[Openvas-commits] r5436 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Oct 8 08:22:35 CEST 2009


Author: chandra
Date: 2009-10-08 08:22:29 +0200 (Thu, 08 Oct 2009)
New Revision: 5436

Added:
   trunk/openvas-plugins/scripts/gb_avast_av_detect_win.nasl
   trunk/openvas-plugins/scripts/gb_avast_av_mult_vuln_oct09_win.nasl
   trunk/openvas-plugins/scripts/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl
   trunk/openvas-plugins/scripts/gb_backuppc_detect.nasl
   trunk/openvas-plugins/scripts/gb_e107_referer_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_linkspheric_detect.nasl
   trunk/openvas-plugins/scripts/gb_linkspheric_viewlisting_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_phpgenealogie_detect.nasl
   trunk/openvas-plugins/scripts/gb_phpgenealogie_rfi_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/ChangeLog	2009-10-08 06:22:29 UTC (rev 5436)
@@ -1,3 +1,16 @@
+2009-10-08  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/gb_phpgenealogie_detect.nasl,
+	scripts/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl,
+	scripts/gb_phpgenealogie_rfi_vuln.nasl,
+	scripts/gb_linkspheric_detect.nasl,
+	scripts/gb_avast_av_mult_vuln_oct09_win.nasl,
+	scripts/gb_linkspheric_viewlisting_sql_inj_vuln.nasl,
+	scripts/gb_avast_av_detect_win.nasl,
+	scripts/gb_backuppc_detect.nasl,
+	scripts/gb_e107_referer_xss_vuln.nasl:
+	Added new plugins.
+
 2009-10-07  Jan-Oliver Wagner <jan-oliver.wagner at greenbone.net>
 
 	* scripts/webmirror.nasl: Added more information about

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-08 06:22:29 UTC (rev 5436)
@@ -73,14 +73,14 @@
 CVE-2009-3328			SecPod
 CVE-2009-3327			SecPod
 CVE-2009-3330			SecPod		svn		R
-CVE-2009-3369			SecPod
+CVE-2009-3369			SecPod		svn		L
 CVE-2009-2817			SecPod		svn		L
 CVE-2009-3366			SecPod		svn		R
 CVE-2009-3367			Secpod		svn		R
 CVE-2009-3364			SecPod		svn		L
 CVE-2009-3340			SecPod		svn		L
 CVE-2009-3431			SecPod		svn		L
-CVE-2009-3444			SecPod
+CVE-2009-3444			SecPod		svn		R
 CVE-2009-3455			SecPod
 CVE-2009-3454			SecPod		svn		L
 CVE-2009-3456			SecPod		svn		L
@@ -102,14 +102,20 @@
 CVE-2009-3125                   Greenbone       svn             R
 36390                           Greenbone       svn             R
 CVE-2009-3165                   Greenbone       svn             R
-CVE-2009-3523			SecPod
-CVE-2009-3522			SecPod
-CVE-2009-3524			SecPod
+CVE-2009-3523			SecPod		svn		L
+CVE-2009-3522			SecPod		svn		L
+CVE-2009-3524			SecPod		svn		L
 CVE-2009-3518			SecPod
 CVE-2009-3510			SecPod
-CVE-2009-3541			SecPod
+CVE-2009-3541			SecPod		svn		R
 CVE-2009-3484			SecPod
 36543				Greenbone	svn		R
 36391				Greenbone	svn		R
-CVE-2009-3545 			SecPod
-
+CVE-2009-3545			SecPod
+CVE-2009-3571			SecPod
+CVE-2009-3570			SecPod
+CVE-2009-3569			SecPod
+CVE-2009-3544			SecPod
+CVE-2009-3562			SecPod
+CVE-2009-3561			SecPod
+CVE-2009-3525			SecPod

Added: trunk/openvas-plugins/scripts/gb_avast_av_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_avast_av_detect_win.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_avast_av_detect_win.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,78 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_avast_av_detect_win.nasl 5171 2009-10-06 16:57:29Z oct $
+#
+# avast! AntiVirus Version Detection (Win)
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801110);
+  script_version("$Revision: 1.0 $");
+  script_name("avast! AntiVirus Version Detection (Win)");
+  desc = "
+  Overview: This script detects the installed version of avast! AntiVirus
+  and sets the result in KB.
