[Openvas-commits] r3095 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Apr 10 19:06:20 CEST 2009
Author: mime
Date: 2009-04-10 19:06:18 +0200 (Fri, 10 Apr 2009)
New Revision: 3095
Added:
trunk/openvas-plugins/scripts/horde_29745.nasl
trunk/openvas-plugins/scripts/horde_33367.nasl
trunk/openvas-plugins/scripts/horde_33491.nasl
trunk/openvas-plugins/scripts/linpha_34422.nasl
trunk/openvas-plugins/scripts/linpha_detect.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/oscommerce_34348.nasl
trunk/openvas-plugins/scripts/oscommerce_detect.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/ChangeLog 2009-04-10 17:06:18 UTC (rev 3095)
@@ -1,3 +1,15 @@
+2009-04-10 Michael Meyer <mime at gmx.de>
+ * scripts/linpha_34422.nasl,
+ scripts/horde_33491.nasl,
+ scripts/horde_29745.nasl,
+ scripts/linpha_detect.nasl,
+ scripts/horde_33367.nasl:
+ Added new plugins
+
+ * scripts/oscommerce_34348.nasl,
+ scripts/oscommerce_detect.nasl:
+ Avoid false positives.
+
2009-04-09 Chandrashekhar B <bchandra at secpod.com>
* extra/lsc_generator/README:
Updated release notes upto the latest releases
Added: trunk/openvas-plugins/scripts/horde_29745.nasl
===================================================================
--- trunk/openvas-plugins/scripts/horde_29745.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/horde_29745.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Horde Turba 'services/obrowser/index.php' HTML Injection
+# Vulnerability
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100116);
+ script_bugtraq_id(29745);
+ script_version ("1.0");
+
+ script_name(english:"Horde Turba 'services/obrowser/index.php' HTML Injection Vulnerability");
+ desc["english"] = "
+
+ Overview:
+
+ Horde Turba is prone to an HTML-injection vulnerability because it
+ fails to properly sanitize user-supplied input.
+
+ Attacker-supplied HTML and script code would execute in the context
+ of the affected site, potentially allowing the attacker to steal
+ cookie-based authentication credentials or to control how the site is
+ rendered to the user; other attacks are also possible.
+
+ Horde 3.1.7, 3.2, and prior versions are vulnerable.
+
+ See also:
+ http://www.securityfocus.com/bid/29745
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if horde vulnerable to HTML Injection");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("horde_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/horde")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers)) {
+
+ if(version_in_range(version:vers, test_version:"3.1", test_version2:"3.1.7") ||
+ version_in_range(version:vers, test_version:"3.2", test_version2:"3.2.0") ) {
+ security_warning(port:port);
+ exit(0);
+ }
+
+}
+
+exit(0);
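Review bot: The version test `version_in_range(version:vers, test_version:"3.1", test_version2:"3.1.7") || version_in_range(version:vers, test_version:"3.2", test_version2:"3.2.0")` never matches anything below 3.1, yet the description in the same hunk says "Horde 3.1.7, 3.2, and prior versions are vulnerable", so a 3.0.x install is reported as clean. Replacing the first range with `version_is_less_equal(version:vers, test_version:"3.1.7")` (the helper linpha_34422.nasl already uses) covers what the text claims. The same gap exists in horde_33367.nasl (3.2–3.2.2 / 3.3–3.3.0 for "prior to 3.2.3 and 3.3.1") and horde_33491.nasl (3.2–3.2.3 / 3.3–3.3.2 for "prior to 3.2.4 and 3.3.3"). None of the three horde scripts guards against the detection plugin storing the literal "unknown" as the version the way linpha_34422.nasl does with `vers >!< "unknown"`; whether version_in_range rejects that string cleanly I cannot tell from here, so adding the guard keeps the scripts consistent.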
Property changes on: trunk/openvas-plugins/scripts/horde_29745.nasl
___________________________________________________________________
Name: svn_keywords
+ ID
Added: trunk/openvas-plugins/scripts/horde_33367.nasl
===================================================================
--- trunk/openvas-plugins/scripts/horde_33367.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/horde_33367.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Horde XSS Filter Cross Site Scripting Vulnerability
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100117);
+ script_bugtraq_id(33367);
+ script_cve_id("CVE-2008-5917");
+ script_version ("1.0");
+
+ script_name(english:"Horde XSS Filter Cross Site Scripting Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ Horde is prone to a cross-site scripting vulnerability because it
+ fails to properly sanitize user-supplied input.
+
+ An attacker may leverage this issue to execute arbitrary script code
+ in the browser of an unsuspecting user in the context of the
+ affected site. This may let the attacker steal cookie-based
+ authentication credentials and launch other attacks.
+
+ Note that this issue also affects Turba on Horde IMP.
+
+ Versions prior to Horde 3.2.3 and 3.3.1 are vulnerable.
+
+ See also:
+ http://www.securityfocus.com/bid/33367
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if horde vulnerable to XSS");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("horde_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/horde")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers)) {
+
+ if(version_in_range(version:vers, test_version:"3.3", test_version2:"3.3.0") ||
+ version_in_range(version:vers, test_version:"3.2", test_version2:"3.2.2") ) {
+ security_warning(port:port);
+ exit(0);
+ }
+
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/horde_33367.nasl
___________________________________________________________________
Name: svn_keywords
+ ID
Added: trunk/openvas-plugins/scripts/horde_33491.nasl
===================================================================
--- trunk/openvas-plugins/scripts/horde_33491.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/horde_33491.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Horde Products Local File Include and Cross Site Scripting
+# Vulnerabilities
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100118);
+ script_bugtraq_id(33491);
+ script_cve_id("CVE-2009-0932");
+ script_version ("1.0");
+
+ script_name(english:"Horde Products Local File Include and Cross Site Scripting Vulnerabilities");
+ desc["english"] = "
+
+ Overview:
+ Horde products are prone to a local file-include vulnerability and a
+ cross-site scripting vulnerability because they fail to properly
+ sanitize user-supplied input.
+
+ An attacker can exploit the local file-include vulnerability using
+ directory-traversal strings to view and execute local files within
+ the context of the webserver process. Information harvested may aid
+ in further attacks.
+
+ The attacker may leverage the cross-site scripting issue to execute
+ arbitrary script code in the browser of an unsuspecting user in the
+ context of the affected site. This may let the attacker steal
+ cookie-based authentication credentials and launch other attacks.
+
+ The issues affect versions prior to the following:
+
+ Horde 3.2.4 and 3.3.3
+ Horde Groupware 1.1.5
+
+ See also:
+ http://www.securityfocus.com/bid/33491
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if horde vulnerable to XSS and Local File Include");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("horde_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/horde")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers)) {
+
+ if(version_in_range(version:vers, test_version:"3.3", test_version2:"3.3.2") ||
+ version_in_range(version:vers, test_version:"3.2", test_version2:"3.2.3") ) {
+ security_warning(port:port);
+ exit(0);
+ }
+
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/horde_33491.nasl
___________________________________________________________________
Name: svn_keywords
+ ID
Added: trunk/openvas-plugins/scripts/linpha_34422.nasl
===================================================================
--- trunk/openvas-plugins/scripts/linpha_34422.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/linpha_34422.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# LinPHA 1.3.4 Multiple Cross-Site Scripting Vulnerabilities
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100120);
+ script_bugtraq_id(34422);
+ script_version ("1.0");
+
+ script_name(english:"LinPHA 1.3.4 Multiple Cross-Site Scripting Vulnerabilities");
+ desc["english"] = "
+
+ Overview:
+ According to its version number, the remote version of LinPHA is
+ prone to multiple cross-site scripting vulnerabilities because it
+ fails to sufficiently sanitize user-supplied input data.
+
+ Attackers can leverage these issues to execute arbitrary script code
+ in the browser of an unsuspecting user in the context of the
+ affected site. This may help attackers steal cookie-based
+ authentication credentials and launch other attacks.
+
+ LinPHA 1.3.4 is vulnerable; other versions may also be affected.
+
+ See also:
+ http://www.securityfocus.com/bid/34422
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if LinPHA = 1.3.4");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("linpha_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/linpha")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers) && vers >!< "unknown") {
+ if(version_is_less_equal(version: vers, test_version: "1.3.4")) {
+ security_warning(port:port);
+ exit(0);
+ }
+
+}
+
+exit(0);
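Review bot: The check `version_is_less_equal(version: vers, test_version: "1.3.4")` flags every release up to and including 1.3.4, while `script_summary(english:"Determine if LinPHA = 1.3.4");` and the description ("other versions may also be affected") only commit to 1.3.4 itself, so the report text and the logic disagree about which hosts get the warning. Either narrow the test to the confirmed release with `version_is_equal` (if version_func.inc provides it) or make the summary match, e.g. `script_summary(english:"Determine if LinPHA <= 1.3.4");`. The `vers >!< "unknown"` guard is correct here because linpha_detect.nasl stores the literal "unknown" when no version string is found.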
Property changes on: trunk/openvas-plugins/scripts/linpha_34422.nasl
___________________________________________________________________
Name: svn_keywords
+ ID
Added: trunk/openvas-plugins/scripts/linpha_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/linpha_detect.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/linpha_detect.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -0,0 +1,112 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# LinPHA Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc["english"] = "
+
+ Overview:
+ This host is running LinPHA, a photo/image archive/album/gallery
+ written in PHP.
+
+ See also:
+ http://linpha.sourceforge.net
+
+ Risk factor : None";
+
+if (description)
+{
+ script_id(100119);
+ script_version ("1.0");
+
+ script_name(english:"LinPHA Detection");
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Checks for the presence of LinPHA");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/linpha","/image","/album",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "LinPHA Version [0-9.]+", string: buf, icase: TRUE) && egrep(pattern: "The LinPHA developers", string: buf, icase: TRUE))
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ vers = string("unknown");
+
+ ### try to get version
+ version = eregmatch(string: buf, pattern: "LinPHA Version ([0-9.]+)",icase:TRUE, multiline: TRUE);
+
+ if ( !isnull(version[1]) ) {
+ vers=chomp(version[1]);
+ }
+
+ set_kb_item(name: string("www/", port, "/linpha"), value: string(vers," under ",install));
+
+ info = string("None\n\nLinPHA Version '");
+ info += string(vers);
+ info += string("' was detected on the remote host in the following directory(s):\n\n");
+ info += string(install, "\n");
+
+ desc = ereg_replace(
+ string:desc["english"],
+ pattern:"None$",
+ replace:info
+ );
+
+ if(report_verbosity > 0) {
+ security_note(port:port,data:desc);
+ }
+ exit(0);
+
+ }
+}
+exit(0);
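Review bot: The report assembled at `info += string("' was detected on the remote host in the following directory(s):\n\n");` promises several directories, but the `exit(0);` inside `foreach dir (dirs)` stops after the first hit, so only one install is ever written to the KB or reported. Either drop the per-hit exit and accumulate each `install` into `info` (with one `set_kb_item` per directory), or change the wording to "in the following directory:". The version copied into the KB and the report is constrained to `[0-9.]+` by the eregmatch, so page content cannot leak into the report text; that is worth a one-line comment on the `version = eregmatch(...)` line so nobody loosens the pattern later.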
Property changes on: trunk/openvas-plugins/scripts/linpha_detect.nasl
___________________________________________________________________
Name: svn_keywords
+ ID
Modified: trunk/openvas-plugins/scripts/oscommerce_34348.nasl
===================================================================
--- trunk/openvas-plugins/scripts/oscommerce_34348.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/oscommerce_34348.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -71,11 +71,14 @@
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);
-if(!dir = get_kb_list("Software/osCommerce/dir"))exit(0);
+if(!version = get_kb_item(string("www/", port, "/oscommerce")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
-foreach d (dir)
+dir = matches[2];
+
+if(!isnull(dir))
{
- url = string(d, "/index.php?osCsid=a815a815a815a815");
+ url = string(dir, "/index.php?osCsid=a815a815a815a815");
req = http_get(item:url, port:port);
buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if( buf == NULL )exit(0);
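Review bot: `version` in `if(!version = get_kb_item(string("www/", port, "/oscommerce")))exit(0);` is not a version — oscommerce_detect.nasl in this same commit always writes `"unknown under <dir>"` — and only `matches[2]` is used, so the name misleads; a comment such as `# KB value is "<version> under <dir>"; the detect script currently stores "unknown", only the dir is used` would help the next reader. The `if(!isnull(dir))` test is redundant once `eregmatch` with pattern `^(.+) under (/.*)$` has succeeded, since group 2 is then always set. The removed `foreach d (dir)` walked every directory in the `Software/osCommerce/dir` list, whereas the new code handles a single KB item, so a host with several osCommerce directories is only checked for whichever value get_kb_item returns unless the scanner forks on multi-valued keys, which I cannot confirm from here. The block continues past the end of the hunk.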
Modified: trunk/openvas-plugins/scripts/oscommerce_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/oscommerce_detect.nasl 2009-04-10 14:24:40 UTC (rev 3094)
+++ trunk/openvas-plugins/scripts/oscommerce_detect.nasl 2009-04-10 17:06:18 UTC (rev 3095)
@@ -115,7 +115,8 @@
set_kb_item(name:"Software/osCommerce", value: TRUE);
}
info += string(found, "\n");
- set_kb_item(name:"Software/osCommerce/dir", value: found);
+ set_kb_item(name:"Software/osCommerce/dir", value: found);
+ set_kb_item(name: string("www/", port, "/oscommerce"), value: string("unknown under ",found));
}
desc = ereg_replace(
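Review bot: The new key `set_kb_item(name: string("www/", port, "/oscommerce"), value: string("unknown under ",found));` hardcodes the literal "unknown" as the version, so every consumer that parses `<version> under <dir>` gets no version information from it; a comment stating this is deliberate, e.g. `# no version fingerprint yet; "unknown" keeps the "<version> under <dir>" format parsed by oscommerce_34348.nasl`, would stop a later reader from treating it as a detection bug. If `found` can ever be an empty string, the consumer's pattern `^(.+) under (/.*)$` will not match and the check silently exits; I cannot see where `found` is built, so confirm it always starts with "/". The re-indented `Software/osCommerce/dir` line is a whitespace-only change, and the enclosing loop begins outside the hunk.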