[Openvas-commits] r9046 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Sep 15 08:47:50 CEST 2010


Author: chandra
Date: 2010-09-15 08:47:45 +0200 (Wed, 15 Sep 2010)
New Revision: 9046

Added:
   trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl
   trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl
   trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/cpe.inc
   trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl
   trunk/openvas-plugins/scripts/mantis_detect.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/ChangeLog	2010-09-15 06:47:45 UTC (rev 9046)
@@ -1,3 +1,24 @@
+2010-09-15  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/gb_bugtracker_sql_inj_vuln.nasl,
+	scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl,
+	scripts/gb_smartertrack_mult_xss_vuln.nasl,
+	scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl,
+	scripts/gb_apple_safari_mult_vuln_sep10.nasl,
+	scripts/gb_mantis_xss_vuln.nasl,
+	scripts/gb_wiccle_web_builder_xss_vuln.nasl,
+	scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl,
+	scripts/gb_bugtracker_detect.nasl:
+	Added new plugins.
+
+	* scripts/cpe.inc:
+	Added new CPE.
+
+	* scripts/gb_phpmyadmin_42874.nasl: Added CVE.
+
+	* scripts/mantis_detect.nasl: Updated to detect
+	latest version.
+
 2010-09-14  Veerendra G.G <veerendragg at secpod.com>
 
 	* scripts/gb_fedora_2010_14529_libglpng_fc13.nasl,

Modified: trunk/openvas-plugins/scripts/cpe.inc
===================================================================
--- trunk/openvas-plugins/scripts/cpe.inc	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/cpe.inc	2010-09-15 06:47:45 UTC (rev 9046)
@@ -885,7 +885,8 @@
 "Adobe/Captivate/Ver", "^([0-9.]+)", "cpe:/a:adobe:captivate:",
 "IBM-DB2/Remote/ver", "^([0-9.]+)", "cpe:/a:ibm:db2:",
 "Google/Earth/Ver", "^([0-9.]+)", "cpe:/a:google:earth:",
-"www/*/Pecio_CMS", "^([0-9.]+)", "cpe:/a:pecio-cms:pecio_cms:"
+"www/*/Pecio_CMS", "^([0-9.]+)", "cpe:/a:pecio-cms:pecio_cms:",
+"www/*/btnet", "^([0-9.]+)", ""
 
 );
 
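Review bot: The new table row `"www/*/btnet", "^([0-9.]+)", ""` registers the BugTracker.NET KB key with an empty CPE string, so any CPE built from this entry for the `www/<port>/btnet` value written by gb_bugtracker_detect.nasl will be empty or malformed, even though the ChangeLog entry describes this as "Added new CPE". Fill in the prefix in the same form as the surrounding rows, e.g. `"www/*/btnet", "^([0-9.]+)", "cpe:/a:<vendor>:<product>:"` with the placeholder replaced by the vendor/product pair the project uses for BugTracker.NET, or drop the row until that value is known. The table's closing `);` shows this is now the last entry, so no trailing comma is needed.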

Added: trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_adobe_prdts_sing_bof_vuln_win.nasl 11050 2010-09-13 10:30:34Z sep $
+#
+# Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801515);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-2883");
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Win)");
+  desc = "
+  Overview: This host is installed with Adobe Reader/Acrobat and is prone to
+  buffer overflow vulnerability
+
+  Vulnerability Insight:
+  The flaw is caused due to a boundary error within 'CoolType.dll' when
+  processing the 'uniqueName' entry of SING tables in fonts.
+
+  Impact:
+  Successful exploitation will let attackers to crash an affected application or
+  execute arbitrary code by tricking a user into opening a specially crafted PDF
+  document.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Adobe Reader version 9.3.4 and prior.
+  Adobe Acrobat version 9.3.4 and prior on windows.
+
+  Fix: No solution or patch is available as on 13th Semtember, 2010. Information
+  regarding this issue will be updated once the solution details are available
+  For updates refer, http://www.adobe.com
+
+  References:
+  http://secunia.com/advisories/41340
+  http://www.adobe.com/support/security/advisories/apsa10-02.html
+  http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Adobe Reader/Acrobat");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_adobe_prdts_detect_win.nasl");
+  script_require_keys("Adobe/Acrobat/Win/Ver", "Adobe/Reader/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+readerVer = get_kb_item("Adobe/Reader/Win/Ver");
+if(!readerVer){
+  exit(0);
+}
+
+# Check for Adobe Reader version <= 9.3.4
+if(version_is_less(version:readerVer, test_version:"9.3.4"))
+{
+  security_hole(0);
+  exit(0);
+}
+
+acrobatVer = get_kb_item("Adobe/Acrobat/Win/Ver");
+if(!acrobatVer){
+  exit(0);
+}
+
+# Check for Adobe Acrobat version <= 9.3.4
+if(version_is_less_equal(version:acrobatVer, test_version:"9.3.4")){
+  security_hole(0);
+}
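Review bot: Reader 9.3.4 is listed as affected (`Adobe Reader version 9.3.4 and prior`) and the comment says `<= 9.3.4`, yet the check uses `version_is_less(version:readerVer, test_version:"9.3.4")`, so a host on exactly 9.3.4 is reported clean while the Acrobat branch below correctly uses `version_is_less_equal`; gb_adobe_reader_sing_bof_vuln_lin.nasl repeats the same off-by-one in its single Reader check. A second gap is `if(!readerVer){ exit(0); }`, which ends the script when Reader is absent so the Acrobat check is never reached on an Acrobat-only host; `script_require_keys` naming both keys may already stop the script from running there at all, which is worth confirming against the scanner's key semantics. The description string also misspells the month in `as on 13th Semtember, 2010`. I would collapse the Reader branch so a missing Reader falls through to Acrobat:
```nasl
readerVer = get_kb_item("Adobe/Reader/Win/Ver");
# Reader 9.3.4 is itself affected; an absent Reader must not end the script
# before the Acrobat check below has run.
if(readerVer && version_is_less_equal(version:readerVer, test_version:"9.3.4"))
{
  security_hole(0);
  exit(0);
}

acrobatVer = get_kb_item("Adobe/Acrobat/Win/Ver");
# … unchanged: Acrobat <= 9.3.4 check …
```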


Property changes on: trunk/openvas-plugins/scripts/gb_adobe_prdts_sing_bof_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_adobe_reader_sing_bof_vuln_lin.nasl 11050 2010-09-13 10:30:34Z sep $
+#
+# Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801516);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-2883");
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Adobe Acrobat and Reader SING 'uniqueName' Buffer Overflow Vulnerability (Linux)");
+  desc = "
+  Overview: This host is installed with Adobe Reader and is prone to buffer
+  overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to a boundary error within 'CoolType.dll' when
+  processing the 'uniqueName' entry of SING tables in fonts.
+
+  Impact:
+  Successful exploitation will let attackers to crash an affected application or
+  execute arbitrary code by tricking a user into opening a specially crafted PDF
+  document.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Adobe Reader version 9.3.4 and prior.
+
+  Fix: No solution or patch is available as on 13th September, 2010. Information
+  regarding this issue will be updated once the solution details are available
+  For updates refer, http://www.adobe.com
+
+  References:
+  http://secunia.com/advisories/41340
+  http://www.adobe.com/support/security/advisories/apsa10-02.html
+  http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Adobe Reader/Acrobat");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("gb_adobe_prdts_detect_lin.nasl");
+  script_require_keys("Adobe/Reader/Linux/Version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+readerVer = get_kb_item("Adobe/Reader/Linux/Version");
+if(!readerVer){
+  exit(0);
+}
+
+# Check for Adobe Reader version <= 9.3.4
+if(version_is_less(version:readerVer, test_version:"9.3.4")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/gb_adobe_reader_sing_bof_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_safari_mult_vuln_sep10.nasl 11073 2010-09-12 15:28:53Z sep $
+#
+# Apple Safari Multiple Vulnerabilities - Sep10
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801514);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-1805", "CVE-2010-1806", "CVE-2010-1807");
+  script_bugtraq_id(43049, 43048, 43047);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Apple Safari Multiple Vulnerabilities - Sep10");
+  desc = "
+
+  Overview: The host is installed with Apple Safari web browser and is prone
+  to multiple vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - An use-after-free vulnerability in the application, which allows remote
+    attackers to execute arbitrary code via 'run-in' styling in an element,
+    related to object pointers.
+  - An untrusted search path vulnerability on Windows allows local users
+    to gain privileges via a Trojan horse 'explorer.exe'.
+  - An error exists in the handling of 'WebKit', which does not properly
+    validate floating-point data, which allows remote attackers to execute
+    arbitrary cod via a crafted HTML document.
+
+  Impact:
+  Successful exploitation allow attackers to execute arbitrary code or can
+  even crash the browser.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Apple Safari 5.x before 5.0.2 on Windows
+
+  Fix: Upgrade Apple Safari 5.0.2 or later,
+  For updates refer, http://www.apple.com/support/downloads/
+
+  References:
+  http://support.apple.com/kb/HT4333
+  http://lists.apple.com/archives/security-announce/2010//Sep/msg00001.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Apple Safari");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("secpod_apple_safari_detect_win_900003.nasl");
+  script_require_keys("AppleSafari/Version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+safVer = get_kb_item("AppleSafari/Version");
+if(!safVer){
+  exit(0);
+}
+
+# Grep for Apple Safari Version 5.x < 5.0.2((5.33.18.5)
+if(version_in_range(version:safVer, test_version:"5.0", test_version2:"5.33.18.4")){
+  security_hole(0);
+}
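Review bot: The comment `# Grep for Apple Safari Version 5.x < 5.0.2((5.33.18.5)` has unbalanced parentheses and does not explain that the range end `5.33.18.4` is the build number just below 5.0.2's build `5.33.18.5`, which is what a reader needs to verify the `version_in_range` call; I would write `# Safari 5.x before 5.0.2 (5.0.2 is build 5.33.18.5), so flag 5.0 .. 5.33.18.4 inclusive`. The range is only correct if `AppleSafari/Version` holds the build-style number: should the detect script store the marketing version instead, `5.0.2` itself falls inside `5.0 .. 5.33.18.4` and the fixed release would be flagged. That format is decided by secpod_apple_safari_detect_win_900003.nasl, which is outside this commit, so it should be confirmed against that script's output.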


Property changes on: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_sep10.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,78 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_bugtracker_detect.nasl 10932 2010-09-08 11:11:11Z sep $
+#
+# BugTracker.NET Version Detection
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801278);
+  script_version("$Revision$: 1.0");
+  script_tag(name:"risk_factor", value:"None");
+  script_name("BugTracker.NET Version Detection");
+  desc = "
+  Overview: The script detects the version of BugTracker.NET on remote host
+  and sets the KB. ";
+
+  script_description(desc);
+  script_summary("Check for BugTracker.NET version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+  script_family("Service detection");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get http port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+foreach dir (make_list("/btnet", "/bugtracker", "/", cgi_dirs()))
+{
+  ## Send and Recieve the response
+  sndReq = http_get(item:string(dir, "/about.html"), port:port);
+  rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:TRUE);
+
+  ## Confirm the application
+  if(">BugTracker.NET<" >< rcvRes)
+  {
+    ## Get BugTracker.NET Version
+    ver = eregmatch(pattern:'Version ([0-9.]+)', string:rcvRes);
+    if(ver[1])
+    {
+      ## Set the KB value
+      ## BugTracker.NET 3.4.4 showing its version as 3.4.3
+      set_kb_item(name:"www/" + port + "/btnet", value:ver[1] +" under "+ dir);
+      security_note(data:"BugTracker.NET Version " + ver[1] +
+                         " running at location "  + dir +
+                         " was detected on the host", port:port);
+    }
+  }
+}
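Review bot: The caveat `## BugTracker.NET 3.4.4 showing its version as 3.4.3` sits on the `set_kb_item` line but does not say what a consumer of `www/<port>/btnet` should conclude from it, namely that 3.4.3 and 3.4.4 cannot be told apart from about.html, so any check keyed on exactly 3.4.3 will either miss 3.4.3 or false-positive on the fixed 3.4.4. I would expand it to `## NOTE: 3.4.4 still prints 'Version 3.4.3' on about.html, so this key cannot separate 3.4.3 from 3.4.4; version checks built on it should flag < 3.4.3 only, or confirm by other means`. Separately, `rcvRes` is never checked before the `>< rcvRes` tests; an `if(!rcvRes) continue;` after `http_keepalive_send_recv` keeps the string operators off an empty or NULL response. The `"/"` entry of the directory list also produces the request path `//about.html`, which most servers normalise but which is worth confirming rather than assuming.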


Property changes on: trunk/openvas-plugins/scripts/gb_bugtracker_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_bugtracker_sql_inj_vuln.nasl 10932 2010-09-08 11:11:11Z sep $
+#
+# BugTracker.NET 'search.aspx' SQL Injection Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801279);
+  script_version("$Revision$: 1.0");
+  script_bugtraq_id(42784);
+  script_cve_id("CVE-2010-3188");
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("BugTracker.NET 'search.aspx' SQL Injection Vulnerability");
+  desc = "
+  Overview: The host is running BugTracker.NET and is prone to SQL injection
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by improper validation of user-supplied input via the
+  custom field parameters to 'search.aspx' that allows attacker to manipulate
+  SQL queries by injecting arbitrary SQL code.
+
+  Impact:
+  Successful exploitation will let the attacker to cause SQL Injection attack
+  and gain sensitive information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  BugTracker.NET version 3.4.3 and prior.
+
+  Fix: Upgrade to BugTracker.NET version 3.4.4 or later,
+  For updates refer, http://www.ifdefined.com/bugtrackernet_download.html
+
+  References:
+  http://secunia.com/advisories/41150
+  http://xforce.iss.net/xforce/xfdb/61434
+  http://www.securityfocus.com/archive/1/archive/1/513385/100/0/threaded
+  http://sourceforge.net/projects/btnet/files/btnet_3_4_4_release_notes.txt/view
+  ";
+
+  script_description(desc);
+  script_summary("Check for the version of BugTracker.NET");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("gb_bugtracker_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get BugTracker Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check for BugTracker.NET version prior to 3.4.3
+if(ver = get_version_from_kb(port:port,app:"btnet"))
+{
+  if(version_is_less(version:ver, test_version: "3.4.3")){
+      security_hole(port:port);
+  }
+}
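Review bot: The description says `BugTracker.NET version 3.4.3 and prior` are affected, but `version_is_less(version:ver, test_version: "3.4.3")` does not flag 3.4.3 itself, and the comment `## Check for BugTracker.NET version prior to 3.4.3` contradicts the description instead of explaining the gap. Per gb_bugtracker_detect.nasl in this same commit, 3.4.4 reports itself as 3.4.3, so `version_is_less` appears to be a deliberate choice that avoids a false positive on the fixed release at the cost of missing a genuine 3.4.3; that trade-off belongs in the comment, e.g. `## 3.4.4 (the fixed release) identifies itself as 3.4.3, so 3.4.3 cannot be told apart from it; only < 3.4.3 is flagged to avoid false positives`. If the trade-off is unintended, the one-line change is `if(version_is_less_equal(version:ver, test_version:"3.4.3")){`, with the resulting false positive on 3.4.4 accepted and stated in the description.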


Property changes on: trunk/openvas-plugins/scripts/gb_bugtracker_sql_inj_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,90 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mantis_xss_vuln.nasl 10996 2010-09-10 13:30:29 Sep $
+#
+# MantisBT Cross-site scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801449);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-2802");
+  script_tag(name:"cvss_base", value:"3.5");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("MantisBT Cross-site scripting Vulnerability");
+  desc = "
+  Overview: This host is running MantisBT and is prone to Cross-site scripting
+  Vulnerability.
+
+  Vulnerability Insight:
+  The application allows remote authenticated users to inject arbitrary web
+  script or HTML via an HTML document with a '.gif' filename extension,
+  related to inline attachments.
+
+  Impact:
+  Successful exploitation will allow attackers to conduct cross-site scripting
+  attacks.
+
+  Impact Level: Application.
+
+  Affected Software:
+  MantisBT version prior to 1.2.2
+
+  Fix: Upgrade to MantisBT version 1.2.2 or later
+  For updates refer, http://www.mantisbt.org/download.php
+
+  References:
+  http://www.mantisbt.org/blog/?p=113
+  http://www.openwall.com/lists/oss-security/2010/08/03/7
+  http://www.openwall.com/lists/oss-security/2010/08/02/16 ";
+
+  script_description(desc);
+  script_summary("Check for the version of MantisBT");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
+  script_dependencies("mantis_detect.nasl");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+mantisPort = get_http_port(default:80);
+if(!get_port_state(mantisPort)){
+  exit(0);
+}
+
+## GET the version from KB
+mantisVer = get_version_from_kb(port:mantisPort,app:"mantis");
+
+if(mantisVer != NULL)
+{
+  ## Check for the  MantisBT version
+  if(version_is_less(version:mantisVer, test_version:"1.2.2")){
+    security_warning(mantisPort);
+  }
+}
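Review bot: `security_warning(mantisPort)` passes the port positionally while the other checks added in this commit (gb_bugtracker_sql_inj_vuln.nasl, gb_phpmyadmin_setup_script_xss_vuln.nasl) use the named form `security_warning(port:port)`; the named form is unambiguous, so `security_warning(port:mantisPort);`. The port guard `if(!get_port_state(mantisPort))` likewise departs from the `if(!port)` idiom used by those sibling scripts after `get_http_port` without an evident reason, and the double space in `## Check for the  MantisBT version` should be collapsed.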


Property changes on: trunk/openvas-plugins/scripts/gb_mantis_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Modified: trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -1,6 +1,6 @@
 ###############################################################################
 # OpenVAS Vulnerability Test
-# $Id$
+# $Id: gb_phpmyadmin_42874.nasl 8943 2010-09-02 14:10:00Z mime $
 #
 # phpMyAdmin Debug Backtrace Cross Site Scripting Vulnerability
 #
@@ -28,6 +28,8 @@
 {
  script_id(100775);
  script_bugtraq_id(42874);
+ script_cve_id("CVE-2010-2958");
+ script_tag(name:"cvss_base", value:"4.3");
  script_version ("1.0-$Revision$");
 
  script_name("phpMyAdmin Debug Backtrace Cross Site Scripting Vulnerability");


Property changes on: trunk/openvas-plugins/scripts/gb_phpmyadmin_42874.nasl
___________________________________________________________________
Name: svn:keywords
   - Id Revision
   + Revision

Added: trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_phpmyadmin_setup_script_xss_vuln.nasl 11075 2010-09-14 12:40:45Z sep $
+#
+# phpMyAdmin Setup Script Request Cross Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801286);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-3263");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("phpMyAdmin Setup Script Request Cross Site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running phpMyAdmin and is prone to Cross-Site Scripting
+  Vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by an unspecified input validation error when processing
+  spoofed requests sent to setup script, which could be exploited by attackers
+  to cause arbitrary scripting code to be executed on the user's browser session
+  in the security context of an affected site.
+
+  Impact:
+  Successful exploitation will let the attackers to execute arbitrary web
+  script or HTML in a user's browser session in the context of an affected
+  site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  phpMyAdmin versions 3.x before 3.3.7
+
+  Fix: Upgrade to phpMyAdmin version 3.3.7 or later,
+  For updates refer, http://www.phpmyadmin.net/home_page/downloads.php
+
+  References:
+  http://secunia.com/advisories/41210
+  http://xforce.iss.net/xforce/xfdb/61675
+  http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php ";
+
+  script_description(desc);
+  script_summary("Check for the version of phpMyAdmin");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("secpod_phpmyadmin_detect_900129.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get phpMyAdmin Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check for phpMyAdmin version 3.x before 3.3.7
+if(ver = get_version_from_kb(port:port,app:"phpMyAdmin"))
+{
+  if(version_in_range(version: ver, test_version:"3.0", test_version2:"3.3.6")){
+    security_warning(port:port);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_phpmyadmin_setup_script_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,94 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_smartertrack_mult_xss_vuln.nasl 10813 2010-09-14 11:13:29 sep $
+#
+# SmarterTools SmarterTrack Cross-Site Scripting Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801453);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2009-4994", "CVE-2009-4995");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("SmarterTools SmarterTrack Cross-Site Scripting Vulnerabilities");
+  desc = "
+  Overview: This host is running SmarterTools SmarterTrack and is prone
+  Cross-site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to the input passed to the 'search' parameter in
+  'frmKBSearch.aspx' and email address to 'frmTickets.aspx' is not properly
+  sanitised before being returned to the user.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary HTML and
+  script code in a user's browser session in context of an affected site.
+
+  Impact Level: Application.
+
+  Affected Software:
+  SmarterTools SmarterTrack version prior to 4.0.3504
+
+  Fix: Upgrade to SmarterTools SmarterTrack version 4.0.3504.
+  For updates refer, http://www.smartertools.com/smartertrack/help-desk-download.aspx
+
+  References:
+  http://secunia.com/advisories/36172
+  http://xforce.iss.net/xforce/xfdb/52305
+  http://holisticinfosec.org/content/view/123/45/ ";
+
+  script_description(desc);
+  script_summary("Check SmarterTools SmarterTrack is vulnerable to XSS attack");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+smartPort = "9996";
+if(!get_port_state(smartPort)){
+  exit(0);
+}
+
+## Send and receive response
+sndReq = string("GET /Main/Default.aspx HTTP/1.1", "\r\n",
+                    "Host: ", get_host_name(), "\r\n\r\n");
+rcvRes = http_keepalive_send_recv(port:smartPort, data:sndReq);
+
+## Confirm the application is SmarterTools SmarterTrack
+if(">SmarterTrack" >< rcvRes )
+{
+  ## Try exploit and check response to confirm vulnerability
+  sndReq = string("GET /Main/frmKBSearch.aspx?search=%3Cscript%3Ealert(%22OpenVAS" +
+                         "-XSS-Testing%22)%3C/script%3E HTTP/1.1", "\r\n",
+                          "Host: ", get_host_name(), "\r\n\r\n");
+  rcvRes = http_send_recv(port:smartPort, data:sndReq);
+  if('<script>alert("OpenVAS-XSS-Testing")</script>' >< rcvRes){
+    security_warning(smartPort);
+  }
+}
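Review bot: `smartPort = "9996";` hard-codes the port as a string literal and the description block declares neither `script_require_ports` nor a dependency on `http_version.nasl`, so the check cannot follow an installation on any other port and `get_port_state` receives a string where the sibling scripts pass the integer returned by `get_http_port`. I would add `script_require_ports("Services/www", 9996);` to the description block and replace the assignment with `smartPort = get_http_port(default:9996);`, keeping the `get_port_state` guard. The first request goes through `http_keepalive_send_recv` and the second through `http_send_recv`; unless the difference is intentional, use one helper for both. The description text `is prone Cross-site scripting vulnerabilities` is also missing `to`.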


Property changes on: trunk/openvas-plugins/scripts/gb_smartertrack_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Added: trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_wiccle_web_builder_xss_vuln.nasl 10966 2010-09-14 12:12:12Z sep $
+#
+# Wiccle Web Builder 'post_text' Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801288);
+  script_version("$Revision$: 1.0");
+  script_cve_id("CVE-2010-3208");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Wiccle Web Builder 'post_text' Cross-Site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running Wiccle Web Builder and is prone to Cross-Site
+  scripting vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by improper validation of user-supplied input passed via
+  the 'post_text' parameter in a site 'custom_search' action to 'index.php',
+  that allows attackers to execute arbitrary HTML and script code on the web
+  server.
+
+  Impact:
+  Successful exploitation will let the attackers to execute arbitrary web
+  script or HTML in a user's browser session in the context of an affected
+  site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Wiccle Web Builder (WWB) Versions 1.00 and 1.0.1
+
+  Fix: No solution or patch is available as on 14th September, 2010. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.wiccle.com/page/download_wiccle
+
+  References:
+  http://secunia.com/advisories/41191
+  http://xforce.iss.net/xforce/xfdb/61466
+  http://www.packetstormsecurity.com/1008-exploits/wiccle-xss.txt ";
+
+  script_description(desc);
+  script_summary("Check if Wiccle Web Builder is vulnerable to Cross-Site Scripting");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2010 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+foreach dir (make_list("/wwb", "/", cgi_dirs()))
+{
+  ## Send and Recieve the response
+  req = http_get(item:string(dir,"/index.php?module=site&show=home"), port:port);
+  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+
+  ## Confirm the application
+  if("Powered by Wiccle - Wiccle Web Builder" >< res)
+  {
+    ## Construct the Attack Request
+    url = dir+ "/index.php?module=site&show=post_search&post_text=%3Cmarquee" +
+          "%3E%3Cfont%20color=red%20size=15%3EOpenVAS%20XSS%20Attack%3C/font" +
+          "%3E%3C/marquee%3E";
+
+    ## Try attack and check the response to confirm vulnerability.
+    if(http_vuln_check(port:port, url:url, pattern:"<b><marquee><font color=" +
+                       "red size=15>OpenVAS XSS Attack</font></marquee>"))
+    {
+      security_warning(port);
+      exit(0);
+    }
+  }
+}
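Review bot: When the loop variable is the `"/"` entry of the make_list on the foreach line, both the `req = http_get(item:string(dir,"/index.php?...` line and the `url = dir+ "/index.php?...` line produce a path starting with `//index.php`; some servers route a double leading slash differently from `/index.php`, so an install at the document root may be missed by both the fingerprint request and the confirmation request. Normalizing once at the top of the loop body, `if(dir == "/") dir = "";`, fixes both places. The `## Send and Recieve the response` comment has a typo ("Receive"). The hunk covers the whole file, so the loop and the description block are complete here.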


Property changes on: trunk/openvas-plugins/scripts/gb_wiccle_web_builder_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision

Modified: trunk/openvas-plugins/scripts/mantis_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mantis_detect.nasl	2010-09-14 21:39:29 UTC (rev 9045)
+++ trunk/openvas-plugins/scripts/mantis_detect.nasl	2010-09-15 06:47:45 UTC (rev 9046)
@@ -1,12 +1,15 @@
 ###############################################################################
 # OpenVAS Vulnerability Test
-# $Id$
+# $Id: mantis_detect.nasl 7517 2010-05-04 08:33:01Z chandra $
 #
 # Mantis Detection
 #
 # Authors:
 # Michael Meyer
 #
+# Updated By: Madhuri D <dmadhuri at secpod.com> on 2010-09-13
+#    - To detect recent versions
+#
 # Copyright:
 # Copyright (c) 2009 Greenbone Networks GmbH
 #
@@ -41,7 +44,7 @@
  script_version ("1.0");
  script_tag(name:"risk_factor", value:"None");
 
- script_name("Mantis Detection");  
+ script_name("Mantis Detection");
 
  script_description(desc);
  script_summary("Checks for the presence of Mantis");
@@ -63,53 +66,55 @@
 if(!get_port_state(port))exit(0);
 if(!can_host_php(port:port)) exit(0);
 
-dirs = make_list("/mantis",cgi_dirs());
+dirs = make_list("/mantis", "/mantisbt", cgi_dirs());
 
 foreach dir (dirs) {
 
- url = string(dir, "/login_page.php"); 
+ url = string(dir, "/login_page.php");
  req = http_get(item:url, port:port);
- buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);  
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
  if( buf == NULL )continue;
 
- if( 
+ if(
     egrep(pattern: "Copyright &copy; [0-9]{4} - [0-9]{4} Mantis Group", string: buf)   ||
     egrep(pattern: ".*Powered by Mantis Bugtracker.*", string: buf) ||
     egrep(pattern: ".*Mantis Bugtracker", string: buf)
    )
- { 
+ {
      if(strlen(dir)>0) {
         install=dir;
      } else {
         install=string("/");
-     }  
-    
+     }
+
     vers = string("unknown");
 
-    ### try to get version 
-      
+    ### try to get version
+
       version = eregmatch(string: buf, pattern: ".*Mantis ([0-9]+\.+[0-9]*\.*[0-9]*[a-zA-Z0-9]*).*");
 
-      if ( !isnull(version[1]) ) {
+      if (isnull(version[1])) {
+        version = eregmatch(string: buf, pattern:">MantisBT ([0-9.]+)");
         vers=version[1];
-      }  
-    
+      }
+      vers=version[1];
+
     set_kb_item(name: string("www/", port, "/mantis"), value: string(vers," under ",install));
 
     info = string("None\n\nMantis Version (");
     info += string(vers);
     info += string(") was detected on the remote host in the following directory(s):\n\n");
-    info += string(install, "\n"); 
+    info += string(install, "\n");
 
     desc = ereg_replace(
         string:desc,
         pattern:"None$",
         replace:info
-    );    
-       
+    );
+
        if(report_verbosity > 0) {
          security_note(port:port,data:desc);
-       }	 
+       }
        exit(0);
   }
 }
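Review bot: The unconditional `vers=version[1];` added right after the `if (isnull(version[1])) { ... }` block discards the `vers = string("unknown")` default: when neither eregmatch matches, `version[1]` is null and `vers` becomes null, so the value written to the `www/<port>/mantis` KB key and the "Mantis Version (...)" report text presumably come out empty instead of `unknown` as they did before this change. The `vers=version[1];` that remains inside the if is also redundant with the new one. Keep the default by replacing both with a single guarded assignment after the fallback match: `if (!isnull(version[1])) vers = version[1];`. The first two hunks of this file (keyword header and whitespace) need no change; the foreach and the if it encloses both start inside this hunk.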


Property changes on: trunk/openvas-plugins/scripts/mantis_detect.nasl
___________________________________________________________________
Name: svn:keywords
   - id
   + Revision