+
+  Risk Factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of avast! AntiVirus");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+path1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+
+foreach path (make_list("avast!", "avast5"))
+{
+  avastName = registry_get_sz(key:path1 + path, item:"DisplayName");
+
+  if(avastName =~ "avast! (Free )?Antivirus")
+  {
+    avastVer = registry_get_sz(key:path1 + path, item:"DisplayVersion");
+
+    if(!(avastVer =~ "^([0-9]\.[0-9]+\.[0-9]+\.[0-9]+)"))
+    {
+      avastPath = registry_get_sz(key:path1 + path, item:"DisplayIcon");
+      share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:avastPath);
+      file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:avastPath);
+      avastVer = GetVer(file:file, share:share);
+    }
+    if(!isnull(avastVer)){
+      set_kb_item(name:"Avast!/AV/Win/Ver", value:avastVer);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_avast_av_detect_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_avast_av_mult_vuln_oct09_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_avast_av_mult_vuln_oct09_win.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_avast_av_mult_vuln_oct09_win.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_avast_av_mult_vuln_oct09_win.nasl 5171 2009-10-06 16:31:26Z oct $
+#
+# avast! Multiple Vulnerabilities - Oct09 (Win)
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801111);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3522", "CVE-2009-3523", "CVE-2009-3524");
+  script_bugtraq_id(36507);
+  script_name("avast! Multiple Vulnerabilities - Oct09 (Win)");
+  desc = "
+  Overview: This host is installed with avast! AntiVirus and is prone to multiple
+  vulnerabilities.
+
+  Vulnerability Insight:
+  - A boundary error exists in the 'aswMon2' kernel driver when processing
+    IOCTLs. This can be exploited to cause a stack-based buffer overflow
+    via a specially crafted 0xB2C80018 IOCTL.
+  - An error in the 'AavmKer4.sys' kernel driver that can be exploited to
+    corrupt memory via a specially crafted 0xB2D6000C or 0xB2D60034 IOCTL.
+  - An unspecified error exists in the ashWsFtr.dll library which can be
+    exploited to cause unknow impact.
+
+  Impact:
+  Successful exploitation will let the local attackers to cause a Denial of
+  Service or gain escalated privileges on the victim's system.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  avast! Home and Professional version prior to 4.8.1356 on Windows
+
+  Fix: Upgrade to avast! version 4.8.1356 or later
+  http://www.avast.com/eng/download.html
+
+  References:
+  http://secunia.com/advisories/36858/
+  http://www.securityfocus.com/archive/1/506681
+  http://www.vupen.com/english/advisories/2009/2761
+
+  CVSS Score:
+    CVSS Base Score     : 7.2 (AV:L/AC:L/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 5.6
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check  the version of avas ! Antivirus");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("gb_avast_av_detect_win.nasl");
+  script_require_keys("Avast!/AV/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+avastVer = get_kb_item("Avast!/AV/Win/Ver");
+if(isnull(avastVer)){
+  exit(0);
+}
+
+# Check for avast! versions prior to 4.8.1356
+if(version_is_less(version:avastVer, test_version:"4.8.1356")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/gb_avast_av_mult_vuln_oct09_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_backuppc_clientnamealias_sec_bypass_vuln.nasl 5063 2009-10-06 17:52:24Z oct $
+#
+# BackupPC 'ClientNameAlias' Function Security Bypass Vulnerability
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801107);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3369");
+  script_name("BackupPC 'ClientNameAlias' Function Security Bypass Vulnerability");
+  desc = "
+  Overview: This host has BackupPC intallation and is prone to security bypass
+  vulnerability.
+
+  Vulnerability Insight:
+  The security issue is caused due to the application allowing users to set the
+  'ClientNameAlias' option for configured hosts. This can be exploited to backup
+  arbitrary directories from client systems for which Rsync over SSH is
+  configured as a transfer method.
+
+  Impact:
+  Successful attacks may allow remote authenticated users to read and write
+  sensitive files by modifying ClientNameAlias to match another system, then
+  initiating a backup or restore on the victim's system.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  BackupPC version 3.1.0 and prior.
+
+  Fix:
+  No solution or patch is available as on 06th October, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://backuppc.sourceforge.net/
+  or
+  For Debian platform Update to version 3.1.0-7 from below link,
+  https://launchpad.net/debian/+source/backuppc/3.1.0-7
+  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542218
+
+  *****
+  NOTE: Ignore this warning if above mentioned patch is already applied.
