[Openvas-commits] r9046 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Sep 15 08:47:50 CEST 2010
Author: chandra
Date: 2010-09-15 08:47:45 +0200 (Wed, 15 Sep 2010)
New Revision: 9046
Added:
trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl
trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl
trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl
trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl
trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl
trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/cpe.inc
trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl
trunk/openvas-plugins/scripts/mantis_detect.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/ChangeLog 2010-09-15 06:47:45 UTC (rev 9046)
@@ -1,3 +1,24 @@
+2010-09-15 Chandrashekhar B <bchandra at secpod.com>
+
+ * scripts/gb_bugtracker_sql_inj_vuln.nasl,
+ scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl,
+ scripts/gb_smartertrack_mult_xss_vuln.nasl,
+ scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl,
+ scripts/gb_apple_safari_mult_vuln_sep10.nasl,
+ scripts/gb_mantis_xss_vuln.nasl,
+ scripts/gb_wiccle_web_builder_xss_vuln.nasl,
+ scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl,
+ scripts/gb_bugtracker_detect.nasl:
+ Added new plugins.
+
+ * scripts/cpe.inc:
+ Added new CPE.
+
+ * scripts/gb_phpmyadmin_42874.nasl: Added CVE.
+
+ * scripts/mantis_detect.nasl: Updated to detect
+ latest version.
+
2010-09-14 Veerendra G.G <veerendragg at secpod.com>
* scripts/gb_fedora_2010_14529_libglpng_fc13.nasl,
Modified: trunk/openvas-plugins/scripts/cpe.inc
===================================================================
--- trunk/openvas-plugins/scripts/cpe.inc 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/cpe.inc 2010-09-15 06:47:45 UTC (rev 9046)
@@ -885,7 +885,8 @@
"Adobe/Captivate/Ver", "^([0-9.]+)", "cpe:/a:adobe:captivate:",
"IBM-DB2/Remote/ver", "^([0-9.]+)", "cpe:/a:ibm:db2:",
"Google/Earth/Ver", "^([0-9.]+)", "cpe:/a:google:earth:",
-"www/*/Pecio_CMS", "^([0-9.]+)", "cpe:/a:pecio-cms:pecio_cms:"
+"www/*/Pecio_CMS", "^([0-9.]+)", "cpe:/a:pecio-cms:pecio_cms:",
+"www/*/btnet", "^([0-9.]+)", ""
);
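Review bot: The new `"www/*/btnet"` row on the last added line carries an empty CPE prefix, so whatever consumes this table will presumably emit a CPE that is just the bare version string with no vendor/product part, which makes registering the key pointless. Every sibling row supplies a `cpe:/a:vendor:product:` prefix and this one should too, e.g. `"www/*/btnet", "^([0-9.]+)", "cpe:/a:ifdefined:bugtracker.net:"`, with the vendor/product pair checked against the official CPE dictionary before it lands. The `^([0-9.]+)` anchor is fine for the `3.4.3 under /btnet` shape the detection script stores, since it only captures the leading version digits.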
Added: trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_adobe_prdts_sing_bof_vuln_win.nasl 11050 2010-09-13 10:30:34Z sep $
+#
+# Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801515);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2883");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Win)");
+ desc = "
+ Overview: This host is installed with Adobe Reader/Acrobat and is prone to
+ buffer overflow vulnerability
+
+ Vulnerability Insight:
+ The flaw is caused due to a boundary error within 'CoolType.dll' when
+ processing the 'uniqueName' entry of SING tables in fonts.
+
+ Impact:
+ Successful exploitation will let attackers to crash an affected application or
+ execute arbitrary code by tricking a user into opening a specially crafted PDF
+ document.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Adobe Reader version 9.3.4 and prior.
+ Adobe Acrobat version 9.3.4 and prior on windows.
+
+ Fix: No solution or patch is available as on 13th Semtember, 2010. Information
+ regarding this issue will be updated once the solution details are available
+ For updates refer, http://www.adobe.com
+
+ References:
+ http://secunia.com/advisories/41340
+ http://www.adobe.com/support/security/advisories/apsa10-02.html
+ http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Adobe Reader/Acrobat");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ script_dependencies("secpod_adobe_prdts_detect_win.nasl");
+ script_require_keys("Adobe/Acrobat/Win/Ver", "Adobe/Reader/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+readerVer = get_kb_item("Adobe/Reader/Win/Ver");
+if(!readerVer){
+ exit(0);
+}
+
+# Check for Adobe Reader version <= 9.3.4
+if(version_is_less(version:readerVer, test_version:"9.3.4"))
+{
+ security_hole(0);
+ exit(0);
+}
+
+acrobatVer = get_kb_item("Adobe/Acrobat/Win/Ver");
+if(!acrobatVer){
+ exit(0);
+}
+
+# Check for Adobe Acrobat version <= 9.3.4
+if(version_is_less_equal(version:acrobatVer, test_version:"9.3.4")){
+ security_hole(0);
+}
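Review bot: The Reader check `version_is_less(version:readerVer, test_version:"9.3.4")` disagrees with the comment directly above it and with the 'Affected Software' text, both of which say 9.3.4 and prior, so a host running exactly Reader 9.3.4 is never reported. The Acrobat branch a few lines lower already uses `version_is_less_equal`, so the Reader line should read `if(version_is_less_equal(version:readerVer, test_version:"9.3.4"))`. Separately, `script_require_keys` lists both the Acrobat and the Reader key; if that call is conjunctive in this engine, a host with only Reader installed never runs the test at all, so consider requiring a single key and relying on the `get_kb_item` guards the body already has. Minor: `Semtember` in the Fix paragraph should be `September`.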
Property changes on: trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_adobe_reader_sing_bof_vuln_lin.nasl 11050 2010-09-13 10:30:34Z sep $
+#
+# Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801516);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2883");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Linux)");
+ desc = "
+ Overview: This host is installed with Adobe Reader and is prone to buffer
+ overflow vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to a boundary error within 'CoolType.dll' when
+ processing the 'uniqueName' entry of SING tables in fonts.
+
+ Impact:
+ Successful exploitation will let attackers to crash an affected application or
+ execute arbitrary code by tricking a user into opening a specially crafted PDF
+ document.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Adobe Reader version 9.3.4 and prior.
+
+ Fix: No solution or patch is available as on 13th September, 2010. Information
+ regarding this issue will be updated once the solution details are available
+ For updates refer, http://www.adobe.com
+
+ References:
+ http://secunia.com/advisories/41340
+ http://www.adobe.com/support/security/advisories/apsa10-02.html
+ http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Adobe Reader/Acrobat");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ script_dependencies("gb_adobe_prdts_detect_lin.nasl");
+ script_require_keys("Adobe/Reader/Linux/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+readerVer = get_kb_item("Adobe/Reader/Linux/Version");
+if(!readerVer){
+ exit(0);
+}
+
+# Check for Adobe Reader version <= 9.3.4
+if(version_is_less(version:readerVer, test_version:"9.3.4")){
+ security_hole(0);
+}
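Review bot: Same boundary slip as the Windows variant: `version_is_less(version:readerVer, test_version:"9.3.4")` excludes 9.3.4 even though the comment above it and the 'Affected Software' text say 9.3.4 and prior, so a Linux Reader 9.3.4 install is silently missed. Change the line to `if(version_is_less_equal(version:readerVer, test_version:"9.3.4")){`. The 'Vulnerability Insight' paragraph names `CoolType.dll`, which reads oddly in a Linux-only test; it is worth checking the advisory for platform-neutral wording before this text is shown in Linux reports.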
Property changes on: trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_safari_mult_vuln_sep10.nasl 11073 2010-09-12 15:28:53Z sep $
+#
+# Apple Safari Multiple Vulnerabilities - Sep10
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801514);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-1805", "CVE-2010-1806", "CVE-2010-1807");
+ script_bugtraq_id(43049, 43048, 43047);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Apple Safari Multiple Vulnerabilities - Sep10");
+ desc = "
+
+ Overview: The host is installed with Apple Safari web browser and is prone
+ to multiple vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to,
+ - An use-after-free vulnerability in the application, which allows remote
+ attackers to execute arbitrary code via 'run-in' styling in an element,
+ related to object pointers.
+ - An untrusted search path vulnerability on Windows allows local users
+ to gain privileges via a Trojan horse 'explorer.exe'.
+ - An error exists in the handling of 'WebKit', which does not properly
+ validate floating-point data, which allows remote attackers to execute
+ arbitrary cod via a crafted HTML document.
+
+ Impact:
+ Successful exploitation allow attackers to execute arbitrary code or can
+ even crash the browser.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Apple Safari 5.x before 5.0.2 on Windows
+
+ Fix: Upgrade Apple Safari 5.0.2 or later,
+ For updates refer, http://www.apple.com/support/downloads/
+
+ References:
+ http://support.apple.com/kb/HT4333
+ http://lists.apple.com/archives/security-announce/2010//Sep/msg00001.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Apple Safari");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("secpod_apple_safari_detect_win_900003.nasl");
+ script_require_keys("AppleSafari/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+safVer = get_kb_item("AppleSafari/Version");
+if(!safVer){
+ exit(0);
+}
+
+# Grep for Apple Safari Version 5.x < 5.0.2((5.33.18.5)
+if(version_in_range(version:safVer, test_version:"5.0", test_version2:"5.33.18.4")){
+ security_hole(0);
+}
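Review bot: The range check `version_in_range(version:safVer, test_version:"5.0", test_version2:"5.33.18.4")` uses a marketing version as the lower bound and a build number as the upper bound, and whether it is correct depends entirely on which format the detection script stores in `AppleSafari/Version`, which is not visible here. If the KB holds build numbers such as 5.33.18.5 the range is right; if it holds marketing versions such as 5.0.2, then 5.0.2 sorts below 5.33.18.4 and the fixed release is reported as vulnerable. The comment `5.x < 5.0.2((5.33.18.5)` should say which format is expected, e.g. `## AppleSafari/Version holds the Windows build number; 5.0.2 corresponds to 5.33.18.5`, and the bound should be verified against a real 5.0.2 install. Minor: `arbitrary cod` in the description should be `arbitrary code`.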
Property changes on: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,78 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_bugtracker_detect.nasl 10932 2010-09-08 11:11:11Z sep $
+#
+# BugTracker.NET Version Detection
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801278);
+ script_version("$Revision$: 1.0");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("BugTracker.NET Version Detection");
+ desc = "
+ Overview: The script detects the version of BugTracker.NET on remote host
+ and sets the KB. ";
+
+ script_description(desc);
+ script_summary("Check for BugTracker.NET version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Service detection");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get http port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+foreach dir (make_list("/btnet", "/bugtracker", "/", cgi_dirs()))
+{
+ ## Send and Recieve the response
+ sndReq = http_get(item:string(dir, "/about.html"), port:port);
+ rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:TRUE);
+
+ ## Confirm the application
+ if(">BugTracker.NET<" >< rcvRes)
+ {
+ ## Get BugTracker.NET Version
+ ver = eregmatch(pattern:'Version ([0-9.]+)', string:rcvRes);
+ if(ver[1])
+ {
+ ## Set the KB value
+ ## BugTracker.NET 3.4.4 showing its version as 3.4.3
+ set_kb_item(name:"www/" + port + "/btnet", value:ver[1] +" under "+ dir);
+ security_note(data:"BugTracker.NET Version " + ver[1] +
+ " running at location " + dir +
+ " was detected on the host", port:port);
+ }
+ }
+}
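Review bot: With `"/"` in the directory list, `string(dir, "/about.html")` produces the request path `//about.html`, and on a hit the KB value becomes `3.4.3 under /`, so a root install is probed with a doubled slash and recorded with a different prefix shape than the sub-directory cases. The usual one-liner at the top of the loop body, `if(dir == "/") dir = "";`, makes the request `/about.html` and stores an empty location prefix. The loop also keeps going after a match, so a host exposing the app under two of the probed paths calls `set_kb_item` twice for the same `www/<port>/btnet` key; a `break` after the `security_note` would avoid that unless multiple installs per port are intended. The comment that 3.4.4 reports itself as 3.4.3 is important for consumers of this key and deserves to be repeated wherever the version is compared.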
Property changes on: trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_bugtracker_sql_inj_vuln.nasl 10932 2010-09-08 11:11:11Z sep $
+#
+# BugTracker.NET 'search.aspx' SQL Injection Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801279);
+ script_version("$Revision$: 1.0");
+ script_bugtraq_id(42784);
+ script_cve_id("CVE-2010-3188");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("BugTracker.NET 'search.aspx' SQL Injection Vulnerability");
+ desc = "
+ Overview: The host is running BugTracker.NET and is prone to SQL injection
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused by improper validation of user-supplied input via the
+ custom field parameters to 'search.aspx' that allows attacker to manipulate
+ SQL queries by injecting arbitrary SQL code.
+
+ Impact:
+ Successful exploitation will let the attacker to cause SQL Injection attack
+ and gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ BugTracker.NET version 3.4.3 and prior.
+
+ Fix: Upgrade to BugTracker.NET version 3.4.4 or later,
+ For updates refer, http://www.ifdefined.com/bugtrackernet_download.html
+
+ References:
+ http://secunia.com/advisories/41150
+ http://xforce.iss.net/xforce/xfdb/61434
+ http://www.securityfocus.com/archive/1/archive/1/513385/100/0/threaded
+ http://sourceforge.net/projects/btnet/files/btnet_3_4_4_release_notes.txt/view
+ ";
+
+ script_description(desc);
+ script_summary("Check for the version of BugTracker.NET");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("gb_bugtracker_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get BugTracker Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check for BugTracker.NET version prior to 3.4.3
+if(ver = get_version_from_kb(port:port,app:"btnet"))
+{
+ if(version_is_less(version:ver, test_version: "3.4.3")){
+ security_hole(port:port);
+ }
+}
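Review bot: The version test `version_is_less(version:ver, test_version: "3.4.3")` contradicts the description, which lists 3.4.3 and prior as affected with 3.4.4 as the fix, and the body comment `Check for BugTracker.NET version prior to 3.4.3` quietly encodes the narrower range. The detection script added in this same commit notes that 3.4.4 identifies itself as 3.4.3, so I assume the exclusion is deliberate to avoid false positives on patched hosts, but that trade-off (a genuine 3.4.3 install is never reported) is stated nowhere. Replace the comment with something like `## 3.4.3 is deliberately not flagged: the fixed 3.4.4 release reports itself as 3.4.3, so flagging it would be a false positive on patched hosts; a real 3.4.3 install is therefore missed` and add a sentence to the 'Affected Software' text saying 3.4.3 cannot be told apart from 3.4.4 by version alone.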
Property changes on: trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,90 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mantis_xss_vuln.nasl 10996 2010-09-10 13:30:29 Sep $
+#
+# MantisBT Cross-site scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801449);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-2802");
+ script_tag(name:"cvss_base", value:"3.5");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("MantisBT Cross-site scripting Vulnerability");
+ desc = "
+ Overview: This host is running MantisBT and is prone to Cross-site scripting
+ Vulnerability.
+
+ Vulnerability Insight:
+ The application allows remote authenticated users to inject arbitrary web
+ script or HTML via an HTML document with a '.gif' filename extension,
+ related to inline attachments.
+
+ Impact:
+ Successful exploitation will allow attackers to conduct cross-site scripting
+ attacks.
+
+ Impact Level: Application.
+
+ Affected Software:
+ MantisBT version prior to 1.2.2
+
+ Fix: Upgrade to MantisBT version 1.2.2 or later
+ For updates refer, http://www.mantisbt.org/download.php
+
+ References:
+ http://www.mantisbt.org/blog/?p=113
+ http://www.openwall.com/lists/oss-security/2010/08/03/7
+ http://www.openwall.com/lists/oss-security/2010/08/02/16 ";
+
+ script_description(desc);
+ script_summary("Check for the version of MantisBT");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+ script_dependencies("mantis_detect.nasl");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+mantisPort = get_http_port(default:80);
+if(!get_port_state(mantisPort)){
+ exit(0);
+}
+
+## GET the version from KB
+mantisVer = get_version_from_kb(port:mantisPort,app:"mantis");
+
+if(mantisVer != NULL)
+{
+ ## Check for the MantisBT version
+ if(version_is_less(version:mantisVer, test_version:"1.2.2")){
+ security_warning(mantisPort);
+ }
+}
Property changes on: trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Modified: trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -1,6 +1,6 @@
###############################################################################
# OpenVAS Vulnerability Test
-# $Id$
+# $Id: gb_phpmyadmin_42874.nasl 8943 2010-09-02 14:10:00Z mime $
#
# phpMyAdmin Debug Backtrace Cross Site Scripting Vulnerability
#
@@ -28,6 +28,8 @@
{
script_id(100775);
script_bugtraq_id(42874);
+ script_cve_id("CVE-2010-2958");
+ script_tag(name:"cvss_base", value:"4.3");
script_version ("1.0-$Revision$");
script_name("phpMyAdmin Debug Backtrace Cross Site Scripting Vulnerability");
Property changes on: trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl
___________________________________________________________________
Name: svn:keywords
- Id Revision
+ Revision
Added: trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_phpmyadmin_setup_script_xss_vuln.nasl 11075 2010-09-14 12:40:45Z sep $
+#
+# phpMyAdmin Setup Script Request Cross Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801286);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-3263");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("phpMyAdmin Setup Script Request Cross Site Scripting Vulnerability");
+ desc = "
+ Overview: The host is running phpMyAdmin and is prone to Cross-Site Scripting
+ Vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused by an unspecified input validation error when processing
+ spoofed requests sent to setup script, which could be exploited by attackers
+ to cause arbitrary scripting code to be executed on the user's browser session
+ in the security context of an affected site.
+
+ Impact:
+ Successful exploitation will let the attackers to execute arbitrary web
+ script or HTML in a user's browser session in the context of an affected
+ site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ phpMyAdmin versions 3.x before 3.3.7
+
+ Fix: Upgrade to phpMyAdmin version 3.3.7 or later,
+ For updates refer, http://www.phpmyadmin.net/home_page/downloads.php
+
+ References:
+ http://secunia.com/advisories/41210
+ http://xforce.iss.net/xforce/xfdb/61675
+ http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php ";
+
+ script_description(desc);
+ script_summary("Check for the version of phpMyAdmin");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("secpod_phpmyadmin_detect_900129.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get phpMyAdmin Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check for phpMyAdmin version 3.x before 3.3.7
+if(ver = get_version_from_kb(port:port,app:"phpMyAdmin"))
+{
+ if(version_in_range(version: ver, test_version:"3.0", test_version2:"3.3.6")){
+ security_warning(port:port);
+ }
+}
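Review bot: The flaw lives in phpMyAdmin's setup script, yet this test reports it purely from the KB version via `version_in_range(version: ver, test_version:"3.0", test_version2:"3.3.6")`, so an install whose `setup/` directory has been removed after configuration (something the phpMyAdmin documentation advises) is still reported as vulnerable. Consider confirming the script is reachable before flagging, e.g. requesting the setup page under the detected install directory and only calling `security_warning` when the response is not a 404, or at minimum stating in the description that the finding assumes the setup directory is still present. The version range itself agrees with the advisory's "3.x before 3.3.7".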
Property changes on: trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,94 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_smartertrack_mult_xss_vuln.nasl 10813 2010-09-14 11:13:29 sep $
+#
+# SmarterTools SmarterTrack Cross-Site Scripting Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801453);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2009-4994", "CVE-2009-4995");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("SmarterTools SmarterTrack Cross-Site Scripting Vulnerabilities");
+ desc = "
+ Overview: This host is running SmarterTools SmarterTrack and is prone
+ Cross-site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to the input passed to the 'search' parameter in
+ 'frmKBSearch.aspx' and email address to 'frmTickets.aspx' is not properly
+ sanitised before being returned to the user.
+
+ Impact:
+ Successful exploitation will let the attacker to execute arbitrary HTML and
+ script code in a user's browser session in context of an affected site.
+
+ Impact Level: Application.
+
+ Affected Software:
+ SmarterTools SmarterTrack version prior to 4.0.3504
+
+ Fix: Upgrade to SmarterTools SmarterTrack version 4.0.3504.
+ For updates refer, http://www.smartertools.com/smartertrack/help-desk-download.aspx
+
+ References:
+ http://secunia.com/advisories/36172
+ http://xforce.iss.net/xforce/xfdb/52305
+ http://holisticinfosec.org/content/view/123/45/ ";
+
+ script_description(desc);
+ script_summary("Check SmarterTools SmarterTrack is vulnerable to XSS attack");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+smartPort = "9996";
+if(!get_port_state(smartPort)){
+ exit(0);
+}
+
+## Send and receive response
+sndReq = string("GET /Main/Default.aspx HTTP/1.1", "\r\n",
+ "Host: ", get_host_name(), "\r\n\r\n");
+rcvRes = http_keepalive_send_recv(port:smartPort, data:sndReq);
+
+## Confirm the application is SmarterTools SmarterTrack
+if(">SmarterTrack" >< rcvRes )
+{
+ ## Try exploit and check response to confirm vulnerability
+ sndReq = string("GET /Main/frmKBSearch.aspx?search=%3Cscript%3Ealert(%22OpenVAS" +
+ "-XSS-Testing%22)%3C/script%3E HTTP/1.1", "\r\n",
+ "Host: ", get_host_name(), "\r\n\r\n");
+ rcvRes = http_send_recv(port:smartPort, data:sndReq);
+ if('<script>alert("OpenVAS-XSS-Testing")</script>' >< rcvRes){
+ security_warning(smartPort);
+ }
+}
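Review bot: `smartPort = "9996"` hard-codes the port as a string literal and the description block declares no `script_require_ports`, so the scanner has no reason to have probed 9996 and `get_port_state` may report it as unknown, leaving the test to exit silently on most targets, whereas every other HTTP test in this commit goes through `get_http_port`. Add `script_require_ports("Services/www", 9996);` to the description block and use `smartPort = get_http_port(default:9996);` in the body so the port comes from the service map with 9996 as the fallback. The first request is assembled by hand and sent with `http_keepalive_send_recv` while the second goes through `http_send_recv`; building both with `http_get(item:..., port:smartPort)` keeps the Host header and the rest of the request consistent. The reflected-payload check `'<script>alert("OpenVAS-XSS-Testing")</script>' >< rcvRes` is a reasonable confirmation since it requires the exact unencoded string to come back.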
Property changes on: trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Added: trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_wiccle_web_builder_xss_vuln.nasl 10966 2010-09-14 12:12:12Z sep $
+#
+# Wiccle Web Builder 'post_text' Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801288);
+ script_version("$Revision$: 1.0");
+ script_cve_id("CVE-2010-3208");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Wiccle Web Builder 'post_text' Cross-Site Scripting Vulnerability");
+ desc = "
+ Overview: The host is running Wiccle Web Builder and is prone to Cross-Site
+ scripting vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused by improper validation of user-supplied input passed via
+ the 'post_text' parameter in a site 'custom_search' action to 'index.php',
+ that allows attackers to execute arbitrary HTML and script code on the web
+ server.
+
+ Impact:
+ Successful exploitation will let the attackers to execute arbitrary web
+ script or HTML in a user's browser session in the context of an affected
+ site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Wiccle Web Builder (WWB) Versions 1.00 and 1.0.1
+
+ Fix: No solution or patch is available as on 14th September, 2010. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.wiccle.com/page/download_wiccle
+
+ References:
+ http://secunia.com/advisories/41191
+ http://xforce.iss.net/xforce/xfdb/61466
+ http://www.packetstormsecurity.com/1008-exploits/wiccle-xss.txt ";
+
+ script_description(desc);
+ script_summary("Check if Wiccle Web Builder is vulnerable to Cross-Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+foreach dir (make_list("/wwb", "/", cgi_dirs()))
+{
+ ## Send and Recieve the response
+ req = http_get(item:string(dir,"/index.php?module=site&show=home"), port:port);
+ res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+
+ ## Confirm the application
+ if("Powered by Wiccle - Wiccle Web Builder" >< res)
+ {
+ ## Construct the Attack Request
+ url = dir+ "/index.php?module=site&show=post_search&post_text=%3Cmarquee" +
+ "%3E%3Cfont%20color=red%20size=15%3EOpenVAS%20XSS%20Attack%3C/font" +
+ "%3E%3C/marquee%3E";
+
+ ## Try attack and check the response to confirm vulnerability.
+ if(http_vuln_check(port:port, url:url, pattern:"<b><marquee><font color=" +
+ "red size=15>OpenVAS XSS Attack</font></marquee>"))
+ {
+ security_warning(port);
+ exit(0);
+ }
+ }
+}
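Review bot: The document-root entry of the directory list is requested with a double slash, because `make_list("/wwb", "/", cgi_dirs())` yields `dir = "/"` and both the fingerprint URL and the attack URL are built as `dir + "/index.php?..."`, giving `//index.php?module=site&show=home`; some servers normalise this and others return 404, so the most common install location would be silently skipped on the latter. Normalise the root entry at the top of the loop body, `if(dir == "/") dir = "";`, before either request is built. The confirmation regex `<b><marquee><font color=red size=15>OpenVAS XSS Attack</font></marquee>` also ties a positive result to the page wrapping the echoed search term in `<b>`, so a reflection without that wrapper (or with different attribute quoting) is reported as not vulnerable — matching only the injected markup, e.g. `<marquee><font color=red size=15>OpenVAS XSS Attack</font></marquee>`, is what the finding actually needs. For consistency with mantis_detect.nasl in this same commit, a `if(!can_host_php(port:port)) exit(0);` guard after `get_http_port` would avoid sending the payload to hosts that cannot run index.php at all.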
Property changes on: trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision
Modified: trunk/openvas-plugins/scripts/mantis_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mantis_detect.nasl 2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/mantis_detect.nasl 2010-09-15 06:47:45 UTC (rev 9046)
@@ -1,12 +1,15 @@
###############################################################################
# OpenVAS Vulnerability Test
-# $Id$
+# $Id: mantis_detect.nasl 7517 2010-05-04 08:33:01Z chandra $
#
# Mantis Detection
#
# Authors:
# Michael Meyer
#
+# Updated By: Madhuri D <dmadhuri at secpod.com> on 2010-09-13
+# - To detect recent versions
+#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH
#
@@ -41,7 +44,7 @@
script_version ("1.0");
script_tag(name:"risk_factor", value:"None");
- script_name("Mantis Detection");
+ script_name("Mantis Detection");
script_description(desc);
script_summary("Checks for the presence of Mantis");
@@ -63,53 +66,55 @@
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port)) exit(0);
-dirs = make_list("/mantis",cgi_dirs());
+dirs = make_list("/mantis", "/mantisbt", cgi_dirs());
foreach dir (dirs) {
- url = string(dir, "/login_page.php");
+ url = string(dir, "/login_page.php");
req = http_get(item:url, port:port);
- buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if( buf == NULL )continue;
- if(
+ if(
egrep(pattern: "Copyright © [0-9]{4} - [0-9]{4} Mantis Group", string: buf) ||
egrep(pattern: ".*Powered by Mantis Bugtracker.*", string: buf) ||
egrep(pattern: ".*Mantis Bugtracker", string: buf)
)
- {
+ {
if(strlen(dir)>0) {
install=dir;
} else {
install=string("/");
- }
-
+ }
+
vers = string("unknown");
- ### try to get version
-
+ ### try to get version
+
version = eregmatch(string: buf, pattern: ".*Mantis ([0-9]+\.+[0-9]*\.*[0-9]*[a-zA-Z0-9]*).*");
- if ( !isnull(version[1]) ) {
+ if (isnull(version[1])) {
+ version = eregmatch(string: buf, pattern:">MantisBT ([0-9.]+)");
vers=version[1];
- }
-
+ }
+ vers=version[1];
+
set_kb_item(name: string("www/", port, "/mantis"), value: string(vers," under ",install));
info = string("None\n\nMantis Version (");
info += string(vers);
info += string(") was detected on the remote host in the following directory(s):\n\n");
- info += string(install, "\n");
+ info += string(install, "\n");
desc = ereg_replace(
string:desc,
pattern:"None$",
replace:info
- );
-
+ );
+
if(report_verbosity > 0) {
security_note(port:port,data:desc);
- }
+ }
exit(0);
}
}
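Review bot: The `vers = string("unknown");` default is lost when neither version pattern matches, because the unconditional `vers=version[1];` placed after the `if (isnull(version[1]))` block runs regardless of success, so `vers` becomes NULL, the KB key `www/<port>/mantis` is written as ` under /mantis` and the report says `Mantis Version ()`; before this change the assignment only happened on a successful match. Guard the assignment and drop the duplicate inside the block: `if (isnull(version[1])) { version = eregmatch(string: buf, pattern:">MantisBT ([0-9.]+)"); }` followed by `if (!isnull(version[1])) { vers = version[1]; }`. Consumers of that KB key that compare versions would presumably see an empty string rather than `unknown` under the current code — worth confirming against the vulnerability scripts that read it. The new fallback pattern's `[0-9.]+` also captures a trailing period if the page prints the version at the end of a sentence; `[0-9]+(\.[0-9]+)*` is tighter.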
Property changes on: trunk/openvas-plugins/scripts/mantis_detect.nasl
___________________________________________________________________
Name: svn:keywords
- id
+ Revision