[Openvas-commits] r3429 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue May 19 15:51:57 CEST 2009


Author: mwiegand
Date: 2009-05-19 15:51:55 +0200 (Tue, 19 May 2009)
New Revision: 3429

Removed:
   trunk/openvas-plugins/scripts/smb_hotfixes.inc
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/apache_username.nasl
Log:
* scripts/smb_hotfixes.inc: Removed obsolete include file. The
functionality is now provided by secpod_reg.inc.

* scripts/apache_username.nasl: Reverted to version of initial author.


Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-05-19 13:39:46 UTC (rev 3428)
+++ trunk/openvas-plugins/ChangeLog	2009-05-19 13:51:55 UTC (rev 3429)
@@ -1,3 +1,10 @@
+2009-05-19  Michael Wiegand <michael.wiegand at intevation.de>
+
+	* scripts/smb_hotfixes.inc: Removed obsolete include file. The
+	functionality is now provided by secpod_reg.inc.
+
+	* scripts/apache_username.nasl: Reverted to version of initial author.
+
 2009-05-19 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/os_fingerprint.nasl:
 	Committed plugin from Goran Licina <goran.licina at lss.hr> and the team

Modified: trunk/openvas-plugins/scripts/apache_username.nasl
===================================================================
--- trunk/openvas-plugins/scripts/apache_username.nasl	2009-05-19 13:39:46 UTC (rev 3428)
+++ trunk/openvas-plugins/scripts/apache_username.nasl	2009-05-19 13:51:55 UTC (rev 3429)
@@ -1,87 +1,61 @@
-###############################################################################
-# OpenVAS Vulnerability Test
-# $Id$
 #
-# Apache Remote Username Enumeration Vulnerability
+# Copyright 2001 by Noam Rathaus <noamr at securiteam.com>
 #
-# Authors:
-# Tenable Network Security
+# See the Nessus Scripts License for details
 #
-# Copyright:
-# Copyright (C) 2005 Tenable Network Security
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2,
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-###############################################################################
 
-#
-# GPL licensed by Tenable and distributed under Tenable GPL feed - 10 July 2006
-#
-
-#
-# (C) Tenable Network Security
-#
-
 if(description)
 {
  script_id(10766); 
  script_bugtraq_id(3335);
- script_cve_id("CVE-2001-1013");
+ script_cve_id("CAN-2001-1013");
  script_version ("$Revision$");
 
- name["english"] = "Apache Remote Username Enumeration Vulnerability";
+ name["english"] = "Apache UserDir Sensitive Information Disclosure";
  script_name(english:name["english"]);
 
- desc["english"] = "
-Synopsis :
+ desc["english"] = "An information leak occurs on Apache based web servers 
+whenever the UserDir module is enabled. The vulnerability allows an external 
+attacker to enumerate existing accounts by requesting access to their home 
+directory and monitoring the response.
 
-The remote Apache server can be used to guess the presence of a given user
-name on the remote host.
 
-Description :
+Solution: 
+1) Disable this feature by changing 'UserDir public_html' (or whatever) to 
+'UserDir  disabled'.
 
-When configured with the 'UserDir' option, requests to URLs containing a tilde
-followed by a username will redirect the user to a given subdirectory in the
-user home.
+Or
 
-For instance, by default, requesting /~root/ displays the HTML contents from
-/root/public_html/.
+2) Use a RedirectMatch rewrite rule under Apache -- this works even if there 
+is no such  entry in the password file, e.g.:
+RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
 
-If the username requested does not exist, then Apache will reply with a 
-different error code. Therefore, an attacker may exploit this vulnerability
-to guess the presence of a given user name on the remote host.
+Or
 
-Solution : 
+3) Add into httpd.conf:
+ErrorDocument 404 http://localhost/sample.html
+ErrorDocument 403 http://localhost/sample.html
+(NOTE: You need to use a FQDN inside the URL for it to work properly).
 
-In httpd.conf, set the 'UserDir' to 'disabled'.
+Additional Information:
+http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
 
-Risk factor :
 
-Low / CVSS Base Score : 2 
-(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)";
+Risk factor : Low";
 
  script_description(english:desc["english"]);
 
- summary["english"] = "Checks for the error codes returned by Apache when requesting a non-existant user name";
+ summary["english"] = "Apache UserDir Sensitive Information Disclosure";
  script_summary(english:summary["english"]);
 
  script_category(ACT_GATHER_INFO);
 
- script_copyright(english:"This script is Copyright (C) 2005 Teanble Network Security");
- family["english"] = "Web Servers";
+ script_copyright(english:"This script is Copyright (C) 2001 SecuriTeam");
+ family["english"] = "Misc.";
  script_family(english:family["english"]);
 
- script_dependencie("http_version.nasl");
+ script_dependencie("find_service.nes", "http_version.nasl");
  script_require_keys("www/apache");
  script_require_ports("Services/www", 80);
  exit(0);
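Review bot: `script_cve_id("CAN-2001-1013");` reintroduces the retired candidate prefix; the identifier was already `CVE-2001-1013` on the removed line, and tools that correlate findings by CVE key on the `CVE-` form, so the revert loses that cross-reference even though the rest of the file goes back to the original author's version. Keep `script_cve_id("CVE-2001-1013");` here while reverting the surrounding text. The `script_dependencie("find_service.nes", "http_version.nasl");` line now names a compiled `.nes` dependency; I cannot tell from this hunk whether that file exists in this tree, so it is worth confirming the dependency resolves before the plugin is shipped.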
@@ -90,28 +64,39 @@
 #
 # The script code starts here
 #
-include("misc_func.inc");
+
 include("http_func.inc");
-include("http_keepalive.inc");
 
 port = get_http_port(default:80);
+
+
 if (! get_port_state(port)) exit(0);
-if ( get_kb_item("Services/www/" + port + "/embedded" ) ) exit(0);
 
-banner = get_http_banner(port:port);
-if ( ! banner ) exit(0);
-if ( ! egrep(pattern:"Server: .*Apache", string:banner) ) exit(0);
+soc = http_open_socket(port);
+if(! soc) exit(0);
 
-req = http_get(item:"/~root", port:port);
-res = http_keepalive_send_recv(port:port, data:req);
-if ( ! res ) exit(0);
-code = egrep(pattern:"HTTP/[0-9]\.[0-9] [0-9]* ", string:res);
-if ( ! code ) exit(0);
 
-req = http_get(item:"/~" + rand_str(length:8), port:port);
-res = http_keepalive_send_recv(port:port, data:req);
-if ( ! res ) exit(0);
-code2 = egrep(pattern:"HTTP/[0-9]\.[0-9] [0-9]* ", string:res);
-if ( ! code2 ) exit(0);
+soc = http_open_socket(port);
+if (soc)
+{
+ req = http_head(item:"/~root", port:port);
+ send(socket:soc, data:req);
+ buf_valid = recv_line(socket:soc, length:1000);
+ http_close_socket(soc);
+}
 
-if ( code2 != code ) security_note(port);
+soc = http_open_socket(port);
+if (soc)
+{
+ req = http_head(item:"/~anna_foo_fighter", port:port);
+ send(socket:soc, data:req);
+ buf_invalid = recv_line(socket:soc, length:1000);
+ http_close_socket(soc);
+}
+
+if (("403 Forbidden" >< buf_valid) && ("404 Not Found" >< buf_invalid))
+{
+ security_note(port);
+}
+
+
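Review bot: The first `soc = http_open_socket(port); if(! soc) exit(0);` pair right after the port-state check opens a connection that is never used or closed — `soc` is overwritten by the next `http_open_socket(port)` before any `send`, so every run leaks one socket to the target. Either delete those two lines or close the handle before reopening, `if(! soc) exit(0); http_close_socket(soc);`. Separately, if either of the later opens fails its `if (soc)` block is skipped and `buf_valid` or `buf_invalid` is never assigned, so the final `"403 Forbidden" >< buf_valid` test operates on an unset variable; initialising both before the socket blocks, `buf_valid = ""; buf_invalid = "";`, keeps that comparison well-defined. The revert also drops the removed `egrep(pattern:"Server: .*Apache", ...)` banner guard, leaving `script_require_keys("www/apache")` as the only Apache check; that is probably sufficient but is worth a one-line comment stating the reliance.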

Deleted: trunk/openvas-plugins/scripts/smb_hotfixes.inc
===================================================================
--- trunk/openvas-plugins/scripts/smb_hotfixes.inc	2009-05-19 13:39:46 UTC (rev 3428)
+++ trunk/openvas-plugins/scripts/smb_hotfixes.inc	2009-05-19 13:51:55 UTC (rev 3429)
@@ -1,337 +0,0 @@
-###############################################################################
-# OpenVAS Vulnerability Test Include
-# $Id$
-#
-# Support functions to determine the state of hotfixes on Microsoft Windows
-#
-# Authors:
-# Tenable Network Security
-#
-# Copyright:
-# Copyright (C) 2005 Tenable Network Security
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2,
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-###############################################################################
-
-#
-# GPL licensed by Tenable and distributed under Tenable GPL feed - 02 January 2005
-#
-
-#
-# (C) Tenable Network Security
-#
-
-include("global_settings.inc");
-
-function hotfix_check_exchange_installed()
-{
- local_var vers;
-
- vers = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Exchange/Setup/ServicePackBuild");
- if ( ! vers ) 
-	return NULL;
- else 
-	return vers;
-}
-
-function hotfix_data_access_version()
-{
- local_var vers;
-
- vers = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/DataAccess/Version");
- if ( ! vers ) 
-	return NULL;
- else 
-	return vers;
-}
-
-#
-# Returns Office version if it is installed, NULL if it is not
-#
-function hotfix_check_office_version()
-{
- local_var flag;
-
- flag = get_kb_item("SMB/Office/Outlook");
- if ( flag )
-   return flag;
-
- flag = get_kb_item("SMB/Office/Word");
- if ( flag )
-   return flag;
-
- flag = get_kb_item("SMB/Office/Excel");
- if ( flag )
-   return flag;
-
- flag = get_kb_item("SMB/Office/Powerpoint");
- if ( flag )
-   return flag;
-
- return NULL;
-}
-
-
-#
-# Returns Word version if it is installed, NULL if it is not
-#
-function hotfix_check_word_version()
-{
- local_var flag;
-
- flag = get_kb_item("SMB/Office/Word");
- if ( flag )
-   return flag;
-
- return NULL;
-}
-
-#
-# Returns Excel version if it is installed, NULL if it is not
-#
-function hotfix_check_excel_version()
-{
- local_var flag;
-
- flag = get_kb_item("SMB/Office/Excel");
- if ( flag )
-   return flag;
-
- return NULL;
-}
-
-#
-# Returns Powerpoint version if it is installed, NULL if it is not
-#
-function hotfix_check_powerpoint_version()
-{
- local_var flag;
-
- flag = get_kb_item("SMB/Office/Powerpoint");
- if ( flag )
-   return flag;
-
- return NULL;
-}
-
-#
-# Returns Outlook version if it is installed, NULL if it is not
-#
-function hotfix_check_outlook_version()
-{
- local_var flag;
-
- flag = get_kb_item("SMB/Office/Outlook");
- if ( flag )
-   return flag;
-
- return NULL;
-}
-
-
-#
-# Returns 1 if Works is installed, 0 if it is not
-#
-function hotfix_check_works_installed()
-{
- local_var flag;
-
- flag = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Works");
- if ( ! flag ) 
-	return 0;
- else
-	return 1;
-}
-
-
-
-#
-# Returns 1 if IIS is installed, 0 if it is not and -1 if we don't know
-#
-function hotfix_check_iis_installed()
-{
- local_var w3svc;
-
- w3svc = get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/ImagePath");
- if ( ! w3svc ) return -1;
- if ( "inetinfo" >!< w3svc )
-	return 0;
- else
-	return 1;
-}
-
-#
-# Returns 1 if WINS is installed, 0 if it is not and -1 if we don't know
-#
-function hotfix_check_wins_installed()
-{
- local_var wins;
-
- wins = get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/WINS/DisplayName");
- if ( ! wins ) return -1;
- else
-	return 1;
-}
-
-# Returns 1 if a DHCP server is installed, 0 if it is not and -1 if we don't know
-#
-function hotfix_check_dhcpserver_installed()
-{
-
- local_var dhcp;
- dhcp = get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Services/DHCPServer");
- if ( ! dhcp ) return -1;
- else
-	return 1;
-}
-
-function hotfix_check_nt_server()
-{
- local_var product_options;
- product_options = get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Control/ProductOptions");
- if ( ! product_options ) return -1;
- if ("WinNT" >< product_options ) 
-	return 0;
- else
-	return 1;
-}
-
-function hotfix_check_domain_controler()
-{
- local_var product_options;
- product_options = get_kb_item("SMB/Registry/HKLM/SYSTEM/CurrentControlSet/Control/ProductOptions");
- if ( ! product_options ) return -1;
- if ("LanmanNT" >< product_options ) 
-	return 1;
- else
-	return 0;
-}
-
-function hotfix_get_programfilesdir()
-{
- local_var str;
- str = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/ProgramFilesDir");
- return str;
-}
-
-function hotfix_get_commonfilesdir()
-{
- local_var str;
- str = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/CommonFilesDir");
- return str;
-}
-
-function hotfix_get_systemroot()
-{
- local_var str;
- str = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRoot");
- return str;
-}
-
-function hotfix_check_sp(nt, win2k, xp, win2003)
-{
-  local_var vers, sp;
-
-  vers = get_kb_item("SMB/WindowsVersion");
-  if ( ! vers ) return -1;
-
- 
-
-  if ( nt &&  "4.0" >< vers )
-  {
-    sp  = get_kb_item("SMB/CSDVersion");
-    if ( sp )
-    	sp   = int(ereg_replace(string:sp, pattern:".*Service Pack ([0-9]).*", replace:"\1"));
-    else
-	sp = 0;
-
-    if ( sp < nt )
- 	return 1;
-    else 
-	return 0; 
-  }   
-  else if ( win2k &&  "5.0" >< vers )
-  {
-    sp  = get_kb_item("SMB/CSDVersion");
-    if ( sp ) 
-    	sp   = int(ereg_replace(string:sp, pattern:".*Service Pack ([0-9]).*", replace:"\1"));
-    else
-	sp = 0;
-    if ( sp < win2k )
- 	return 1;
-    else 
-	return 0; 
-  }   
-  else if ( xp &&  "5.1" >< vers )
-  {
-    sp  = get_kb_item("SMB/CSDVersion");
-    if ( sp )
-    	sp   = int(ereg_replace(string:sp, pattern:".*Service Pack ([0-9]).*", replace:"\1"));
-    else
-	sp = 0;
-    if ( sp < xp )
- 	return 1;
-    else 
-	return 0; 
-  }   
-  else if ( win2003 &&  "5.2" >< vers )
-  {
-    sp  = get_kb_item("SMB/CSDVersion");
-    if ( sp ) 
-    	sp   = int(ereg_replace(string:sp, pattern:".*Service Pack ([0-9]).*", replace:"\1"));
-    else
-	sp = 0;
-
-    if ( sp < win2003 )
- 	return 1;
-    else 
-	return 0; 
-  }   
-
-  return -1; 
-}
-
-#-----------------------------------------------------------------------------
-# hotfix_missing()
-#
-# Returns:
-# -1 : Could not verify if the hotfix is installed (ie: lack of credentials)
-#  0 : The hotfix is installed
-#  1 : The hotfix is missing
-#-----------------------------------------------------------------------------
-function hotfix_missing(name)
-{
- local_var kb, key;
-
- 
- kb = get_kb_list("SMB/Registry/*");
-
- if ( isnull(kb) || max_index(make_list(keys(kb))) == 0 )
- {
-   return -1;
- }
-
- 
- # Don't get confused by QNNNNN vs KBNNNNN updates - look for both formats
- if ( "KB" >< name ) name = name - "KB";
- else if ( "Q" >< name ) name = name - "Q";
- foreach key (keys(kb))
- {
-  if ( ereg(pattern:"SMB/Registry/HKLM/SOFTWARE/Microsoft/(Updates/.*|Windows NT/CurrentVersion/HotFix)/(KB|Q)" + name, string:key) )
-	return 0; # The hotfix is installed
- }
-  return 1; # The hotfix is indeed missing
-}
-
-


