[Openvas-commits] r5358 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Oct 2 19:48:18 CEST 2009
Author: mime
Date: 2009-10-02 19:48:14 +0200 (Fri, 02 Oct 2009)
New Revision: 5358
Added:
trunk/openvas-plugins/scripts/bugzilla_36371.nasl
trunk/openvas-plugins/scripts/bugzilla_36373.nasl
trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl
trunk/openvas-plugins/scripts/photopost_detect.nasl
trunk/openvas-plugins/scripts/webmirror.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
trunk/openvas-plugins/scripts/misc_func.inc
trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl
trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl
trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl
Log:
Added new plugins.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/ChangeLog 2009-10-02 17:48:14 UTC (rev 5358)
@@ -1,3 +1,20 @@
+2009-10-02 Michael Meyer <michael.meyer at intevation.de>
+
+ * scripts/photopost_detect.nasl,
+ scripts/bugzilla_36373.nasl,
+ scripts/cerberus_ftp_server_36390.nasl,
+ scripts/bugzilla_36371.nasl,
+ scripts/webmirror.nasl:
+ Added new plugins.
+
+ * scripts/sambar_cgi_path_disclosure.nasl,
+ scripts/ypupdated_remote_exec.nasl,
+ scripts/secpod_surgemail_detect.nasl:
+ Bugfixes.
+
+ * scripts/misc_func.inc:
+ Added function get_unknown_svc().
+
2009-10-01 Thomas Reinke <reinke at securityspace.com>
* scripts/secpod_ibm_lotus_notes_html_inj_vuln_win.nasl:
Fix typo.
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/cve_current.txt 2009-10-02 17:48:14 UTC (rev 5358)
@@ -99,3 +99,6 @@
36554 Greenbone svn R
36490 Greenbone svn R
CVE-2009-3103 Greenbone svn R
+CVE-2009-3125 Greenbone svn R
+36390 Greenbone svn R
+CVE-2009-3165 Greenbone svn R
Added: trunk/openvas-plugins/scripts/bugzilla_36371.nasl
===================================================================
--- trunk/openvas-plugins/scripts/bugzilla_36371.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/bugzilla_36371.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mozilla Bugzilla 'Bug.search()' WebService Function SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100286);
+ script_bugtraq_id(36371);
+ script_cve_id("CVE-2009-3125");
+ script_version ("1.0-$Revision$");
+
+ script_name("Mozilla Bugzilla 'Bug.search()' WebService Function SQL Injection Vulnerability");
+
+desc = "Overview:
+Bugzilla is prone to an SQL-injection vulnerability because it fails
+to sufficiently sanitize user-supplied data before using it in an SQL
+query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+The following versions are affected:
+
+Bugzilla 3.3.2 through 3.4.1 Bugzilla 3.5
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/36371
+https://bugzilla.mozilla.org/show_bug.cgi?id=515191
+http://www.bugzilla.org/security/3.0.8/
+http://www.bugzilla.org
+
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Bugzilla is prone to an SQL-injection vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("bugzilla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/bugzilla/version")))exit(0);
+
+if(!isnull(version) && version >!< "unknown") {
+
+ if(version_in_range(version:version, test_version:"3.4", test_version2:"3.4.1") ||
+ version_in_range(version:version, test_version:"3.3", test_version2:"3.3.4") ||
+ version_is_equal(version:version, test_version:"3.5")) {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
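Review bot: The version test at the end of the hunk flags a wider 3.3.x range than the description claims: `version_in_range(version:version, test_version:"3.3", test_version2:"3.3.4")` also matches 3.3.0 and 3.3.1, while the Overview text says only 3.3.2 through 3.4.1 and 3.5 are affected, so either the range should start at `test_version:"3.3.2"` or the description should be corrected to whatever the referenced advisory states. The same mismatch appears in the bugzilla_36373.nasl hunk, whose checks start at 3.1, 3.3 and 2.23 where its own text says 3.1.1, 3.3.1 and 2.23.4, and which adds a 2.4 through 2.9 range that its description does not mention at all. Because both scripts decide purely on the KB version written by bugzilla_detect.nasl, an over-wide range turns straight into false positives on patched minor releases. Separately, Bugzilla is a Perl application, so the `can_host_php(port:port)` gate looks copied from a PHP template and would presumably suppress the check on hosts that serve no PHP; worth confirming against what bugzilla_detect.nasl itself requires.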
Property changes on: trunk/openvas-plugins/scripts/bugzilla_36371.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/bugzilla_36373.nasl
===================================================================
--- trunk/openvas-plugins/scripts/bugzilla_36373.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/bugzilla_36373.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mozilla Bugzilla 'Bug.create()' WebService Function SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100287);
+ script_bugtraq_id(36373);
+ script_cve_id("CVE-2009-3165");
+ script_version ("1.0-$Revision$");
+
+ script_name("Mozilla Bugzilla 'Bug.create()' WebService Function SQL Injection Vulnerability");
+
+desc = "Overview:
+Bugzilla is prone to an SQL-injection vulnerability because it fails
+to sufficiently sanitize user-supplied data before using it in an SQL
+query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+The following versions are vulnerable:
+
+Bugzilla 2.23.4 through 3.0.8 Bugzilla 3.1.1 through 3.2.4 Bugzilla
+3.3.1 through 3.4.1
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/36373
+https://bugzilla.mozilla.org/show_bug.cgi?id=515191
+http://www.bugzilla.org/security/3.0.8/
+http://www.bugzilla.org
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Bugzilla is prone to an SQL-injection vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("bugzilla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/bugzilla/version")))exit(0);
+if(!isnull(version) && version >!< "unknown") {
+
+ if(
+ version_in_range(version:version, test_version:"3.4", test_version2:"3.4.1") ||
+ version_in_range(version:version, test_version:"3.3", test_version2:"3.3.4") ||
+ version_in_range(version:version, test_version:"3.2", test_version2:"3.2.4") ||
+ version_in_range(version:version, test_version:"3.1", test_version2:"3.1.4") ||
+ version_in_range(version:version, test_version:"3.0", test_version2:"3.0.8") ||
+ version_in_range(version:version, test_version:"2.23", test_version2:"2.23.4") ||
+ version_in_range(version:version, test_version:"2.4", test_version2:"2.9")) {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+
+exit(0);
Property changes on: trunk/openvas-plugins/scripts/bugzilla_36373.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,115 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Cerberus FTP Server Long Command Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100284);
+ script_bugtraq_id(36390);
+ script_version ("1.0-$Revision$");
+
+ script_name("Cerberus FTP Server Long Command Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+Cerberus FTP Server is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to terminate the affected
+application, denying service to legitimate users.
+
+This issue affects Cerberus FTP Server 3.0.3 through 3.0.6; other
+versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36390
+http://www.cerberusftp.com/index.html
+http://www.securityfocus.com/archive/1/506858
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Cerberus FTP Server is prone to a denial-of-service vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+
+if(safe_checks())exit(0);
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+ ftpPort = 21;
+}
+
+if(get_kb_item('ftp/'+ftpPort+'/broken'))exit(0);
+
+if(!get_port_state(ftpPort)){
+ exit(0);
+}
+
+if(!banner = get_ftp_banner(port:ftpPort))exit(0);
+
+if("Cerberus" >!< banner)exit(0);
+
+soc1 = open_sock_tcp(ftpPort);
+soc2 = open_sock_tcp(ftpPort);
+soc3 = open_sock_tcp(ftpPort);
+soc4 = open_sock_tcp(ftpPort);
+
+if(!soc1 || !soc2 || !soc3 || !soc4){
+ exit(0);
+}
+
+req1 = string("USER ", crap(data: raw_string(0x41), length: 330), "\r\n");
+req2 = string("USER ", crap(data: raw_string(0x41), length: 520), "\r\n");
+req3 = string("USER ", crap(data: raw_string(0x41), length: 2230), "\r\n");
+
+send(socket:soc1, data:req1);
+send(socket:soc2, data:req2);
+send(socket:soc3, data:req3);
+send(socket:soc4, data:req1);
+
+close(soc1);
+close(soc2);
+close(soc3);
+close(soc4);
+
+sleep(3);
+
+soc = open_sock_tcp(ftpPort);
+
+if(!ftp_recv_line(socket: soc)) {
+ security_warning(port:ftpPort);
+ if(soc)close(soc);
+ exit(0);
+}
+
+if(soc)close(soc);
+
+exit(0);
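Review bot: The script is registered as `script_category(ACT_GATHER_INFO);` at the top of the hunk although its body deliberately tries to bring the service down, which the `safe_checks()` exit already acknowledges; it should be `script_category(ACT_DENIAL);` so the scanner schedules it after the information-gathering phase instead of alongside the FTP detection plugins that depend on the daemon still answering. The verdict is also fragile: after `sleep(3)` a single `open_sock_tcp(ftpPort)` that fails, or a banner that merely arrives late, is reported as a confirmed denial of service, and when the connect fails `ftp_recv_line(socket: soc)` is called with a null socket before the `if(soc)` guard. Consider testing `soc` first and retrying the reconnect a couple of times before calling `security_warning`, so a transient connection limit left by the four probe sockets is not mistaken for a crash.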
Property changes on: trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/misc_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/misc_func.inc 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/misc_func.inc 2009-10-02 17:48:14 UTC (rev 5358)
@@ -3,6 +3,27 @@
# (C) 2002 Michel Arboi <arboi at alussinan.org>
# $Revision: 1.53 $
+function get_unknown_svc()
+ {
+
+ local_var port;
+
+ if(!isnull(_FCT_ANON_ARGS[0])) {
+ port = _FCT_ANON_ARGS[0];
+ } else {
+ port = get_kb_item("Services/unknown");
+ }
+
+ if(!port)return 0;
+ if (port == 139)return 0;
+
+ if(service_is_unknown(port:port)) {
+ return port;
+ } else {
+ return 0;
+ }
+ }
+
function register_service(port, proto, ipproto)
{
local_var k;
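Review bot: get_unknown_svc() is added without any header comment, and the hard-coded `port == 139` exclusion carries no explanation. Suggest prefixing the function with `# get_unknown_svc([port]): returns port if it is still registered as an unknown service, 0 otherwise; port is the anonymous first argument, else the KB item Services/unknown.` and annotating the exclusion with `# 139 is never treated as unknown -- presumably NetBIOS session, confirm`. Whether `get_kb_item("Services/unknown")` hands back a single value or one value per caller instance is also worth stating in that comment, since the loop structure of callers depends on it.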
Added: trunk/openvas-plugins/scripts/photopost_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/photopost_detect.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/photopost_detect.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Photopost Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running Photopost, a photo sharing gallery software.
+
+See also:
+http://www.photopost.com/
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100285);
+ script_version ("1.0-$Revision$");
+
+ script_name("Photopost Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of Photopost");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/photopost","/photos","/gallery",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "<a [^>]+>Photo Sharing Gallery by PhotoPost", string: buf, icase: TRUE) &&
+ egrep(pattern: "Copyright.*All Enthusiast, Inc", string: buf, icase: TRUE)
+ )
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ vers = string("unknown");
+
+ set_kb_item(name: string("www/", port, "/photopost"), value: string(vers," under ",install));
+
+ info = string("None\n\nPhotoPost Version '");
+ info += string(vers);
+ info += string("' was detected on the remote host in the following directory(s):\n\n");
+ info += string(install, "\n");
+
+ desc = ereg_replace(
+ string:desc,
+ pattern:"None$",
+ replace:info
+ );
+
+ if(report_verbosity > 0) {
+ security_note(port:port,data:desc);
+ }
+ exit(0);
+
+ }
+}
+exit(0);
+
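Review bot: `vers = string("unknown");` is fixed in the match branch and no attempt is made to read a version string from the fetched page, so every consumer of the `www/<port>/photopost` KB value only ever sees `unknown under <dir>`; if that is deliberate, say so with a comment such as `# no version extraction yet; KB value is always "unknown under <dir>"` so later vulnerability checks do not try to version-gate on it. The report text also promises "the following directory(s)" but the loop exits on the first hit, so at most one directory can ever be listed; either drop the plural or collect all matches before reporting.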
Property changes on: trunk/openvas-plugins/scripts/photopost_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl
===================================================================
--- trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -68,7 +68,7 @@
req = http_get(port: port, item: strcat(dir, "/", fil));
r = http_keepalive_send_recv(port:port, data: req);
p = strcat("SCRIPT_FILENAME:*", fil);
- if (match(string: r, pattern: p) || r =~ 'DOCUMENT_ROOT:[ \t]*[A-Z]\\\\')
+ if (r && (match(string: r, pattern: p) || r =~ 'DOCUMENT_ROOT:[\t]*[A-Z]\\\\'))
{
security_warning(port);
exit(0);
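Review bot: Besides the welcome `r &&` guard, the new regex on the `if` line drops the space from the character class, `'DOCUMENT_ROOT:[ \t]*[A-Z]\\\\'` becoming `'DOCUMENT_ROOT:[\t]*[A-Z]\\\\'`, so a response that separates `DOCUMENT_ROOT:` from the drive letter with a space no longer matches and the path disclosure goes unreported. Unless dropping the space is intentional, the line should read `if (r && (match(string: r, pattern: p) || r =~ 'DOCUMENT_ROOT:[ \t]*[A-Z]\\\\'))`. The enclosing block that sets dir and fil starts outside the hunk.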
Modified: trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -87,8 +87,8 @@
exit(0);
}
-sndReq = http_get(item:"/", port:surge_port);
-rcvRes = http_send_recv(port:surge_port, data:sndReq);
+sndReq = http_get(item:"/", port:surgemail_port);
+rcvRes = http_send_recv(port:surgemail_port, data:sndReq);
if(egrep(pattern:"SurgeMail", string:rcvRes, icase:1))
{
Added: trunk/openvas-plugins/scripts/webmirror.nasl
===================================================================
--- trunk/openvas-plugins/scripts/webmirror.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/webmirror.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,1200 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# WEBMIRROR 2.0
+#
+# Saved from
+# http://patch-tracker.debian.org/patch/misc/view/nessus-plugins/2.2.10-6/scripts/webmirror.nasl
+#
+# Authors:
+# Renaud Deraison <deraison at nessus.org>.
+#
+# includes some code by H D Moore <hdmoore at digitaldefense.net>
+#
+# Modified by Michael Meyer <michael.meyer at intevation.de>
+#
+# Copyright:
+# Copyright (c) 2001 - 2003 Renaud Deraison
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(10662);
+ script_version("$Revision$");
+ script_name("Web mirroring");
+
+ desc = "
+This script makes a mirror of the remote web site(s)
+and extracts the list of CGIs that are used by the remote
+host.
+
+It is suggested you give a high timeout value to
+this plugin and that you change the number of
+pages to mirror in the 'Options' section of
+the client.
+
+Risk factor : None";
+
+ script_description(desc);
+ script_summary("Performs a quick web mirror");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is Copyright (C) 2001 - 2003 Renaud Deraison");
+ script_family("Web application abuses");
+ script_dependencie("find_service.nes", "httpver.nasl", "DDI_Directory_Scanner.nasl");
+ script_require_ports("Services/www", 80);
+ script_add_preference(name:"Number of pages to mirror : ",
+ type:"entry",
+ value:"200");
+ script_add_preference(name:"Start page : ",
+ type:"entry",
+ value:"/");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+
+#-------------------------------------------------------------------------#
+function my_http_recv(socket)
+{
+ local_var h, b, l;
+
+ h = http_recv_headers2(socket:socket);
+ if(!h)return(NULL);
+
+ if("Content-Type" >< h)
+ {
+ if(!egrep(pattern:"^Content-Type: text/(xml|html)", string:h))return(h);
+ }
+
+ b = http_recv_body(socket: socket, headers: h, length:0);
+ return (string(h, "\r\n", b));
+}
+
+
+
+function my_http_keepalive_recv()
+{
+ local_var headers, body, length, tmp, chunked, killme;
+
+ killme = 0;
+ length = -1;
+ headers = http_recv_headers2(socket:__ka_socket);
+ if(strlen(headers) == 0)headers = http_recv_headers2(socket:__ka_socket);
+
+ if(ereg(pattern:"^HEAD.*HTTP/.*", string:__ka_last_request))
+ {
+ # HEAD does not return a body
+ return(headers);
+ }
+
+ if("Content-Type" >< headers)
+ {
+ if(!egrep(pattern:"^Content-Type: text/(xml|html)", string:headers))
+ {
+ http_close_socket(__ka_socket);
+ __ka_socket = 0;
+ return(headers);
+ }
+ }
+
+ if("Content-Length" >< headers)
+ {
+ tmp = egrep(string:headers, pattern:"^Content-Length: [0-9]*");
+ length = int(ereg_replace(string:tmp, pattern:"^Content-Length: ([0-9]*)", replace:"\1"));
+ }
+
+
+
+ if((length < 0) && (egrep(pattern:"transfer-encoding: chunked", string:headers, icase:TRUE)))
+ {
+ while(1)
+ {
+ tmp = recv_line(socket:__ka_socket, length:4096);
+ length = hex2dec(xvalue:tmp);
+ if(length > 512*1024)
+ {
+ length = 512*1024;
+ killme = 1;
+ }
+ body = string(body, recv(socket:__ka_socket, length:length+2, min:length+2));
+ if(strlen(body) > 512*1024)killme = 1;
+
+ if(length == 0 || killme){
+ http_keepalive_check_connection(headers:headers);
+ return(string(headers,"\r\n", body)); # This is expected - don't put this line before the previous
+ }
+ }
+ }
+
+
+ if(length >= 0)
+ {
+ if(length > 512*1024)length = 512*1024;
+
+ body = recv(socket:__ka_socket, length:length, min:length);
+ }
+ else {
+ # If we don't have the length, we close the connection to make sure
+ # the next request won't mix up the replies.
+
+ #display("ERROR - Keep Alive, but no length!!!\n", __ka_last_request);
+ body = recv(socket:__ka_socket, length:16384);
+ http_close_socket(__ka_socket);
+ __ka_socket = http_open_socket(__ka_port);
+ }
+
+
+
+ http_keepalive_check_connection(headers:headers);
+ return(string(headers,"\r\n", body));
+}
+
+
+
+function my_http_keepalive_send_recv(port, data)
+{
+ local_var id, n;
+
+ if(data == NULL)
+ return;
+
+ if(__ka_enabled == -1)__ka_enabled = http_keepalive_enabled(port:port);
+
+
+
+ if(__ka_enabled == 0)
+ {
+ local_var soc, r;
+ soc = http_open_socket(port);
+ if(!soc)return NULL;
+ send(socket:soc, data:data);
+ r = my_http_recv(socket:soc);
+ http_close_socket(soc);
+ return r;
+ }
+
+
+ if((port != __ka_port)||(!__ka_socket))
+ {
+ if(__ka_socket)http_close_socket(__ka_socket);
+ __ka_port = port;
+ __ka_socket = http_open_socket(port);
+ if(!__ka_socket)return NULL;
+ }
+
+ id = stridx(data, string("\r\n\r\n"));
+ data = str_replace(string:data, find:"Connection: Close", replace:"Connection: Keep-Alive", count:1);
+ __ka_last_request = data;
+ n = send(socket:__ka_socket, data:data);
+ if(n <= 0)
+ {
+ http_close_socket(__ka_socket);
+ __ka_socket = http_open_socket(__ka_port);
+ if(__ka_socket == 0)return NULL;
+ send(socket:__ka_socket, data:data);
+ }
+
+ return(my_http_keepalive_recv());
+}
+
+#-------------------------------------------------------------------#
+
+
+function add_cgi_dir(dir)
+{
+ local_var d, dirs, req, res;
+
+ if ( num_cgi_dirs > max_cgi_dirs ) return 0;
+
+ req = http_get(item:string(dir, "/non-existant-", rand()), port:port);
+ req = my_http_keepalive_send_recv(port:port, data:req);
+ if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 404 ", string:req))
+ {
+ dirs = cgi_dirs();
+ foreach d (dirs)
+ {
+ if(d == dir)return(0);
+ }
+
+ if(isnull(CGI_Dirs_List[dir]))
+ {
+ #display(CGI_Dirs_List[dir], "\n");
+ set_kb_item(name:"/tmp/cgibin", value:dir);
+ CGI_Dirs_List[dir] = 1;
+ num_cgi_dirs ++;
+ }
+ }
+}
+
+
+#--------------------------------------------------------------------------#
+
+function add_30x(url)
+{
+ if(isnull(URLs_30x_hash[url]))
+ {
+ set_kb_item(name:string("www/", port, "/content/30x"), value:url);
+ URLs_30x_hash[url] = 1;
+ }
+}
+
+
+function add_auth(url)
+{
+ if(isnull(URLs_auth_hash[url]))
+ {
+ set_kb_item(name:string("www/", port, "/content/auth_required"), value:url);
+ URLs_auth_hash[url] = 1;
+ if(url == "/")RootPasswordProtected = 1;
+ }
+}
+
+#--------------------------------------------------------------------------#
+
+num_url = 0;
+
+function add_url(url)
+{
+ local_var ext, dir;
+
+ if ( num_url > 100 ) return 0;
+
+ if(debug > 5)display("**** ADD URL ", url, "\n");
+ if(isnull(URLs_hash[url]))
+ {
+ URLs = make_list(URLs, url);
+ URLs_hash[url] = 0;
+
+ url = ereg_replace(string:url,
+ pattern:"(.*)\?.*",
+ replace:"\1");
+
+
+ ext = ereg_replace(pattern:".*\.([^\.]*)$", string:url, replace:"\1");
+ if(strlen(ext) && ext[0] != "/")
+ {
+ set_kb_item(name:string("www/", port, "/content/extensions/", ext), value:url);
+ }
+
+ dir = dir(url:url);
+ if(dir && !Dirs[dir])
+ {
+ Dirs[dir] = 1;
+ set_kb_item(name:string("www/", port, "/content/directories"), value:dir);
+ if(isnull(URLs_hash[dir]))
+ {
+ URLs = make_list(URLs, dir);
+ if(Apache)URLs = make_list(URLs, string(dir, "/?D=A"));
+ else if(iPlanet)URLs = make_list(URLs, string(dir, "/?PageServices"));
+ URLs_hash[dir] = 0;
+ }
+ }
+ }
+}
+
+function cgi2hash(cgi)
+{
+ local_var cur_cgi, cur_arg, i, ret;
+
+ ret = make_list();
+
+ for(i=0;i<strlen(cgi);i++)
+ {
+ if(cgi[i] == " " && cgi[i+1] == "[")
+ {
+ cur_arg = "";
+ for(i=i+2;i<strlen(cgi);i++)
+ {
+ if(cgi[i] == "]")
+ {
+ ret[cur_cgi] = cur_arg;
+ cur_cgi = "";
+ cur_arg = "";
+ if(i + 2 >= strlen(cgi))return ret;
+ i += 2;
+ break;
+ }
+ else cur_arg += cgi[i];
+ }
+ }
+ cur_cgi += cgi[i];
+ }
+ return ret;
+}
+
+function hash2cgi(hash)
+{
+ local_var ret, h;
+
+ ret = "";
+ foreach h (keys(hash))
+ {
+ ret += string(h, " [", hash[h], "] ");
+ }
+ return ret;
+}
+
+
+function add_cgi(cgi, args)
+{
+ local_var mydir, tmp, a, new_args, common, c;
+
+ args = string(args);
+
+ if(isnull(CGIs[cgi]))
+ {
+ CGIs[cgi] = args;
+ mydir = dir(url:cgi);
+ if(!CGIsDirs[mydir])
+ {
+ CGIsDirs[mydir] = 1;
+ add_cgi_dir(dir:mydir);
+ }
+ }
+ else {
+ tmp = cgi2hash(cgi:CGIs[cgi]);
+ new_args = cgi2hash(cgi:args);
+ common = make_list();
+ foreach c (keys(tmp))
+ {
+ common[c] = tmp[c];
+ }
+
+ foreach c (keys(new_args))
+ {
+ if(isnull(common[c]))common[c] = new_args[c];
+ }
+ CGIs[cgi] = hash2cgi(hash:common);
+ }
+}
+
+
+
+#---------------------------------------------------------------------------#
+
+function dir(url)
+{
+ return ereg_replace(pattern:"(.*)/[^/]*", string:url, replace:"\1");
+}
+
+function remove_cgi_arguments(url)
+{
+ local_var idx, cgi, cgi_args, args, arg, a, b;
+
+ # Remove the trailing blanks
+ while(url[strlen(url) - 1] == " ")
+ {
+ url = substr(url, 0, strlen(url) - 2);
+ }
+
+ idx = stridx(url, "?");
+ if(idx < 0)
+ return url;
+ else if(idx >= strlen(url) - 1)
+ {
+ cgi = substr(url, 0, strlen(url) - 2);
+ add_cgi(cgi:cgi, args:"");
+ return cgi;
+ }
+ else
+ {
+ if(idx > 1)cgi = substr(url, 0, idx - 1);
+ else cgi = ".";
+ cgi_args = split(substr(url, idx + 1, strlen(url) - 1), sep:"&");
+ foreach arg (make_list(cgi_args))
+ {
+ arg = arg - "&";
+ arg = arg - "amp;";
+ a = ereg_replace(string:arg, pattern:"(.*)=.*", replace:"\1");
+ b = ereg_replace(string:arg, pattern:".*=(.*)", replace:"\1");
+ if(a != b)
+ args = string(args, a , " [", b, "] ");
+ else
+ args = string(args, arg, " [] ");
+ }
+ add_cgi(cgi:cgi, args:args);
+ return cgi;
+ }
+}
+
+
+function basename(name, level)
+{
+ local_var i;
+
+ if(strlen(name) == 0)
+ return NULL;
+
+
+ for(i = strlen(name) - 1; i >= 0 ; i --)
+ {
+ if(name[i] == "/")
+ {
+ level --;
+ if(level < 0)
+ {
+ return(substr(name, 0, i));
+ }
+ }
+ }
+
+ # Level is too high, we return /
+ return "/";
+}
+
+
+
+function canonical_url(url, current)
+{
+ local_var num_dots, i, location ;
+
+#debug = int(5);
+
+ if(debug > 1)display("***** canonical '", url, "' (current:", current, ")\n");
+
+ if(strlen(url) == 0)
+ return NULL;
+
+ if(url[0] == "#")
+ return NULL;
+
+
+ if(url == "./" || url == ".")
+ return current;
+
+
+ if(debug > 2)display("**** canonical(again) ", url, "\n");
+
+ if(ereg(pattern:"[a-z]*:", string:url, icase:TRUE))
+ {
+ if(ereg(pattern:"^http://", string:url, icase:TRUE))
+ {
+ location = ereg_replace(string:url, pattern:"http://([^/]*)/.*", replace:"\1", icase:TRUE);
+ if(location != url)
+ {
+ if(location != get_host_name())return NULL;
+ else return remove_cgi_arguments(url:ereg_replace(string:url, pattern:"http://[^/]*/([^?]*)", replace:"/\1", icase:TRUE));
+ }
+ }
+ }
+ else
+ {
+ if(url == "//") return "/";
+
+ if(ereg(pattern:"^//.*", string:url, icase:TRUE))
+ {
+ location = ereg_replace(string:url, pattern:"//([^/]*)/.*", replace:"\1", icase:TRUE);
+ if(location != url)
+ {
+ if(location == get_host_name())return remove_cgi_arguments(url:ereg_replace(string:url, pattern:"//[^/]*/([^?]*)", replace:"/\1", icase:TRUE));
+ }
+ return NULL;
+ }
+
+ if(url[0] == "/")
+ return remove_cgi_arguments(url:url);
+ else
+ {
+ i = 0;
+ num_dots = 0;
+
+ while(i < strlen(url) - 2 && url[i] == "." && url[i+1] == "." && url[i+2] == "/")
+ {
+ num_dots ++;
+ url = url - "../";
+ if(strlen(url) == 0)break;
+ }
+
+ while(i < strlen(url) && url[i] == "." && url[i+1] == "/")
+ {
+ url = url - "./";
+ if(strlen(url) == 0)break;
+ }
+ url = string(basename(name:current, level:num_dots), url);
+ }
+
+ i = stridx(url, "#");
+ if(i >= 0)url = substr(url, 0, i - 1);
+
+
+ if(url[0] != "/")
+ return remove_cgi_arguments(string("/", url));
+ else
+ return remove_cgi_arguments(url:url);
+ }
+ return NULL;
+}
+
+
+
+#--------------------------------------------------------------------#
+
+
+function my_http_get(item, port)
+{
+ local_var ret, accept, idx;
+
+ ret = http_get(item:page, port:port);
+ accept = egrep(string:ret, pattern:"^Accept:.*");
+ ret = ret - accept;
+ idx = stridx(ret, string("\r\n\r\n"));
+
+
+ ret = insstr(ret, string("\r\nAccept: text/html, text/xml\r\n\r\n"), idx);
+ return ret;
+}
+
+
+function extract_location(data)
+{
+ local_var loc, url;
+
+
+
+ loc = egrep(string:data, pattern:"^Location: ");
+ if(!loc) return NULL;
+
+ loc = loc - string("\r\n");
+ loc = ereg_replace(string:loc,
+ pattern:"Location: (.*)$",
+ replace:"\1");
+
+
+
+ url = canonical_url(url:loc, current:"/");
+ if( url )
+ {
+ add_url(url : url);
+ return url;
+ }
+
+ return NULL;
+}
+
+
+
+function retr( port, page )
+{
+ local_var req, resp, q;
+
+ if( debug )display("*** RETR ", page, "\n");
+
+ req = my_http_get(item:page, port:port);
+ resp = my_http_keepalive_send_recv(port:port, data:req);
+ if( resp == NULL ) exit(0); # No web server
+
+ if(!match(pattern:"HTTP* 200 *", string:resp))
+ {
+ if(match(pattern:"HTTP* 401 *", string:resp) ||
+ match(pattern:"HTTP* 403 *", string:resp))
+ {
+ add_auth(url:page);
+ return NULL;
+ }
+ if(match(pattern:"HTTP* 301 *", string:resp) ||
+ match(pattern:"HTTP* 302 *", string:resp))
+ {
+ q = egrep(pattern:"^Location:.*", string:resp);
+ add_30x(url:page);
+
+ # Don't echo back what we added ourselves...
+ if(!(("?PageServices" >< page || "?D=A" >< page) && ("?PageServices" >< q || "?D=A" >< q)))
+ extract_location(data:resp);
+ return NULL;
+ }
+ }
+
+ if(egrep(pattern:"^Server:.*Apache.*", string:resp))Apache ++;
+ else if(egrep(pattern:"^Server:.*Netscape.*", string:resp))iPlanet ++;
+
+ if(!egrep(pattern:"^Content-Type: text/(xml|html).*", string:resp))
+ return NULL;
+ else
+ {
+ resp = strstr(resp, string("\r\n\r\n"));
+ if(!resp)return NULL; # Broken web server ?
+ resp = str_replace(string:resp, find:string("\r\n"), replace:" ");
+ resp = str_replace(string:resp, find:string("\n"), replace:" ");
+ resp = str_replace(string:resp, find:string("\t"), replace:" ");
+ return resp;
+ }
+}
+
+#---------------------------------------------------------------------------#
+
+
+function token_split(content)
+{
+ local_var i, j, k, str;
+ local_var ret, len, num;
+
+ num = 0;
+
+ ret = make_list();
+ len = strlen(content);
+
+ for (i=0;i<len;i++)
+ {
+ if(((i + 3) < len) && content[i]=="<" && content[i+1]=="!" && content[i+2]=="-" && content[i+3]=="-")
+ {
+ j = stridx(content, "-->", i);
+ if( j < 0)return(ret);
+ i = j;
+ }
+ else
+ if(content[i]=="<")
+ {
+ str = "";
+ i ++;
+
+ while(content[i] == " ")i ++;
+
+ for(j = i; j < len ; j++)
+ {
+ if(content[j] == '"')
+ {
+ k = stridx(content, '"', j + 1);
+ if(k < 0){
+ return(ret); # bad page
+ }
+ str = str + substr(content, j, k);
+ j = k;
+ }
+ else if(content[j] == '>')
+ {
+ if(ereg(pattern:"^(a|area|frame|meta|iframe|link|img|form|/form|input|button|textarea|select|applet)( .*|$)", string:str, icase:TRUE))
+ {
+ num ++;
+ ret = make_list(ret, str);
+ if ( num > 50 ) return ret; # Too many items
+ }
+ break;
+ }
+ else str = str + content[j];
+ }
+ i = j;
+ }
+ }
+
+ return(ret);
+}
+
+
+
+function token_parse(token)
+{
+ local_var ret, i, j, len, current_word, word_index, current_value, char;
+
+
+ ret = make_list();
+ len = strlen(token);
+ current_word = "";
+ word_index = 0;
+
+ for( i = 0 ; i < len ; i ++)
+ {
+ if((token[i] == " ")||(token[i] == "="))
+ {
+ while(i+1 < len && token[i+1] == " ")i ++;
+ if(i >= len)break;
+
+ if(word_index == 0)
+ {
+ ret["nasl_token_type"] = tolower(current_word);
+ }
+ else
+ {
+ while(i+1 < len && token[i] == " ")i ++;
+ if(token[i] != "=")
+ {
+ ret[tolower(current_word)] = NULL;
+ }
+ else
+ {
+ i++;
+ char = NULL;
+ if(i >= len)break;
+ if(token[i] == '"')char = '"';
+ else if(token[i] == "'")char = "'";
+
+ if(!isnull(char))
+ {
+ j = stridx(token, char, i + 1);
+ if(j < 0)
+ {
+ if(debug)display("PARSE ERROR 1\n");
+ return(ret); # Parse error
+ }
+ ret[tolower(current_word)] = substr(token, i + 1, j - 1);
+ while(j+1 < len && token[j+1]==" ")j++;
+ i = j;
+ }
+ else
+ {
+ j = stridx(token, ' ', i + 1);
+ if(j < 0)
+ {
+ j = strlen(token);
+ }
+ ret[tolower(current_word)] = substr(token, i, j - 1);
+ i = j;
+ }
+ }
+ }
+ current_word = "";
+ word_index ++;
+ }
+ else {
+ if(i < len)current_word = current_word + token[i];
+ }
+ }
+
+ if(!word_index)ret["nasl_token_type"] = tolower(current_word);
+ return ret;
+}
+
+
+#-------------------------------------------------------------------------#
+
+function parse_java(elements)
+{
+ archive = elements["archive"];
+ code = elements["code"];
+ codebase = elements["codebase"];
+
+ if (codebase)
+ {
+ if (archive)
+ set_kb_item(name:string("www/", port, "/java_classfile"), value:string(codebase,"/",archive));
+ if (code)
+ set_kb_item(name:string("www/", port, "/java_classfile"), value:string(codebase,"/",code));
+ }
+ else
+ {
+ if (archive)
+ set_kb_item(name:string("www/", port, "/java_classfile"), value:archive);
+ if (code)
+ set_kb_item(name:string("www/", port, "/java_classfile"), value:code);
+ }
+}
+
+
+
+
+
+
+
+function parse_javascript(elements, current)
+{
+ local_var url, pat;
+
+ if(debug > 15)display("*** JAVASCRIPT\n");
+
+ pat = string(".*window\\.open\\('([^',", raw_string(0x29), "]*)'.*\\)*");
+ url = ereg_replace(pattern:pat,
+ string:elements["onclick"],
+ replace:"\1",
+ icase:TRUE);
+
+
+ if( url == elements["onclick"])
+ return NULL;
+
+ url = canonical_url(url:url, current:current);
+ if( url )
+ {
+ add_url(url : url);
+ return url;
+ }
+
+ return NULL;
+}
+
+
+function parse_dir_from_src(elements, current)
+{
+ local_var src, dir;
+
+ src = elements["src"];
+ if( ! src ) return NULL;
+
+ src = canonical_url(url:src, current:current);
+ dir = dir(url:src);
+ if(dir && !Dirs[dir])
+ {
+ Dirs[dir] = 1;
+ set_kb_item(name:string("www/", port, "/content/directories"), value:dir);
+ if(isnull(URLs_hash[dir]))
+ {
+ URLs = make_list(URLs, dir);
+ URLs_hash[dir] = 0;
+ }
+ }
+}
+
+
+function parse_href_or_src(elements, current)
+{
+ local_var href;
+
+ href = elements["href"];
+ if(!href)href = elements["src"];
+
+ if(!href){
+ return NULL;
+ }
+
+ href = canonical_url(url:href, current:current);
+ if( href )
+ {
+ add_url(url: href);
+ return href;
+ }
+}
+
+
+function parse_refresh(elements, current)
+{
+ local_var href, content, t, sub;
+
+ content = elements["content"];
+
+ if(!content)
+ return NULL;
+ t = strstr(content, ";");
+ if( t != NULL ) content = substr(t, 1, strlen(t) - 1);
+
+ content = string("a ", content);
+ sub = token_parse(token:content);
+
+ if(isnull(sub)) return NULL;
+
+ href = sub["url"];
+ if(!href)
+ return NULL;
+
+ href = canonical_url(url:href, current:current);
+ if ( href )
+ {
+ add_url(url: href);
+ return href;
+ }
+}
+
+
+function parse_form(elements, current)
+{
+ local_var action;
+
+ action = elements["action"];
+
+ action = canonical_url(url:action, current:current);
+ if ( action )
+ return action;
+ else
+ return NULL;
+}
+
+
+function pre_parse(data, src_page)
+{
+ local_var php_path, fp_save, data2;
+
+ if ("Index of /" >< data)
+ {
+ if(!Misc[src_page])
+ {
+ if("?D=A" >!< src_page && "?PageServices" >!< src_page)
+ {
+ misc_report = misc_report + string("Directory index found at ", src_page, "\n");
+ Misc[src_page] = 1;
+ }
+ }
+ }
+
+ if ("<title>phpinfo()</title>" >< data)
+ {
+ if(!Misc[src_page])
+ {
+ misc_report = misc_report + string("Extraneous phpinfo() script found at ", src_page, "\n");
+ Misc[src_page] = 1;
+ }
+
+ }
+
+ if("Fatal" >< data || "Warning" >< data)
+ {
+ data2 = strstr(data, "Fatal");
+ if(!data2)data2 = strstr(data, "Warning");
+
+ data2 = strstr(data2, "in <b>");
+
+ php_path = ereg_replace(pattern:"in <b>([^<]*)</b>.*", string:data2, replace:"\1");
+ if (php_path != data2)
+ {
+ if (!Misc[src_page])
+ {
+ misc_report = misc_report + string("PHP script discloses physical path at ", src_page, " (", php_path, ")\n");
+ Misc[src_page] = 1;
+ }
+ }
+ }
+
+
+ data2 = strstr(data, "unescape");
+
+ if(data2 && ereg(pattern:"unescape..(%([0-9]|[A-Z])*){200,}.*", string:data2))
+ {
+ if(!Misc[src_page])
+ {
+ misc_report += string(src_page, " seems to have been 'encrypted' with HTML Guardian\n");
+ guardian ++;
+ }
+ }
+
+ if("CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM" >< data)
+ {
+ if(!Misc[src_page])
+ {
+ misc_report += string(src_page, " seems to contain links 'protected' by CoffeCup\n");
+ coffeecup++;
+ }
+
+
+ }
+
+ if("SaveResults" >< data)
+ {
+ fp_save = ereg_replace(pattern:string("(.*SaveResults.*U-File=)", quote, "(.*)", quote, ".*"), string:data, replace:"\2");
+ if (fp_save != data)
+ {
+ if (!Misc[src_page])
+ {
+ misc_report = misc_report + string("FrontPage form stores results in web root at ", src_page, " (", fp_save, ")\n");
+ Misc[src_page] = 1;
+ }
+ }
+ }
+}
+
+
+
+function parse_main(current, data)
+{
+ local_var tokens, elements, cgi, form_cgis, form_cgis_level, args, store_cgi;
+
+ form_cgis = make_list();
+ form_cgis_level = 0;
+ argz = NULL;
+ store_cgi = 0;
+ tokens = token_split(content: data);
+ foreach token (tokens)
+ {
+ elements = token_parse(token:token);
+ if(!isnull(elements))
+ {
+
+ if(elements["onclick"])
+ parse_javascript(elements:elements, current:current);
+
+ if ( elements["nasl_token_type"] == "applet")
+ parse_java(elements:elements);
+
+ if(elements["nasl_token_type"] == "a" ||
+ elements["nasl_token_type"] == "link" ||
+ elements["nasl_token_type"] == "frame" ||
+ elements["nasl_token_type"] == "iframe" ||
+ elements["nasl_token_type"] == "area")
+ if( parse_href_or_src(elements:elements, current:current) == NULL) {
+ if(debug > 20)display("ERROR - ", token, "\n");
+ }
+ if(elements["nasl_token_type"] == "img")
+ parse_dir_from_src(elements:elements, current:current);
+
+ if(elements["nasl_token_type"] == "meta")
+ parse_refresh(elements:elements, current:current);
+
+ if( elements["nasl_token_type"] == "form" )
+ {
+ cgi = parse_form(elements:elements, current:current);
+ if( cgi )
+ {
+ form_cgis[form_cgis_level] = cgi;
+ store_cgi = 1;
+ }
+ form_cgis_level ++;
+ }
+
+ if( elements["nasl_token_type"] == "/form")
+ {
+ form_cgis_level --;
+ if( store_cgi != 0) add_cgi(cgi:form_cgis[form_cgis_level], args:argz);
+ argz = "";
+ store_cgi = 0;
+ }
+
+ if( elements["nasl_token_type"] == "input" ||
+ elements["nasl_token_type"] == "select")
+ {
+ if(elements["name"])
+ argz += string( elements["name"], " [", elements["value"], "] ");
+ }
+ }
+ }
+}
+
+
+#----------------------------------------------------------------------#
+# MAIN() #
+#----------------------------------------------------------------------#
+
+
+
+start_page = script_get_preference("Start page : ");
+if(isnull(start_page) || start_page == "")start_page = "/";
+
+
+max_pages = int(script_get_preference( "Number of pages to mirror : " ));
+if(max_pages <= 0)max_pages = 30;
+
+dirs = get_kb_list(string("www/", port, "/content/directories"));
+
+
+num_cgi_dirs = 0;
+if ( thorough_tests ) max_cgi_dirs = 1024;
+else max_cgi_dirs = 16;
+
+
+
+debug = 0;
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+URLs = make_list(start_page);
+if(dirs) URLs = make_list(start_page, dirs);
+URLs_hash[start_page] = 0;
+
+
+Apache = 0;
+iPlanet = 0;
+
+CGIs = make_list();
+Misc = make_list();
+Dirs = make_list();
+
+CGI_Dirs_List = make_list();
+
+URLs_30x_hash = make_list();
+URLs_auth_hash = make_list();
+
+
+Code404 = make_list();
+
+misc_report = "";
+cnt = 0;
+
+RootPasswordProtected = 0;
+
+guardian = 0;
+coffeecup = 0;
+
+foreach URL (URLs)
+{
+ if(!URLs_hash[URL])
+ {
+ page = retr(port:port, page:URL);
+ cnt ++;
+ pre_parse(src_page:URL, data:page);
+ parse_main(data:page, current:URL);
+ URLs_hash[URL] = 1;
+ if(cnt >= max_pages)break;
+ }
+}
+
+
+if(cnt == 1)
+{
+ if(RootPasswordProtected)
+ {
+ set_kb_item(name:string("www/", port, "/password_protected"), value:TRUE);
+ }
+}
+foreach URL (URLs)
+{
+ display(URL,"\n");
+}
+
+display("-----------------------------------------\n");
+
+
+report = "";
+
+foreach foo (keys(CGIs))
+{
+ args = CGIs[foo];
+ if(!args) args = "";
+ set_kb_item(name:string("www/", port, "/cgis"), value:string(foo, " - ", args));
+
+
+ if(!report)
+ report = string("The following CGI have been discovered :\n\nSyntax : cginame (arguments [default value])\n\n", foo, " (", args, ")\n");
+ else
+ report = string(report, foo, " (", args, ")\n");
+}
+
+if(misc_report)
+{
+
+ report = string(report, "\n\n", misc_report);
+}
+
+
+if(guardian)
+{
+ report += string("
+
+HTML Guardian is a tool which claims to encrypt web pages, whereas it simply
+does a transposition of the content of the page. It is is no way a safe
+way to make sure your HTML pages are protected.
+
+See also : http://www.securityfocus.com/archive/1/315950
+BID : 7169");
+}
+
+
+if(coffeecup)
+{
+ report += "
+
+CoffeeCup Wizard is a tool which claims to encrypt links to web pages,
+to force users to authenticate before they access the links. However,
+the 'encryption' used is a simple transposition method which can be
+decoded without the need of knowing a real username and password.
+
+BID : 6995 7023";
+}
+
+if(strlen(report))
+{
+ security_note(port:port, data:report);
+}
+
Property changes on: trunk/openvas-plugins/scripts/webmirror.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl 2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl 2009-10-02 17:48:14 UTC (rev 5358)
@@ -50,7 +50,7 @@
exit(0);
}
-include("sunrpc_func.inc");
+include("misc_func.inc");
g_timeout = 15; # Must be greater than the maximum sleep value
RPC_PROG = 100028;
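Review bot: The include of `sunrpc_func.inc` is replaced rather than supplemented by `include("misc_func.inc");`, so any other helper from sunrpc_func.inc that the script may still call further down (the rest of the file is outside this hunk) would now be undefined at runtime. If misc_func.inc is intended to fully supersede sunrpc_func.inc for this script, a short comment on the include line would make the dependency swap explicit, e.g. `include("misc_func.inc"); # provides get_rpc_port(); sunrpc_func.inc no longer required`. The surrounding script body continues outside the hunk.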
@@ -116,7 +116,7 @@
tcp_ports = get_kb_list('Services/RPC/ypupdated');
if (isnull(tcp_ports))
{
- port = get_rpc_port2(program: RPC_PROG, protocol: IPPROTO_TCP);
+ port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_TCP);
if (port) tcp_ports = make_list(port);
}
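Review bot: The unchanged `if (port) tcp_ports = make_list(port);` guard after the new `get_rpc_port(...)` call relies on the replacement returning a false value (0 or NULL) when the portmapper lookup fails, as `get_rpc_port2()` presumably did; if misc_func.inc's get_rpc_port() signals failure differently, a failed lookup would be turned into a bogus single-entry port list. Confirm the failure convention of get_rpc_port() matches, and the same applies to the UDP lookup in the next hunk. The if-blocks begin and end within their hunks, but the enclosing script continues outside them.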
@@ -126,7 +126,7 @@
udp_ports = get_kb_list('Services/udp/RPC/ypupdated');
if (isnull(udp_ports))
{
- port = get_rpc_port2(program: RPC_PROG, protocol: IPPROTO_UDP);
+ port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_UDP);
if (port) udp_ports = make_list(port);
}