[Openvas-commits] r5474 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Sun Oct 11 19:51:18 CEST 2009


Author: mime
Date: 2009-10-11 19:51:15 +0200 (Sun, 11 Oct 2009)
New Revision: 5474

Added:
   trunk/openvas-plugins/scripts/jd_web_detect.nasl
   trunk/openvas-plugins/scripts/phplive_36226.nasl
   trunk/openvas-plugins/scripts/phplive_detect.nasl
   trunk/openvas-plugins/scripts/sympa_30727.nasl
   trunk/openvas-plugins/scripts/thin_webserver_detect.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-10 14:11:46 UTC (rev 5473)
+++ trunk/openvas-plugins/ChangeLog	2009-10-11 17:51:15 UTC (rev 5474)
@@ -1,3 +1,12 @@
+2009-10-11  Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/sympa_30727.nasl,
+	scripts/jd_web_detect.nasl,
+	scripts/thin_webserver_detect.nasl,
+	scripts/phplive_36226.nasl,
+	scripts/phplive_detect.nasl:
+	Added new plugins.
+
 2009-10-10  Thomas Reinke <reinke at securityspace.com>
 
 	* scripts/sles9p5009131.nasl,

Added: trunk/openvas-plugins/scripts/jd_web_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/jd_web_detect.nasl	2009-10-10 14:11:46 UTC (rev 5473)
+++ trunk/openvas-plugins/scripts/jd_web_detect.nasl	2009-10-11 17:51:15 UTC (rev 5474)
@@ -0,0 +1,153 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# JDownloader Web Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+JDownloader ##WEBSERVICE## is running at this port. JDownloader is open
+source, platform independent and written completely in Java. It
+simplifies downloading files from One-Click-Hosters like
+Rapidshare.com or Megaupload.com.
+
+See also:
+http://jdownloader.org
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100301);
+ script_version ("1.0-$Revision$");
+
+ script_name("JDownloader Web Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of JDownloader Webinterface and/or Webserver");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 8765, 9666);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("misc_func.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:8765);
+if(!get_port_state(port))exit(0);
+
+ url = string("/");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )exit(0);
+
+ if('WWW-Authenticate: Basic realm="JDownloader' >< buf) {
+  
+  JD = TRUE;
+  JD_WEBINTERFACE = TRUE;
+  set_kb_item(name:string("www/", port, "/password_protected"), value:TRUE);
+
+  userpass  = string("JD:JD"); # default pw
+  userpass64 = base64(str:userpass);
+  req = string("GET / HTTP/1.0\r\nAuthorization: Basic ",userpass64,"\r\n\r\n");
+  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+  
+  if(buf) {  
+    if("JDownloader - WebInterface" >< buf) {
+      DEFAULT_PW = TRUE;
+      set_kb_item(name:string("www/", port, "/jdwebinterface/default_pw"), value:TRUE);
+      version = eregmatch(pattern:"Webinterface-([0-9]+)", string:buf);
+    }  
+  }  
+ } 
+ else if("JDownloader - WebInterface" >< buf) {
+  JD = TRUE;
+  JD_WEBINTERFACE = TRUE;
+  JD_UNPROTECTED = TRUE;
+  version = eregmatch(pattern:"Webinterface-([0-9]+)", string:buf);
+ } 
+ else if("Server: jDownloader" >< buf) {
+   JD = TRUE;
+   JD_WEBSERVER = TRUE;
+   set_kb_item(name:string("www/", port, "/jdwebserver"), value:TRUE);
+ }  
+   
+
+ if(JD) {
+
+   if(JD_WEBINTERFACE) {
+
+      if(version && !isnull(version[1])) {
+       vers = version[1];
+      } else {
+       vers = string("unknown");
+      }   
+
+      set_kb_item(name: string("www/", port, "/jdwebinterface"), value: string(vers));
+
+      info  = string("None\n\nJDownloader Webinterface Version '");
+      info += string(vers);
+      info += string("' was detected on the remote host\n");
+
+      desc  = ereg_replace(
+                string:desc,
+		pattern:"##WEBSERVICE##",
+		replace:"Webinterface"
+		);
+      
+      if(JD_UNPROTECTED) {
+         info += string("\nJDownloader Webinterface is *not* protected by password.\n");
+      } 
+      else if(DEFAULT_PW) {
+         info += string("\nIt was possible for OpenVAS to log in into the JDownloader Webinterface\nby using 'JD' (the default username and password) as username and password.\n");
+      }  
+
+      desc  = ereg_replace(
+                string:desc,
+                pattern:"None$",
+                replace:info
+                );
+   }
+
+   if(JD_WEBSERVER) {
+     desc = ereg_replace(
+               string:desc,
+               pattern:"##WEBSERVICE##",
+               replace:"HTTP Server"
+               );
+   }  
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/jd_web_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/phplive_36226.nasl
===================================================================
--- trunk/openvas-plugins/scripts/phplive_36226.nasl	2009-10-10 14:11:46 UTC (rev 5473)
+++ trunk/openvas-plugins/scripts/phplive_36226.nasl	2009-10-11 17:51:15 UTC (rev 5474)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP Live! 'deptid' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100303);
+ script_bugtraq_id(36226);
+ script_version ("1.0-$Revision$");
+
+ script_name("PHP Live! 'deptid' Parameter SQL Injection Vulnerability");
+
+desc = "Overview:
+PHP Live! is prone to an SQL-injection vulnerability because it
+fails to sufficiently sanitize user-supplied data before using it in
+an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+PHP Live! 3.3 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36226
