuln.nasl 368 2008-10-21 15:35:47Z oct $
+#
+# Adobe Flash CS3 SWF Processing Buffer Overflow Vulnerabilities
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800035);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-4473");
+  script_bugtraq_id(31769);
+  script_name(english:"Adobe Flash CS3 SWF Processing Buffer Overflow Vulnerabilities");
+  desc["english"] = "
+
+  Overview: This host is installed with Adobe Flash CS3 and is prone to buffer
+  overflow vulnerabilities.
+
+  Vulnerability Insight:
+  The issues are caused due to boundary errors while processing overly long SWF
+  control parameters.
+
+  Impact:
+  Successful exploitation could allow remote attackers to cause heap based
+  buffer overflows via specially crafted SWF files.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Adobe Flash CS3 Professional on Windows.
+
+  Fix: Upgrade to Adobe Flash CS4 Professional
+  http://www.adobe.com/downloads/
+
+  References:
+  http://www.adobe.com/support/security/advisories/apsa08-09.html
+
+  CVSS Score:
+    CVSS Base Score     : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+    CVSS Temporal Score : 6.1
+  Risk factor: High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the Version of Adobe Flash Creative Suite");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+uninstall = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+keys = registry_enum_keys(key:uninstall);
+foreach key (keys)
+{
+  adobeName = registry_get_sz(key:uninstall + key, item:"DisplayName");
+  if("Adobe Flash CS3 Professional" >< adobeName){
+    security_hole(0);
+  }
+}
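Review bot: The loop at L136-L142 keeps iterating after `security_hole(0)`, so a host whose Uninstall hive has more than one key with a matching DisplayName (a second install, a language pack) is reported several times; add `exit(0);` directly after `security_hole(0);`. `registry_get_sz` can also return NULL for Uninstall keys that carry no DisplayName, and the check then relies on how `><` treats NULL, so `if(adobeName && "Adobe Flash CS3 Professional" >< adobeName)` is the safer test. The plugin flags every CS3 Professional install without any version or patch-level check, which is consistent with the stated fix (upgrade to CS4), but a one-line comment saying that all CS3 builds are considered affected would stop the next maintainer from "fixing" it.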

Added: trunk/openvas-plugins/scripts/gb_adobe_flash_player_detect_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_flash_player_detect_lin.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_adobe_flash_player_detect_lin.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_adobe_flash_player_detect_lin.nasl 320 2008-10-21 09:42:59Z oct $
+#
+# Adobe Flash Player Version Detection (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800032);
+  script_version("$Revision: 1.0 $");
+  script_name(english:"Adobe Flash Player Version Detection (Linux)");
+  desc["english"] = "
+  Overview: This script detects the version from binary file(s) and sets
+  the Adobe Flash Player version in the KB.
+
+  Risk factor : Informational";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Set KB for the version of Adobe Flash Player");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"General");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+  exit(0);
+}
+
+grep = find_bin(prog_name:"grep", sock:sock);
+grep = chomp(grep[0]);
+
+garg[0] = "-o";
+garg[1] = "-m1";
+garg[2] = "-a";
+garg[3] = string("[0-9]\\+,[0-9]\\+,[0-9]\\+,[0-9]\\+");
+
+flashName = find_file(file_name:"libflashplayer.so", file_path:"/",
+                      useregex:TRUE, regexpar:"$", sock:sock);
+foreach binaryName (flashName)
+{
+  binaryName = chomp(binaryName);
+  if(islocalhost())
+  {
+    garg[4] = binaryName;
+    arg = garg;
+  }
+  else
+  {
+    arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+
+          raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binaryName;
+  }
+
+  flashVer = get_bin_version(full_prog_name:grep, version_argv:arg,
+                             ver_pattern:"([0-9]+,[0-9]+,[0-9]+,[0-9]+)");
+  if(flashVer)
+  {
+    set_kb_item(name:"AdobeFlashPlayer/Linux/Ver", value:flashVer[0]);
+    ssh_close_connection();
+    exit(0);
+  }
+}
+ssh_close_connection();
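Review bot: `grep[0]` at L203 is dereferenced without checking that `find_bin` found anything, so on a host without grep (or when the SSH command fails) `get_bin_version` is invoked with an empty program name for every libflashplayer.so found; add `if(!grep) { ssh_close_connection(); exit(0); }` before the `chomp`. The value stored in `AdobeFlashPlayer/Linux/Ver` is the comma-separated form the grep pattern extracts (9,0,124,0 rather than 9.0.124.0), which consumers comparing against dotted versions have to account for, and a comment above `set_kb_item` stating that format would make the contract explicit. `ssh_login_or_reuse_connection`, `find_bin`, `find_file` and `get_bin_version` are not provided by the single `version_func.inc` include listed here; presumably that include pulls in the SSH helpers — worth confirming.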

Modified: trunk/openvas-plugins/scripts/gb_adobe_flash_player_sec_bypass_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_flash_player_sec_bypass_vuln_lin.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_adobe_flash_player_sec_bypass_vuln_lin.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -37,10 +37,10 @@
   multiple security bypass vulnerabilities.
 
   Vulnerability Insight: The flaws are due to,
-  - a design error in the application allows access to the system's
+  - a design error in the application that allows access to the system's
     camera and microphone by tricking the user into clicking Flash Player
     access control dialogs disguised as normal graphical elements.
-  - FileReference.browse() and FileReference.download() methods can be
+  - FileReference.browse() and FileReference.download() methods which can be
     called without user interaction and can potentially be used
     to trick a user into downloading or uploading files.
 
@@ -71,32 +71,15 @@
   script_category(ACT_GATHER_INFO);
   script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
   script_family(english:"Misc.");
+  script_dependencies("gb_adobe_flash_player_detect_lin.nasl");
   exit(0);
 }
 
 
 include("version_func.inc");
 
-sock = ssh_login_or_reuse_connection();
-if(!sock){
-  exit(0);
+# Grep for versions 9.0.124.0 and prior
+if(version_in_range(version:get_kb_item("AdobeFlashPlayer/Linux/Ver"),
+                    test_version:"9.0", test_version2:"9.0.124.0")){
+  security_warning(0);
 }
-
-flashName = find_file(file_name:"plugins/libflashplayer.so", file_path:"/",
-                      useregex:TRUE, regexpar:"$", sock:sock);
-foreach binary_flashName (flashName)
-{
-  # Grep for versions 9.0.124.0 and prior
-  flashVer = ssh_cmd(socket:sock, timeout:60,
-                     cmd:"grep -irE 'LNX ([0-8]\,.*|9,0,([01]?[0-9]?[0-9]|" +
-                         "1[01][0-9]|12[0-4]),0)' " +
-                     chomp(binary_flashName));
-
-  if(flashVer =~ "Binary file .* matches")
-  {
-    security_warning(0);
-    ssh_close_connection();
-    exit(0);
-  }
-}
-ssh_close_connection();
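Review bot: The new check at L269-L270 passes the raw KB value straight into `version_in_range` with no guard, so when the detect plugin set nothing (no SSH access, no libflashplayer.so found) the comparison runs on NULL; and the detect plugin added in this commit stores the version in the comma-separated form its grep pattern extracts (9,0,124,0) whereas `test_version` uses dots, so unless `version_in_range` normalises separators the range test never matches and vulnerable hosts go unreported. Read the key first and normalise it: `flashVer = get_kb_item("AdobeFlashPlayer/Linux/Ver");` `if(!flashVer) exit(0);` `flashVer = ereg_replace(pattern:",", replace:".", string:flashVer);` and pass `flashVer` to `version_in_range`. Since the script now depends on the detector, adding `script_require_keys("AdobeFlashPlayer/Linux/Ver");` beside the new `script_dependencies` line would also keep it from being scheduled when nothing was detected. The description block this hunk belongs to starts outside the hunk.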

Modified: trunk/openvas-plugins/scripts/gb_firefox_url_file_info_dis_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_firefox_url_file_info_dis_vuln.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_firefox_url_file_info_dis_vuln.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -37,10 +37,13 @@
   to information disclosure vulnerability.
 
   Vulnerability Insight:
-  Issue is caused due an error when processing .url shortcuts in HTML elements.
+  The Browser does not properly identify the context of Windows .url shortcut
+  files, which allows remote attackers to bypass the Same Origin Policy and
+  obtain sensitive information via an HTML document that is directly accessible
+  through a filesystem.
 
   Impact: Successful remote exploitation could result in disclosure of sensitive
-  information from the cache.
+  information.
 
   Impact Level: System
 

Added: trunk/openvas-plugins/scripts/gb_guildftpd_heap_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_guildftpd_heap_bof_vuln.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_guildftpd_heap_bof_vuln.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -0,0 +1,137 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_guildftpd_heap_bof_vuln.nasl 0345 2008-10-21 10:37:32Z oct $
+#
+# GuildFTPd CWD and LIST Command Heap Overflow Vulnerability
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800114);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-4572");
+  script_bugtraq_id(31729);
+  script_name(english:"GuildFTPd CWD and LIST Command Heap Overflow Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is running GuildFTPd FTP Server which is prone to Heap
+  Overflow Vulnerability.
+
+  Vulnerability Insight:
+  The flaw exists due to boundary error while processing malformed arguments
+  passed to a CWD and LIST commands.
+
+  Impact:
+  Successful exploitation allows attackers to execute arbitrary code through
+  specially crafted CWD and LIST command, which can also crash the affected
+  application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  GuildFTPd Version 0.999.14 and prior on Windows (Any).
+
+  Fix: No solution/patch is available as on 21st October, 2008. Information
+  regarding this issue will updated once the solution details are available.
+  For updates refer, http://www.guildftpd.com/
+
+  References:
+  http://milw0rm.com/exploits/6738
+  http://secunia.com/advisories/32218/
+  http://www.frsirt.com/english/advisories/2008/2794
+
+  CVSS Score:
+    CVSS Base Score     : 6.3 (AV:N/AC:M/Au:SI/C:N/I:N/A:C)
+    CVSS Temporal Score : 5.7
+  Risk factor: High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of GuildFTPd Server");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Denial of Service");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/ftp", 21);
+  exit(0);
+}
+
+
+include("ftp_func.inc");
+include("version_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+  port = 21;
+}
+
+if(!get_port_state(port)){
+  exit(0);
+}
+
+soc = open_sock_tcp(port);
+if(!soc){
+  exit(0);
+}
+
+banner = recv(socket:soc, length:1024);
+if("GuildFTPd" >!< banner)
+{
+  close(soc);
+  exit(0);
+}
+
+if(safe_checks())
+{
+  guildVer = eregmatch(pattern:"Version ([0-9.]+)", string:banner);
+  if(guildVer != NULL)
+  {
+    # Check for GuildFTPd Version <= 0.999.14
+    if(version_is_less_equal(version:guildVer[1], test_version:"0.999.14")){
+      security_hole(port);
+    }
+  }
+  close(soc);
+  exit(0);
+}
+
+if(ftp_authenticate(socket:soc, user:"anonymous", pass:"anonymous"))
+{
+  send(socket:soc, data:string("cwd ", crap(data:"/.", length:200), "\n"));
+  recv(socket:soc, length:1024);
+
+  send(socket:soc, data:string("list ", crap(data:"X", length:100), "\r\n"));
+  recv(socket:soc, length:1024);
+
+  sleep(10);
+  close(soc);
+
+  soc = open_sock_tcp(port);
+
+  if(!recv(socket:soc, length:1024))
+  {
+    security_note(data:string("GuildFTPd Server service has been crashed on the" +
+                              "system.\nRestart the service to resume normal operations."),
+                  port:port);
+    security_hole(port);
+  }
+  close(soc);
+}
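Review bot: The socket reopened at L445 after the 10-second sleep is used unchecked: `open_sock_tcp` can return NULL, after which `recv` and `close` operate on a null socket, and any reason the reconnect fails inside that window (a per-IP connection limit after the anonymous login, firewall throttling) is reported as a crash. Gate the verdict on both conditions, `if(!soc || !recv(socket:soc, length:1024))`, and close the socket only when it was opened; re-checking for the `GuildFTPd` banner rather than for any bytes would further reduce false positives. The report text at L449-L450 concatenates `"... on the"` and `"system.\n..."` without a space and prints "on thesystem."; change the first fragment to `"GuildFTPd Server service has been crashed on the " +`. Emitting both `security_note` and `security_hole` for the same finding also produces two results for one condition, which looks unintentional.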


Property changes on: trunk/openvas-plugins/scripts/gb_guildftpd_heap_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_lin.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_lin.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_hp_sim_unauth_access_vuln_lin.nasl 350 2008-10-21 13:32:52Z oct $
+#
+# HP Systems Insight Manager Unauthorized Access Vulnerability (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800034);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-4412");
+  script_bugtraq_id(31777);
+  script_name(english:"HP Systems Insight Manager Unauthorized Access Vulnerability (Linux)");
+  desc["english"] = "
+
+  Overview: This host is running HP Systems Insight Manager (SIM) and is prone
+  to security bypass vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in the application which allows unauthorized
+  access to certain data.
+
+  Impact:
+  Successful exploitation could allow remote attackers to gain unauthorized
+  access to the data.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  HP SIM prior to 5.2 with Update 2 (C.05.02.02.00) on Linux
+
+  Fix: Update to HP SIM version 5.2 with Update 2 (C.05.02.02.00)
+  http://h20392.www2.hp.com/portal/swdepot/index.do
+
+  References:
+  http://secunia.com/advisories/32287/
+  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01571962
+
+  CVSS Score:
+    CVSS Base Score     : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
+    CVSS Temporal Score : 3.7
+  Risk factor: Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of HP SIM");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+port = 50000;;
+if(!port){
+  exit(0);
+}
+
+if(!get_port_state(port)){
+  exit(0);
+}
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+  exit(0);
+}
+
+simName = find_file(file_name:"mxversion", file_path:"/", useregex:TRUE,
+                    regexpar:"$", sock:sock);
+foreach binaryName(simName)
+{
+  simVer = get_bin_version(full_prog_name:chomp(binaryName), sock:sock,
+                          ver_pattern:"Linux ([^ ]+)");
+  if(simVer)
+  {
+    # Grep for versions prior to 5.2 with update 2 (C.05.02.02.00)
+    if(version_is_less(version:simVer[1], test_version:"C.05.02.02.00"))
+    {
+      security_warning(port);
+      ssh_close_connection();
+      exit(0);
+    }
+  }
+}
+ssh_close_connection();
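Review bot: `port = 50000;;` at L542 carries a stray second semicolon, and the `if(!port)` that follows can never fire on a constant; more importantly the `get_port_state(port)` gate at L547 makes an SSH-based file check depend on TCP 50000 having been found open by the port scanner, so a host whose SIM web port is filtered or outside the scanned range is never examined even though `mxversion` could be run over SSH. Either declare the port with `script_require_ports(50000);` in the description block so the scheduler knows about it, or drop the gate and report with `security_warning(0)`. The same constant, dead check and gate appear in gb_hp_sim_unauth_access_vuln_win.nasl in this commit (its L662-L669). `version_is_less` is handed versions with a non-numeric leading segment (`C.05.02.02.00`); presumably the helper compares component-wise and treats the letter consistently — confirm before relying on it. As in the other new SSH plugins, the SSH helpers are not provided by the one `version_func.inc` include listed.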

Added: trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_win.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_hp_sim_unauth_access_vuln_win.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -0,0 +1,101 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_hp_sim_unauth_access_vuln_win.nasl 350 2008-10-21 11:45:03Z oct $
+#
+# HP Systems Insight Manager Unauthorized Access Vulnerability (Win)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800033);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-4412");
+  script_bugtraq_id(31777);
+  script_name(english:"HP Systems Insight Manager Unauthorized Access Vulnerability (Win)");
+  desc["english"] = "
+
+  Overview: This host is running HP Systems Insight Manager (SIM) and is prone
+  to security bypass vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in the application which allows
+  unauthorized access to certain data.
+
+  Impact:
+  Successful exploitation could allow remote attackers to gain unauthorized
+  access to the data.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  HP SIM prior to 5.2 with Update 2 (C.05.02.02.00) on Windows
+
+  Fix: Update to HP SIM version 5.2 with Update 2 (C.05.02.02.00)
+  http://h20392.www2.hp.com/portal/swdepot/index.do
+
+  References:
+  http://secunia.com/advisories/32287/
+  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01571962
+
+  CVSS Score:
+    CVSS Base Score     : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
+    CVSS Temporal Score : 3.7
+  Risk factor: Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of HP SIM");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("http_func.inc");
+include("version_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+port = 50000;
+if(!port){
+  exit(0);
+}
+
+if(!get_port_state(port)){
+  exit(0);
+}
+
+simVer = registry_get_sz(item:"Version",
+         key:"SOFTWARE\Hewlett-Packard\Systems Insight Manager\Settings");
+if(!simVer){
+  exit(0);
+}
+
+# Grep for versions prior to 5.2 with update 2 (C.05.02.02.00)
+if(version_is_less(version:simVer, test_version:"C.05.02.02.00")){
+  security_warning(port);
+}
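Review bot: `include("http_func.inc")` at L655 is not used by anything in this script — the only helpers called are `get_kb_item`, `get_port_state`, `registry_get_sz` and `version_is_less` — so it can be dropped. The `if(!port)` after the constant assignment at L662 is dead, and gating a registry lookup on `get_port_state(50000)` mirrors the Linux variant in this commit: the check is skipped whenever port 50000 is not seen open, although the registry value would answer the question regardless. The comment at L677 says "Grep for versions" while nothing is grepped; `# Flag versions prior to 5.2 Update 2 (C.05.02.02.00)` describes what the line does.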

Added: trunk/openvas-plugins/scripts/gb_phpwebgallery_mult_vuln_oct08.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpwebgallery_mult_vuln_oct08.nasl	2008-10-21 14:06:22 UTC (rev 1595)
+++ trunk/openvas-plugins/scripts/gb_phpwebgallery_mult_vuln_oct08.nasl	2008-10-21 14:25:40 UTC (rev 1596)
@@ -0,0 +1,120 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_phpwebgallery_mult_vuln_oct08.nasl 352 2008-10-20 16:16:24Z oct $
+#
+# Multiple XSS Vulnerabilities in PHPWebGallery - Oct08
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800115);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-4591");
+  script_name(english:"Multiple XSS Vulnerabilities in PHPWebGallery - Oct08");
+  desc["english"] = "
+
+  Overview: The host is running PHPWebGallery which is prone to multiple
+  XSS and script inclusion Vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to improper validation of input data to parameters
+  in isadmin.inc.php file, which allow remote attackers to inject arbitrary
+  web script via lang[access_forbiden] and lang[ident_title] parameters.
+
+  Impact:
+  Successful attack could lead to execution of arbitrary HTML or scripting
+  code in the security context of an affected web page.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  PHPWebGallery Version 1.3.4 and prior on all running platform.
+
+  Fix: No solution/patch is available as on 21st October, 2008. Information
+  regarding this issue will updated once the solution details are available.
+  For updates refer, http://download.gna.org/phpwebgallery/
+
+  References:
+  http://www.milw0rm.com/exploits/6425
+
+  CVSS Score:
+    CVSS Base Score     : 5.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:N)
+    CVSS Temporal Score : 5.2
+  Risk factor: Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the Version of PHPWebGallery");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"CGI abuses : XSS");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+dirs = make_list("/phpwebgallery", cgi_dirs());
+foreach dir (dirs)
+{
+  url = dir + "/category.php";
+  sndReq = http_get(item:url, port:port);
+  rcvRes = http_keepalive_send_recv(port:port,data:sndReq,bodyonly:1);
+
+  if(rcvRes == NULL){
+    exit(0);
+  }
+
+  if(rcvRes =~ "Powered by.+PhpWebGallery")
+  {
+    if(safe_checks())
+    {
+      rcvRes = eregmatch(pattern:"PhpWebGallery.+ ([0-9.]+)", string:rcvRes);
+      if(rcvRes != NULL)
+      {
+        if(version_is_less_equal(version:rcvRes[1], test_version:"1.3.4")){
+          security_hole(port);
+        }
+      }
+      exit(0);
+    }
+    url = dir + "/admin/include/isadmin.inc.php?lang[access_forbiden]="+
+                "<script>alert(document.cookie);</script>";
+    sndReq = http_get(item:url, port:port);
+    rcvRes = http_keepalive_send_recv(port:port,data:sndReq,bodyonly:1);
+    if(rcvRes == NULL){
+      exit(0);
+    }
+
+    if("<script>alert(document.cookie);</script>" >< rcvRes){
+      security_hole(port);
+    }
+    exit(0);
+  }
+}
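Review bot: The active branch at L801 decides on `"<script>alert(document.cookie);</script>" >< rcvRes` with `bodyonly:1`, so any response that echoes the request URI — a 404 or error page generated by the web server rather than by PHPWebGallery — reflects the marker and yields a false positive; fetch the full response, confirm the status, and only then check the body: `rcvRes = http_keepalive_send_recv(port:port, data:sndReq);` `if(rcvRes =~ "^HTTP/1\.[01] 200" && "<script>alert(document.cookie);</script>" >< rcvRes)`. The safe-checks version regex `PhpWebGallery.+ ([0-9.]+)` is greedy and will pick up a later number on the page if the footer layout changes, so anchoring it closer to the version string would be more robust. The URL at L793-L794 is sent with `[`, `]`, `<` and `>` unencoded, which some servers reject outright; whether that matters for this target cannot be told from the script.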


Property changes on: trunk/openvas-plugins/scripts/gb_phpwebgallery_mult_vuln_oct08.nasl
___________________________________________________________________
Name: svn:executable
   + *


