[Openvas-commits] r9368 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Nov 9 13:58:29 CET 2010 

Author: mime
Date: 2010-11-09 13:58:26 +0100 (Tue, 09 Nov 2010)
New Revision: 9368

Added:
   trunk/openvas-plugins/scripts/gb_burning_board_44735.nasl
   trunk/openvas-plugins/scripts/gb_mahara_44705.nasl
   trunk/openvas-plugins/scripts/gb_php_44727.nasl
   trunk/openvas-plugins/scripts/gb_quick_tftp_44712.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2010-11-09 11:15:04 UTC (rev 9367)
+++ trunk/openvas-plugins/ChangeLog	2010-11-09 12:58:26 UTC (rev 9368)
@@ -1,3 +1,11 @@
+2010-11-09  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/gb_php_44727.nasl,
+	scripts/gb_burning_board_44735.nasl,
+	scripts/gb_mahara_44705.nasl,
+	scripts/gb_quick_tftp_44712.nasl:
+	Added new plugins.
+
 2010-11-05  Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/gb_bugzilla_44618.nasl,

Added: trunk/openvas-plugins/scripts/gb_burning_board_44735.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_burning_board_44735.nasl	2010-11-09 11:15:04 UTC (rev 9367)
+++ trunk/openvas-plugins/scripts/gb_burning_board_44735.nasl	2010-11-09 12:58:26 UTC (rev 9368)
@@ -0,0 +1,81 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Woltlab Burning Board 'locator.php' SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100896);
+ script_bugtraq_id(44735);
+ script_version ("1.0-$Revision$");
+
+ script_name("Woltlab Burning Board 'locator.php' SQL Injection Vulnerability");
+
+desc = "Overview:
+Woltlab Burning Board is prone to an SQL-injection vulnerability
+because it fails to sufficiently sanitize user-supplied data before
+using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+Woltlab Burning Board 2.5 is vulnerable; other versions may also
+be affected.
+
+References:
+https://www.securityfocus.com/bid/44735
+http://www.woltlab.com/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed Burning Board version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("secpod_woltlab_burning_board_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(vers = get_version_from_kb(port:port,app:"BurningBoard")) {
+
+  if(version_is_equal(version: vers, test_version: "2.5")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/gb_burning_board_44735.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_mahara_44705.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mahara_44705.nasl	2010-11-09 11:15:04 UTC (rev 9367)
+++ trunk/openvas-plugins/scripts/gb_mahara_44705.nasl	2010-11-09 12:58:26 UTC (rev 9368)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mahara 'groupviews.tpl' Cross Site Scripting Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100897);
+ script_bugtraq_id(44705);
+ script_cve_id("CVE-2010-3871");
+ script_version ("1.0-$Revision$");
+
+ script_name("Mahara 'groupviews.tpl' Cross Site Scripting Vulnerability");
+
+desc = "Overview:
+Mahara is prone to a cross-site scripting vulnerability because it
+fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary HTML and
+script code in the browser of an unsuspecting user in the context of
+the affected site. This may let the attacker steal cookie-based
+authentication credentials and launch other attacks.
+
+Versions prior to Mahara 1.3.3 are vulnerable.
+
+Solution:
+The vendor has released updates. Please see the references for
+details.
+
+References:
+https://www.securityfocus.com/bid/44705
+http://wiki.mahara.org/Release_Notes/1.3.3
+http://mahara.org/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed Mahara version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("secpod_mahara_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(vers = get_version_from_kb(port:port,app:"Mahara")) {
+
+  if(version_is_less(version: vers, test_version: "1.3.3")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/gb_mahara_44705.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_php_44727.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_44727.nasl	2010-11-09 11:15:04 UTC (rev 9367)
+++ trunk/openvas-plugins/scripts/gb_php_44727.nasl	2010-11-09 12:58:26 UTC (rev 9368)
@@ -0,0 +1,81 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP 'mb_strcut()' Function Information Disclosure Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100898);
+ script_bugtraq_id(44727);
+ script_cve_id("CVE-2010-4156");
+ script_version ("1.0-$Revision$");
+
+ script_name("PHP 'mb_strcut()' Function Information Disclosure Vulnerability");
+
+desc = "Overview:
+PHP is prone to an information-disclosure vulnerability.
+
+Attackers can exploit this issue to obtain sensitive information that
+may lead to further attacks.
+
+Solution:
+Updates are available; please see the references for more information.
+
+References:
+https://www.securityfocus.com/bid/44727
+http://permalink.gmane.org/gmane.comp.security.oss.general/3715
+http://www.php.net/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed oho version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("General");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("gb_php_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(!vers = get_kb_item(string("www/", port, "/PHP")))exit(0);
+
+if(!isnull(vers)) {
+
+  if(version_in_range(version: vers, test_version: "5", test_version2: "5.3.3")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/gb_php_44727.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_quick_tftp_44712.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_quick_tftp_44712.nasl	2010-11-09 11:15:04 UTC (rev 9367)
+++ trunk/openvas-plugins/scripts/gb_quick_tftp_44712.nasl	2010-11-09 12:58:26 UTC (rev 9368)
@@ -0,0 +1,77 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Quick Tftp Server Pro Directory Traversal Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100899);
+ script_bugtraq_id(44712);
+ script_version ("1.0-$Revision$");
+
+ script_name("Quick Tftp Server Pro Directory Traversal Vulnerability");
+
+desc = "Overview:
+Quick Tftp Server Pro is prone to a directory-traversal vulnerability
+because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue can allow an attacker to retrieve arbitrary
+files outside of the FTP server root directory. This may aid in
+further attacks.
+
+Quick Tftp Server Pro 2.1 is vulnerable; other versions may also
+be affected.
+
+References:
+https://www.securityfocus.com/bid/44712
+http://www.tallsoft.com/tftpserver.htm";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if Quick Tftp Server Pro is prone to a directory-traversal vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Remote file access");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("tftpd_detect.nasl", "tftpd_backdoor.nasl");
+ script_require_keys("Services/udp/tftp");
+ script_exclude_keys('tftp/backdoor');
+ exit(0);
+}
+
+
+include("tftp.inc");
+
+port = get_kb_item("Services/udp/tftp");
+if (!port) port = 69;
+if (get_kb_item('tftp/'+port+'/backdoor')) exit(0);
+
+get = tftp_get(port:port, path:"../../../../../../../../../../../../boot.ini");
+if (isnull(get)) exit(0);
+
+if("[boot loader]" >< get) {
+  security_warning(port:port);
+  exit(0);
+}  
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/gb_quick_tftp_44712.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

More information about the Openvas-commits mailing list