[Openvas-commits] r1276 - trunk/openvas-plugins/scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue Sep 2 16:25:08 CEST 2008
Author: chandra
Date: 2008-09-02 16:25:07 +0200 (Tue, 02 Sep 2008)
New Revision: 1276
Added:
trunk/openvas-plugins/scripts/secpod_dotproject_mult_xss_n_sql_inj_vuln_900116.nasl
trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_linux_900210.nasl
trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_win_900209.nasl
Log:
Added new plugins
Added: trunk/openvas-plugins/scripts/secpod_dotproject_mult_xss_n_sql_inj_vuln_900116.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_dotproject_mult_xss_n_sql_inj_vuln_900116.nasl 2008-09-02 10:57:38 UTC (rev 1275)
+++ trunk/openvas-plugins/scripts/secpod_dotproject_mult_xss_n_sql_inj_vuln_900116.nasl 2008-09-02 14:25:07 UTC (rev 1276)
@@ -0,0 +1,118 @@
+##############################################################################
+#
+# dotProject Multiple XSS and SQL Injection Vulnerabilities
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/02
+#
+# Revision: 1.1
+#
+# Log: ssharath
+# Issue #0158
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900116);
+ script_bugtraq_id(30924);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_name(english:"dotProject Multiple XSS and SQL Injection Vulnerabilities");
+ script_summary(english:"Check for the vulnerable version of dotProject");
+ desc["english"] = "
+ Overview : The host is running dotProject, which is prone to multiple Cross
+ Site Scripting and SQL injection vulnerabilities.
+
+ Vulnerability Insight :
+ The flaws exists due to,
+ - improper sanitisation of input value passed to inactive, date,
+ calendar, callback and day_view, public, dialog and ticketsmith
+ parameters in index.php before being returned to the user.
+ - failing to validate the input passed to the tab and user_id parameter
+ in index.php file, before being used in SQL queries.
+
+ Impact: Successful exploitation will allow attackers to steal cookie
+ based authentication credentials of user and administrator, and can
+ also execute arbitrary code in the browser of an unsuspecting user
+ in the context of an affected site.
+
+ Impact Level : Application
+
+ Affected Software/OS:
+ dotProject version 2.1.2 and prior on all platform.
+
+ Fix : No solution/patch is available as on 02nd September, 2008. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates check, http://www.dotproject.net/
+
+ References : http://secunia.com/advisories/31681/
+ http://packetstorm.linuxsecurity.com/0808-exploits/dotproject-sqlxss.txt
+
+ CVSS Score :
+ CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:C/I:N/A:N)
+ CVSS Temporal Score : 6.4
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+ include("http_func.inc");
+ include("http_keepalive.inc");
+
+ port = get_http_port(default:80);
+ if(!port){
+ exit(0);
+ }
+
+ foreach path (make_list("/xampp/dotproject_2_1_2/dotproject", cgi_dirs()))
+ {
+ sndReq = http_get(item:string(path, "/index.php"), port:port);
+ rcvRes = http_keepalive_send_recv(port:port, data:sndReq);
+ if(rcvRes == NULL){
+ exit(0);
+ }
+
+ if(egrep(pattern:"dotProject", string:rcvRes) &&
+ egrep(pattern:"^HTTP/.* 200 OK", string:rcvRes))
+ {
+ if(safe_checks())
+ {
+ if(egrep(pattern:"Version ([01]\..*|2\.(0(\..*)?|" +
+ "1(\.[0-2])?))[^.0-9]", string:rcvRes)){
+ security_warning(port);
+ }
+ exit(0);
+ }
+
+ sndReq = http_get(item:string(path, "/index.php?m=public&a=" +
+ "calendar&dialog=1&callback=setCalendar%22" +
+ "%3E%3Cimg/src/onerror=alert(101010)%3E"),
+ port:port);
+ rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:1);
+ if(rcvRes == NULL){
+ exit(0);
+ }
+
+ if('alert(101010)%3E' >< rcvRes){
+ security_warning(port);
+ }
+ exit(0);
+ }
+ }
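Review bot: The `exit(0)` inside the first NULL check (`if(rcvRes == NULL){ exit(0); }` right after the index.php request) aborts the whole plugin for every remaining entry of the foreach list, so one unanswered request to the hard-coded /xampp path silently skips all of cgi_dirs(); `if(rcvRes == NULL){ continue; }` keeps the sweep going. The same pattern appears at the second NULL check after the calendar request, although there the banner has already matched, so exiting is defensible. Separately, the reflection test matches the URL-encoded form `'alert(101010)%3E' >< rcvRes`; if the application decodes the parameter before echoing it, the match misses and the plugin reports nothing on an affected version, so the expected echoed form should be confirmed against the referenced advisory before relying on this branch.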
Property changes on: trunk/openvas-plugins/scripts/secpod_dotproject_mult_xss_n_sql_inj_vuln_900116.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_linux_900210.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_linux_900210.nasl 2008-09-02 10:57:38 UTC (rev 1275)
+++ trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_linux_900210.nasl 2008-09-02 14:25:07 UTC (rev 1276)
@@ -0,0 +1,125 @@
+##############################################################################
+#
+# Novell eDirectory Multiple Vulnerabilities (Linux)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/01
+#
+# Revision: 1.1
+#
+# Log: veerendragg
+# Issue #0159
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900210);
+ script_bugtraq_id(30947);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Novell eDirectory Multiple Vulnerabilities (Linux)");
+ script_summary(english:"Check for Novell eDirectory version");
+ desc["english"] = "
+ Overview : This host is running Novell eDirectory, which is prone to XSS,
+ Denial of Service, and Remote Code Execution Vulnerabilities.
+
+ Vulnerability Insight :
+
+ Multiple flaw are due to,
+ - errors in HTTP Protocol Stack that can be exploited to cause heap
+ based buffer overflow via a specially crafted language/content-length
+ headers.
+ - input passed via unspecified parameters to the HTTP Protocol Stack is
+ not properly sanitzed before being returned to the user.
+ - Multiple unknown error exist in LDAP and NDS services.
+
+ Impact : Successful Remote exploitation will allow execution of
+ arbitrary code, heap-based buffer overflow, Cross Site Scripting
+ attacks, or cause memory corruption.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ Novell eDirectory 8.8 SP2 and prior versions on Linux (All).
+
+ Fix : Apply 8.8 Service Pack 3.
+ http://download.novell.com/Download?buildid=RH_B5b3M6EQ~
+
+ References : http://secunia.com/advisories/31684
+ http://securitytracker.com/alerts/2008/Aug/1020788.html
+ http://securitytracker.com/alerts/2008/Aug/1020787.html
+ http://securitytracker.com/alerts/2008/Aug/1020786.html
+ http://securitytracker.com/alerts/2008/Aug/1020785.html
+
+ CVSS Score :
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 6.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_ssh_sys_info.nasl");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+ include("ssh_func.inc");
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+ exit(0);
+ }
+
+ port = 8028;
+ if(!get_port_state(port))
+ {
+ port = 8030;
+ if(!get_port_state(port)){
+ exit(0);
+ }
+ }
+
+ sock = ssh_login_or_reuse_connection();
+ if(!sock){
+ exit(0);
+ }
+
+ output = ssh_cmd(socket:sock, cmd:"ndsd --version", timeout:120);
+ if("Novell eDirectory" >!< output)
+ {
+ output = ssh_cmd(socket:sock, timeout:120,
+ cmd:"/opt/novell/eDirectory/sbin/ndsd --version");
+ }
+
+ ssh_close_connection();
+
+ if("Novell eDirectory" >!< output){
+ exit(0);
+ }
+
+ if(!(egrep(pattern:"^Novell eDirectory ([0-7]\..*|8\.[0-7]( .*)?|8\.8( SP[0-2])?)[^.0-9]",
+ string:output))){
+ exit(0);
+ }
+
+ rpmList = get_kb_list("ssh/*/rpms");
+ foreach rpm (rpmList)
+ {
+ if((egrep(pattern:"^novell-AUDTedirinst~(9\.|8\.9\.|8.8.3|[1-9][0-9]+\.)",
+ string:rpm))){
+ exit(0);
+ }
+ }
+ security_warning(0);
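Review bot: The patched-package pattern `^novell-AUDTedirinst~(9\.|8\.9\.|8.8.3|[1-9][0-9]+\.)` leaves the dots in `8.8.3` unescaped, so that alternative matches any character between the digits, and it names only 8.8.3, so a later 8.8.x build (8.8.4 and up) would not be treated as patched and the plugin would still report the host; an escaped, open-ended alternative such as `8\.8\.([3-9]|[1-9][0-9])` is the narrower form. Whether such builds also pass the earlier `ndsd --version` gate depends on how that output is formatted, which the hunk does not show. Also, the 8028/8030 `get_port_state` probe only gates execution while the finding is reported with `security_warning(0)`; `security_warning(port)` would tie the result to the service port that was actually found open.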
Property changes on: trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_linux_900210.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_win_900209.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_win_900209.nasl 2008-09-02 10:57:38 UTC (rev 1275)
+++ trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_win_900209.nasl 2008-09-02 14:25:07 UTC (rev 1276)
@@ -0,0 +1,174 @@
+##############################################################################
+#
+# Novell eDirectory Multiple Vulnerabilities (Win)
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/02
+#
+# Revision: 1.1
+#
+# Log: veerendragg
+# Issue #0159
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900209);
+ script_bugtraq_id(30947);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Novell eDirectory Multiple Vulnerabilities (Win)");
+ script_summary(english:"Check for Novell eDirectory version");
+ desc["english"] = "
+ Overview : This host is running Novell eDirectory, which is prone to XSS,
+ Denial of Service, and Remote Code Execution Vulnerabilities.
+
+ Vulnerability Insight :
+
+ Multiple flaw are due to,
+ - errors in HTTP Protocol Stack that can be exploited to cause heap
+ based buffer overflow via a specially crafted language/content-length
+ headers.
+ - input passed via unspecified parameters to the HTTP Protocol Stack is
+ not properly sanitzed before being returned to the user.
+ - Multiple unknown error exist in LDAP and NDS services.
+
+ Impact : Successful Remote exploitation will allow execution of
+ arbitrary code, heap-based buffer overflow, Cross Site Scripting
+ attacks, or cause memory corruption.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ Novell eDirectory 8.8 SP2 and prior versions on Windows 2000/2003.
+
+ Fix : Apply 8.8 Service Pack 3.
+ http://download.novell.com/Download?buildid=RH_B5b3M6EQ~
+
+ References : http://secunia.com/advisories/31684
+ http://securitytracker.com/alerts/2008/Aug/1020788.html
+ http://securitytracker.com/alerts/2008/Aug/1020787.html
+ http://securitytracker.com/alerts/2008/Aug/1020786.html
+ http://securitytracker.com/alerts/2008/Aug/1020785.html
+
+ CVSS Score :
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 6.9
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ port = 8028;
+ if(!get_port_state(port))
+ {
+ port = 8030;
+ if(!get_port_state(port)){
+ exit(0);
+ }
+ }
+
+ eDirVer = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+ "\Uninstall\NDSonNT", item:"DisplayName");
+ if(!eDirVer){
+ exit(0);
+ }
+
+ # Grep for Novell eDirectory Version < 8.8 SP2
+ if(!(egrep(pattern:"^Novell eDirectory ([0-7]\..*|8\.[0-7]( .*)?|8\.8( SP[0-2])?)$",
+ string:eDirVer))){
+ exit(0);
+ }
+
+ eDirPath = registry_get_sz(key:"SOFTWARE\NOVELL\NDS\NDSSNMPAgent" +
+ "\CurrentVersion", item:"Pathname");
+ if(!eDirPath){
+ exit(0);
+ }
+
+ eDirPath = eDirPath - "ndssnmpsa.dll";
+
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:eDirPath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:eDirPath +
+ "nauditds.dlm ");
+
+ name = kb_smb_name();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ domain = kb_smb_domain();
+ port = kb_smb_transport();
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r){
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot){
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r){
+ close(soc);
+ exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+ close(soc);
+ exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid){
+ close(soc);
+ exit(0);
+ }
+
+ # Check for patch (By file size).
+ fsize = smb_get_file_size(socket:soc, uid:uid, tid:tid, fid:fid);
+ close(soc);
+
+ if(!fsize){
+ exit(0);
+ }
+
+ if(fsize < 110592){
+ security_warning(0);
+ }
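Review bot: The file name assembled at `file = ereg_replace(... string:eDirPath + "nauditds.dlm ")` carries a trailing space inside the literal, so OpenAndX asks the server for `nauditds.dlm ` rather than `nauditds.dlm`; whether the SMB server tolerates that is not something the hunk shows, and if it does not, the open fails and the plugin exits without reporting. Dropping the space, `"nauditds.dlm"`, removes the ambiguity. The comment `# Grep for Novell eDirectory Version < 8.8 SP2` also disagrees with the regex beneath it, which accepts `8.8 SP2` itself (consistent with the description's "8.8 SP2 and prior"); `# Novell eDirectory version <= 8.8 SP2 (8.8 SP3 is the fix)` says what the pattern does. The threshold in `if(fsize < 110592)` is a magic number with no note on which build of nauditds.dlm it was measured from; a comment naming that build would make the size-based patch check maintainable.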
Property changes on: trunk/openvas-plugins/scripts/secpod_novell_edir_mult_vuln_win_900209.nasl
___________________________________________________________________
Name: svn:executable
+ *