[Openvas-commits] r6098 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Dec 8 22:02:27 CET 2009


Author: mime
Date: 2009-12-08 22:02:24 +0100 (Tue, 08 Dec 2009)
New Revision: 6098

Added:
   trunk/openvas-plugins/scripts/awstats_37157.nasl
   trunk/openvas-plugins/scripts/invision_power_board_37208.nasl
   trunk/openvas-plugins/scripts/phpshop_37227.nasl
   trunk/openvas-plugins/scripts/phpshop_detect.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/polipo_37226.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/ChangeLog	2009-12-08 21:02:24 UTC (rev 6098)
@@ -1,5 +1,16 @@
 2009-12-08 Michael Meyer <michael.meyer at intevation.de>
 
+	* scripts/phpshop_37227.nasl,
+	scripts/invision_power_board_37208.nasl,
+	scripts/phpshop_detect.nasl,
+	scripts/awstats_37157.nasl:
+	Added new plugins.
+
+	* scripts/polipo_37226.nasl:
+	Exit if !soc.
+
+2009-12-08 Michael Meyer <michael.meyer at intevation.de>
+
 	* scripts/iWeb_37228.nasl,
 	scripts/CoreHTTP_37237.nasl,
 	scripts/polipo_37226.nasl:

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/cve_current.txt	2009-12-08 21:02:24 UTC (rev 6098)
@@ -354,5 +354,8 @@
 37228				Greenbone	svn		R
 37226				Greenbone	svn		R
 37237				Greenbone	svn		R
+37227				Greenbone	svn		R
+37208				Greenbone	svn		R
+37157				Greenbone	svn		R
 
 

Added: trunk/openvas-plugins/scripts/awstats_37157.nasl
===================================================================
--- trunk/openvas-plugins/scripts/awstats_37157.nasl	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/scripts/awstats_37157.nasl	2009-12-08 21:02:24 UTC (rev 6098)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# AWStats Multiple Unspecified Security Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100380);
+ script_bugtraq_id(37157);
+ script_version ("1.0-$Revision$");
+
+ script_name("AWStats Multiple Unspecified Security Vulnerabilities");
+
+desc = "Overview:
+AWStats is prone to multiple security vulnerabilities.
+
+Very few details are available. We will update this BID as more
+information emerges.
+
+The impact of these issues has not been disclosed.
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/37157
+http://awstats.sourceforge.net/docs/awstats_changelog.txt
+http://awstats.sourceforge.net/
+
+Risk factor : Low";
+
+ script_description(desc);
+ script_summary("Determine if AWStats version is < 6.95");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("awstats_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/awstats")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(version_is_less(version: vers, test_version: "6.95")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
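Review bot: The `Solution:` paragraph in desc says only `Updates are available. Please see the references for details.`, while the check `version_is_less(version: vers, test_version: "6.95")` and the script_summary both pin 6.95 as the fixed release; naming it in the report makes the finding actionable without following the BID link, e.g. `Updates are available. Upgrade to AWStats 6.95 or later. Please see the references for details.`. The install directory captured in `matches[2]` is parsed but never reported, so on a port with more than one AWStats install the warning does not say which one was matched; consider passing a short data string with the directory to `security_warning`, as the detection script in this commit does for its note.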


Property changes on: trunk/openvas-plugins/scripts/awstats_37157.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/invision_power_board_37208.nasl
===================================================================
--- trunk/openvas-plugins/scripts/invision_power_board_37208.nasl	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/scripts/invision_power_board_37208.nasl	2009-12-08 21:02:24 UTC (rev 6098)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Invision Power Board Local File Include and SQL Injection Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100381);
+ script_bugtraq_id(37208);
+ script_version ("1.0-$Revision$");
+
+ script_name("Invision Power Board Local File Include and SQL Injection Vulnerabilities");
+
+desc = "Overview:
+Invision Power Board is prone to a local file-include vulnerability
+and multiple SQL-injection vulnerabilities because it fails to
+properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-
+traversal strings to view and execute arbitrary local files within the
+context of the webserver process. Information harvested may aid in
+further attacks.
+
+The attacker can exploit the SQL-injection vulnerabilities to
+compromise the application, access or modify data, or exploit latent
+vulnerabilities in the underlying database.
+
+Invision Power Board 3.0.4 and 2.3.6 are vulnerable; other versions
+may also be affected.
+
+References:
+http://www.securityfocus.com/bid/37208
+http://www.invisionpower.com/community/board/index.html
+http://www.securityfocus.com/archive/1/508207
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Invision Power Board version is 3.0.4 or 2.3.6");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("invision_power_board_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/invision_power_board")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(version_is_equal(version: vers, test_version: "3.0.4") ||
+     version_is_equal(version: vers, test_version: "2.3.6")
+     ) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
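Review bot: The report text in desc has no `Solution:` section, unlike the awstats plugin added in the same commit, so a reader sees the affected versions (`3.0.4 and 2.3.6`) but nothing about remediation. If the referenced advisory names a fixed release, add a `Solution:` paragraph before `References:`; otherwise state explicitly that no fix was known at the time of writing. The exact-match test `version_is_equal(version: vers, test_version: "3.0.4") || version_is_equal(version: vers, test_version: "2.3.6")` agrees with the summary, but since the description says other versions may be affected, a one-line comment above it noting that the narrow match is deliberate (to avoid false positives on unconfirmed versions) would help the next maintainer.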


Property changes on: trunk/openvas-plugins/scripts/invision_power_board_37208.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/phpshop_37227.nasl
===================================================================
--- trunk/openvas-plugins/scripts/phpshop_37227.nasl	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/scripts/phpshop_37227.nasl	2009-12-08 21:02:24 UTC (rev 6098)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PhpShop Cross-Site Scripting and SQL Injection Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100383);
+ script_bugtraq_id(37227);
+ script_version ("1.0-$Revision$");
+
+ script_name("PhpShop Cross-Site Scripting and SQL Injection Vulnerabilities");
+
+desc = "Overview:
+PhpShop is prone to a cross-site scripting vulnerability and multiple
+SQL-injection vulnerabilities because it fails to adequately sanitize
+user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-
+based authentication credentials, compromise the application,
+access or modify data, or exploit latent vulnerabilities in the
+underlying database.
+
+PhpShop 0.8.1 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/37227
+http://www.phpshop.org/
+http://www.securityfocus.com/archive/1/508243
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if PhpShop is prone to multiple vulnerabilities");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("phpshop_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/SET_ME")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+dir = matches[2];
+if(isnull(dir))exit(0);
+
+url = string(dir,"/?page=shop/flypage&product_id=1011%27/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374/**/from/**/auth_user_md5--%20aaa");
+req = http_get(item:url, port:port);
+buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+if( buf == NULL )exit(0);
+
+if(egrep(pattern: "OpenVAS-SQL-Injection-Test", string: buf)) {
+  security_warning(port:port);
+  exit(0);
+}  
+
+exit(0);
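Review bot: The KB lookup `if(!version = get_kb_item(string("www/", port, "/SET_ME")))exit(0);` reads a placeholder key that was never filled in; the detection script added in this same commit stores its result under `www/<port>/phpshop` (see its `set_kb_item` call), so this check never finds an install and the plugin always exits silently. Change the line to `if(!version = get_kb_item(string("www/", port, "/phpshop")))exit(0);`. The rest of the flow (directory from `matches[2]`, `buf == NULL` guard, marker grep) is consistent with the sibling plugins once that key is corrected.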


Property changes on: trunk/openvas-plugins/scripts/phpshop_37227.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/phpshop_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/phpshop_detect.nasl	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/scripts/phpshop_detect.nasl	2009-12-08 21:02:24 UTC (rev 6098)
@@ -0,0 +1,123 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PhpShop Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running PhpShop, a PHP-powered shopping cart application.
+
+See also:
+http://www.phpshop.org/
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100382);
+ script_version ("1.0-$Revision$");
+
+ script_name("PhpShop Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of PhpShop");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/shop","/phpshop",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "Powered by <a [^>]+>phpShop", string: buf, icase: TRUE))
+ {
+     if(strlen(dir)>0) {
+        install=dir;
+     } else {
+        install=string("/");
+     }
+
+    vers = string("unknown");
+    ### try to get version 
+    version = eregmatch(string: buf, pattern: "Powered by <a [^>]+>phpShop</a> ([0-9.]+)",icase:TRUE);
+
+    if ( !isnull(version[1]) ) {
+       vers=chomp(version[1]);
+       if(version_is_equal(version: vers, test_version: "0.8.0")) { # downloaded version 0.8.1 but /WEB-INF/etc/config.php contains "define("PHPSHOP_VERSION","0.8.0");". In README.txt -> "phpShop version 0.8.1". So if version is 0.8.0 check README.txt to make sure we got the real version.
+         url = string(dir, "/README.txt");
+	 req = http_get(item:url, port:port);
+	 buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+	 if(buf) {
+           version = eregmatch(string: buf, pattern:"phpShop version ([0-9.]+)");
+	   if(!isnull(version[1]) && version[1] != vers) {
+             vers = version[1];
+	   }  
+	 }  
+       }  
+     }	 
+    
+
+    set_kb_item(name: string("www/", port, "/phpshop"), value: string(vers," under ",install));
+
+    info = string("None\n\nPhpShop Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host in the following directory(s):\n\n");
+    info += string(install, "\n");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"None$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+}
+
+exit(0);
+
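Review bot: The `exit(0)` inside the `foreach dir (dirs)` loop right after the first match means only one install is ever recorded in the KB and reported, yet the report text says `in the following directory(s):`; either drop that exit and accumulate `install` across directories (calling `set_kb_item` per hit), or change the wording to the singular so the output matches what the code does. The README.txt fallback block (from `req = http_get(item:url, port:port);` down to its closing braces) mixes tabs and spaces, and the long trailing comment on the `version_is_equal(version: vers, test_version: "0.8.0")` line would read better as a short block comment above the `if` explaining why 0.8.0 triggers a second lookup. That fallback also reuses `buf` for the README response, which is harmless here only because nothing after it re-reads the index page; a separate variable would make that explicit.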


Property changes on: trunk/openvas-plugins/scripts/phpshop_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/polipo_37226.nasl
===================================================================
--- trunk/openvas-plugins/scripts/polipo_37226.nasl	2009-12-08 11:57:07 UTC (rev 6097)
+++ trunk/openvas-plugins/scripts/polipo_37226.nasl	2009-12-08 21:02:24 UTC (rev 6098)
@@ -74,6 +74,8 @@
  {
 
     soc = http_open_socket(port);
+    if(!soc)exit(0);
+
     req = string("GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n");
     send(socket:soc, data:req);
 