+  *****
+
+  References:
+  http://osvdb.org/57236
+  http://secunia.com/advisories/36393
+  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542218
+
+  CVSS Score:
+    CVSS Base Score     : 8.5 (AV:N/AC:M/Au:SI/C:C/I:C/A:C)
+    CVSS Temporal Score : 6.3
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of BackupPC");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("General");
+  script_dependencies("gb_backuppc_detect.nasl");
+  script_require_keys("BackupPC/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+backuppcVer = get_kb_item("BackupPC/Ver");
+if(backuppcVer)
+{
+  # Check for BackupPC version <= 3.1.0
+  if(version_in_range(version:backuppcVer, test_version:"3.0",
+                                           test_version2:"3.1.0")){
+     security_hole(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_backuppc_clientnamealias_sec_bypass_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_backuppc_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_backuppc_detect.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_backuppc_detect.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,65 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_backuppc_detect.nasl 5063 2009-10-06 16:05:29Z oct $
+#
+# BackupPC Version Detection
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801106);
+  script_version("$Revision: 1.0 $");
+  script_name("BackupPC Version Detection");
+  desc = "
+  Overview: This script detects the installed version of BackupPC and
+  sets the reuslt in KB.
+
+  Risk Factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of BackupPC");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Service detection");
+  exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+backupSock = ssh_login_or_reuse_connection();
+if(!backupSock){
+  exit(0);
+}
+
+backupName = find_bin(prog_name:"BackupPC", sock:backupSock);
+foreach binName (backupName)
+{
+  backupVer = get_bin_version(full_prog_name:"cat", version_argv:binName,
+                               ver_pattern:"Version ([0-9]\.[0-9]\.[0-9]+"+
+                               "(beta[0-9])?)", sock:backupSock);
+  if(backupVer[1] != NULL){
+    set_kb_item(name:"BackupPC/Ver", value:backupVer[1]);
+  }
+}
+ssh_close_connection();


Property changes on: trunk/openvas-plugins/scripts/gb_backuppc_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_e107_referer_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_e107_referer_xss_vuln.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_e107_referer_xss_vuln.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_e107_referer_xss_vuln.nasl 5050 2009-10-06 16:29:41Z oct $
+#
+# e107 'Referer' Header Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800946);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3444");
+  script_name("e107 'Referer' Header Cross-Site Scripting Vulnerability");
+  desc = "
+  Overview: This host is running e107 and is prone to remote Cross-Site
+  Scripting vulnerability.
+
+  Vulnerability Insight:
+  The flaw exists due to error in 'email.php' in 'news.1' action. It does not
+  properly filter HTML code from user-supplied input in the HTTP 'Referer'
+  header before displaying the input.
+
+  Impact:
+  Attackers can exploit this issue to execute arbitrary HTML and script code
+  in a user's browser session in the context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  e107 version 0.7.16 and prior.
+
+  Fix:
+  No solution/patch is available as on 06th , October 2009. Information
+  regarding this issue will updated once the solution details are available.