+http://www.phplivesupport.com/?freshmeat
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if PHP Live! is prone to an SQL-injection vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("phplive_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/phplive")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(version_is_equal(version: vers, test_version: "3.3")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/phplive_36226.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/phplive_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/phplive_detect.nasl	2009-10-10 14:11:46 UTC (rev 5473)
+++ trunk/openvas-plugins/scripts/phplive_detect.nasl	2009-10-11 17:51:15 UTC (rev 5474)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP Live! Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running PHP Live!. PHP Live! enables live help and live
+customer support communication directly from a website.
+
+See also:
+http://www.phplivesupport.com
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100302);
+ script_version ("1.0-$Revision$");
+
+ script_name("PHP Live! Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of PHP Live!");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/phplive","/support",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "Powered by <a [^>]+>PHP [<i>]*Live!", string: buf, icase: TRUE))
+ {
+     if(strlen(dir)>0) {
+        install=dir;
+     } else {
+        install=string("/");
+     }
+
+    vers = string("unknown");
+    ### try to get version 
+    version = eregmatch(string: buf, pattern: "v([0-9.]+)",icase:TRUE);
+
+    if ( !isnull(version[1]) ) {
+       vers=chomp(version[1]);
+    }
+
+    set_kb_item(name: string("www/", port, "/phplive"), value: string(vers," under ",install));
+
+    info = string("None\n\nPHP Live! Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host in the following directory(s):\n\n");
+    info += string(install, "\n");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"None$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+}
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/phplive_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/sympa_30727.nasl
===================================================================
--- trunk/openvas-plugins/scripts/sympa_30727.nasl	2009-10-10 14:11:46 UTC (rev 5473)
+++ trunk/openvas-plugins/scripts/sympa_30727.nasl	2009-10-11 17:51:15 UTC (rev 5474)
@@ -0,0 +1,94 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Sympa 'sympa.pl' Insecure Temporary File Creation Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100299);
+ script_bugtraq_id(30727);
+ script_cve_id("CVE-2008-4476");
+ script_version ("1.0-$Revision$");
+
+ script_name("Sympa 'sympa.pl' Insecure Temporary File Creation Vulnerability");
+
+desc = "Overview:
+Sympa creates temporary files in an insecure manner.
+
+An attacker with local access could potentially exploit this issue to
+perform symbolic-link attacks, overwriting arbitrary files in the
+context of the affected application.
+
+Successfully mounting a symlink attack may allow the attacker to
+delete or corrupt sensitive files, which may result in a denial of
+service. Other attacks may also be possible.
+
+Sympa 5.4.3 is vulnerable; other versions may also be affected.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/30727
+http://www.sympa.org/
+http://www.sympa.org/distribution/
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Sympa version is 5.4.3");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("sympa_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/sympa")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(version_is_equal(version: vers, test_version: "5.4.3")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/sympa_30727.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/thin_webserver_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/thin_webserver_detect.nasl	2009-10-10 14:11:46 UTC (rev 5473)
+++ trunk/openvas-plugins/scripts/thin_webserver_detect.nasl	2009-10-11 17:51:15 UTC (rev 5474)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Thin Webserver Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running Thin, a Ruby web server.
+
+See also:
+http://code.macournoyer.com/thin/
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100300);
+ script_version ("1.0-$Revision$");
+
+ script_name("Thin Webserver Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of Thin Webserver");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 3000);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:3000);
+if(!get_port_state(port))exit(0);
+
+banner = get_http_banner(port:port);
+if("Server: thin" >!< banner)exit(0);
+
+    vers = string("unknown");
+    ### try to get version 
+    version = eregmatch(string: banner, pattern: "Server: thin ([0-9.]+)",icase:TRUE);
+
+    if ( !isnull(version[1]) ) {
+       vers=chomp(version[1]);
+    }
+
+    set_kb_item(name: string("www/", port, "/thin"), value: string(vers));
+
+    info = string("None\n\nThin Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host\n");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"None$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ 
+
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/thin_webserver_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision



More information about the Openvas-commits mailing list