+  For updates refer, http://e107.org/edownload.php
+
+  References:
+  http://websecurity.com.ua/3528/
+  http://www.vulnaware.com/?p=17929
+  http://secunia.com/advisories/36832/
+
+  CVSS Score:
+    CVSS Base Score     : 4.3 (AV:N/AC:M/Au:NR/C:N/I:P/A:N)
+    CVSS Temporal Score : 3.9
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Validate through the attack string");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+ePort = get_http_port(default:80);
+if(!ePort){
+  exit(0);
+}
+
+if(safe_checks()){
+  exit(0);
+}
+
+foreach dir (make_list("/", "/e107", "/cms", cgi_dirs()))
+{
+  sndReq = string('GET ' + dir + '/email.php?news.1 HTTP/1.1\r\n',
+                  'Host: ', get_host_name(),'\r\n',
+                  'Referer: ><script>alert(document.cookie)</script>\r\n',
+                  '\r\n');
+
+  rcvRes = http_send_recv(port:ePort, data:sndReq);
+  if(egrep(pattern:"^HTTP/.* 200 OK", string:rcvRes) &&
+     "alert(document.cookie)" >< rcvRes)
+  {
+    security_warning(ePort);
+    exit(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_e107_referer_xss_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_linkspheric_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_linkspheric_detect.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_linkspheric_detect.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_linkspheric_detect.nasl 5169 2009-10-08 10:10:24Z oct $
+#
+# linkSpheric Version Detection
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801112);
+  script_version("$Revision: 1.0 $");
+  script_name("linkSpheric Version Detection");
+  desc = "
+  Overview: This script detects the installed version of linkSpheric and
+  sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(desc);
+  script_summary("Set version of linkSpheric in KB");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Service detection");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+spheric_port = get_http_port(default:80);
+if(!spheric_port){
+  spheric_port = 80;
+}
+
+if(!get_port_state(spheric_port)){
+  exit(0);
+}
+
+foreach dir (make_list("/linkSpheric", "/Spheric", "/", cgi_dirs()))
+{
+  sndReq = http_get(item:dir + "/admin/index.php", port:spheric_port);
+  rcvRes = http_send_recv(port:spheric_port, data:sndReq);
+
+  if("linkSpheric" >< rcvRes )
+  {
+    version = eregmatch(pattern:"linkSpheric version ([0-9.]+( Beta [0-9.])?)",
+                        string:rcvRes, icase:1);
+    if(isnull(version))
+    {
+      sndReq = http_get(item:dir + "/CHANGELOG", port:spheric_port);
+      rcvRes = http_send_recv(port:spheric_port, data:sndReq);
+      version = egrep(pattern:"version [0-9.]+[a-z0-9 ]+(release)",
+                      string:rcvRes, icase:1);
+      version = eregmatch(pattern:"version ([0-9.]+( Beta [0-9])?)",
+                          string:version, icase:1);
+    }
+    spheric_ver[1] = ereg_replace(pattern:" ", replace:".", string:version[1]);
+
+    if(!isnull(spheric_ver[1]))
+    {
+      set_kb_item(name:"www/" + spheric_port + "/linkSpheric",
+                  value:spheric_ver[1] + " under " + dir);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_linkspheric_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_linkspheric_viewlisting_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_linkspheric_viewlisting_sql_inj_vuln.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_linkspheric_viewlisting_sql_inj_vuln.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,112 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_linkspheric_viewlisting_sql_inj_vuln.nasl 5169 2009-10-08 11:43:17Z oct $
+#
+# linkSpheric 'viewListing.php' SQL Injection Vulnerability
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801113);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3510");
+  script_name("linkSpheric 'viewListing.php' SQL Injection Vulnerability");
+  desc = "
+  Overview: The host is running linkSpheric and is prone to SQL Injection
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to error in viewListing.php which can be exploited to cause
+  SQL injection via the 'listID' parameter.
+
+  Impact:
+  Successful exploitation could allow execution of arbitrary SQL commands in
+  the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  linkSpheric version 0.74 Beta 6 and prior.
+
+  Fix: No solution or patch is available as on 08th October, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://dataspheric.com/
+
+  References:
+  http://www.milw0rm.com/exploits/9316
+  https://launchpad.net/bugs/cve/2009-3510
+
+  CVSS Score:
+    CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 6.7
+  Risk factor: High";
+
+  script_description(desc);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_summary("Check through the attack string and version of linkSpheric");
+  script_category(ACT_MIXED_ATTACK);
+  script_family("Web application abuses");
+  script_dependencies("gb_linkspheric_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+spheric_port = get_http_port(default:80);
+if(!spheric_port){
+  exit(0);
+}
+
+spheric_ver = get_kb_item("www/" + spheric_port + "/linkSpheric");
+if(isnull(spheric_ver)){
+  exit(0);
+}
+
+spheric_ver = eregmatch(pattern:"^(.+) under (/.*)$", string:spheric_ver);
+if(!isnull(spheric_ver[2]) && !safe_checks())
+{
+  url = string(spheric_ver[2], "/viewListing.php?listID=-5+union+select+1,2," +
+               "3,4,5,6,7,8,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54" +
+               "657374,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27" +
+               ",28+from+users--");
+
+  sndReq = http_get(item:url, port:spheric_port);
+  rcvRes = http_send_recv(port:spheric_port, data:sndReq);
+
+  if(egrep(pattern: "OpenVAS-SQL-Injection-Test", string:rcvRes))
+  {
+    security_hole(spheric_port);
+    exit(0);
+  }
+}
+else
+{
+  if(spheric_ver[1] != NULL)
+  {
+    if(version_is_less_equal(version:spheric_ver[1], test_version:"0.74.Beta.6")){
+       security_hole(spheric_port);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_linkspheric_viewlisting_sql_inj_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_phpgenealogie_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpgenealogie_detect.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_phpgenealogie_detect.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,73 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_phpgenealogie_detect.nasl 5168 2009-10-07 16:25:36Z oct $
+#
+# PHPGenealogie Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801007);
+  script_version("$Revision: 1.0 $");
+  script_name("PHPGenealogie Version Detection");
+  desc = "
+  Overview: This script detects the installed version of PHPGenealogie and
+  sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(desc);
+  script_summary("Set the version of PHPGenealogie in KB");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Service detection");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+phpgenPort = get_http_port(default:80);
+if(!phpgenPort){
+  phpgenPort = 80;
+}
+
+if(!get_port_state(phpgenPort)){
+  exit(0);
+}
+
+foreach path (make_list("/geneald", "/genealogie_sql", "/genealogie", cgi_dirs()))
+{
+  sndReq = http_get(item:string(path, "/Index2.php"), port:phpgenPort);
+  rcvRes = http_send_recv(port:phpgenPort, data:sndReq);
+  if("genealogie" >< rcvRes)
+  {
+    phpgenVer = eregmatch(pattern:"> ([0-9.]+)",string:rcvRes);
+    if(phpgenVer[1] != NULL)
+    {
+      set_kb_item(name:"www/" + phpgenPort + "/PHPGenealogie",
+                  value:phpgenVer[1] + " under " + path);
+    }
+  }
+}

Added: trunk/openvas-plugins/scripts/gb_phpgenealogie_rfi_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpgenealogie_rfi_vuln.nasl	2009-10-07 15:35:56 UTC (rev 5435)
+++ trunk/openvas-plugins/scripts/gb_phpgenealogie_rfi_vuln.nasl	2009-10-08 06:22:29 UTC (rev 5436)
@@ -0,0 +1,105 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_phpgenealogie_rfi_vuln.nasl 5168 2009-10-07 09:56:24Z oct $
+#
+# PHPGenealogie 'CoupleDB.php' Remote File Inclusion Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801008);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2009-3541");
+  script_name("PHPGenealogie 'CoupleDB.php' Remote File Inclusion Vulnerability");
+  desc = "
+  Overview: This host is running PHPGenealogie and is prone to Remote File
+  Inclusion vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to error in 'DataDirectory' parameter in 'CoupleDB.php' which
+  is not properly verified before being used to include files.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary code on
+  the vulnerable Web server.
+
+  Impact level: Application/System
+
+  Affected Software/OS:
+  PHPGenealogie version 2.0
+
+  Fix: No solution or patch is available as on 07th October, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://sourceforge.net/projects/phpgenealogie/files/
+
+  References:
+  http://www.milw0rm.com/exploits/9155
+  http://xforce.iss.net/xforce/xfdb/51728
+
+  CVSS Score:
+    CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 6.7
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version and attack of PHPGenealogie");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Web application abuses");
+  script_dependencies("gb_phpgenealogie_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+phpgenPort = get_http_port(default:80);
+if(!phpgenPort){
+  exit(0);
+}
+
+phpgenVer = get_kb_item("www/" + phpgenPort + "/PHPGenealogie");
+phpgenVer = eregmatch(pattern:"^(.+) under (/.*)$", string:phpgenVer);
+
+if((phpgenVer[2] != NULL) && (!safe_checks()))
+{
+  sndReq = http_get(item:string(phpgenVer[2], "/CoupleDB.php?Parametre=0&" +
+                         "DataDirectory=xyz/OpenVAS-RemoteFileInclusion.txt"),
+                    port:phpgenPort);
+  rcvRes = http_send_recv(port:phpgenPort, data:sndReq);
+  if("xyz/OpenVAS-RemoteFileInclusion.txt" >< rcvRes)
+  {
+    security_hole(phpgenPort);
+    exit(0);
+  }
+}
+else
+{
+  if(phpgenVer[1] != NULL)
+  {
+    if(version_is_equal(version:phpgenVer[1], test_version:"2.0")){
+      security_hole(phpgenPort);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_phpgenealogie_rfi_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *



More information about the Openvas-commits mailing list