[Openvas-commits] r11445 - in trunk/openvas-plugins: . scripts
Fri Aug 12 14:44:54 CEST 2011
Author: veerendragg
Date: 2011-08-12 14:44:50 +0200 (Fri, 12 Aug 2011)
New Revision: 11445
Added:
trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_apr11_macosx.nasl
trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_july11_macosx.nasl
trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_mar11_macosx.nasl
trunk/openvas-plugins/scripts/gb_cfingerd_search_cmd_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/gb_finger_remote_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/gb_mozilla_firefox_mult_vuln_win_aug11.nasl
trunk/openvas-plugins/scripts/gb_wordpress_media_library_categories_plugin_sql_inj_vuln.nasl
trunk/openvas-plugins/scripts/gb_wordpress_wpecommerce_plugin_xss_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/secpod_freefloat_post_auth_mult_cmd_bof_vuln.nasl
trunk/openvas-plugins/scripts/secpod_ms11-025.nasl
trunk/openvas-plugins/scripts/secpod_ms11-043.nasl
trunk/openvas-plugins/scripts/smtp_relay2.nasl
Log:
Added new plugins.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/ChangeLog 2011-08-12 12:44:50 UTC (rev 11445)
@@ -1,3 +1,19 @@
+2011-08-12 Veerendra G.G <veerendragg at secpod.com>
+
+ * scripts/secpod_ms11-043.nasl,
+ scripts/smtp_relay2.nasl,
+ scripts/gb_finger_remote_info_disc_vuln.nasl,
+ scripts/gb_wordpress_wpecommerce_plugin_xss_vuln.nasl,
+ scripts/gb_apple_safari_mult_vuln_july11_macosx.nasl,
+ scripts/gb_wordpress_media_library_categories_plugin_sql_inj_vuln.nasl,
+ scripts/gb_cfingerd_search_cmd_info_disc_vuln.nasl,
+ scripts/gb_apple_safari_mult_vuln_mar11_macosx.nasl,
+ scripts/secpod_freefloat_post_auth_mult_cmd_bof_vuln.nasl,
+ scripts/secpod_ms11-025.nasl,
+ scripts/gb_apple_safari_mult_vuln_apr11_macosx.nasl,
+ scripts/gb_mozilla_firefox_mult_vuln_win_aug11.nasl:
+ Added new plugins.
+
2011-08-12 Michael Meyer <michael.meyer at greenbone.net>
* scripts/gb_ntp_sec_bypass_vuln.nasl,
Added: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_apr11_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_apr11_macosx.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_apr11_macosx.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_safari_mult_vuln_apr11_macosx.nasl 16498 2011-08-09 12:12:12Z aug $
+#
+# Apple Safari Multiple Vulnerabilities - April 2011 (Mac OS X)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802234);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-1290", "CVE-2011-1344");
+ script_bugtraq_id(46822, 46849);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Apple Safari Multiple Vulnerabilities - April 2011 (Mac OS X)");
+ desc = "
+ Overview: The host is installed with Apple Safari web browser and is prone
+ to multiple vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are caused due to,
+ - An integer overflow error in WebKit related to CSS 'style handling',
+ nodesets, and a length value.
+ - A use-after-free error within WebKit when handling WBR tags.
+
+ Impact:
+ Successful exploitation will allow attackers to execute arbitrary code in
+ the context of the browser.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Apple Safari versions prior to 5.0.5
+
+ Fix: Upgrade to Apple Safari version 5.0.5 or later,
+ For updates refer, http://www.apple.com/safari/download/
+
+ References:
+ http://support.apple.com/kb/HT4596
+ http://lists.apple.com/archives/security-announce/2011/Apr/msg00002.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Apple Safari");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("macosx_safari_detect.nasl");
+ script_require_keys("AppleSafari/MacOSX/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+safVer = get_kb_item("AppleSafari/MacOSX/Version");
+if(!safVer){
+ exit(0);
+}
+
+## Grep for Apple Safari Versions prior to 5.0.5
+if(version_is_less(version:safVer, test_version:"5.0.5")){
+ security_hole(0);
+}
Added: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_july11_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_july11_macosx.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_july11_macosx.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_safari_mult_vuln_july11_macosx.nasl 16504 2011-08-08 16:32:16Z aug $
+#
+# Apple Safari Multiple Vulnerabilities - July 2011 (Mac OS X)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802233);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2010-1383", "CVE-2010-1420", "CVE-2011-0214", "CVE-2011-0215",
+ "CVE-2011-0216", "CVE-2011-0217", "CVE-2011-0218", "CVE-2011-0219",
+ "CVE-2011-0221", "CVE-2011-0222", "CVE-2011-0223", "CVE-2011-0225",
+ "CVE-2011-0232", "CVE-2011-0233", "CVE-2011-0234", "CVE-2011-0235",
+ "CVE-2011-0237", "CVE-2011-0238", "CVE-2011-0240", "CVE-2011-0241",
+ "CVE-2011-0242", "CVE-2011-0244", "CVE-2011-0253", "CVE-2011-0254",
+ "CVE-2011-0255", "CVE-2011-1288", "CVE-2011-1453", "CVE-2011-1457",
+ "CVE-2011-1462", "CVE-2011-1774", "CVE-2011-1797");
+ script_bugtraq_id(48820, 48823, 48825, 48827, 48828, 48831, 48832, 48833, 48837,
+ 48839, 48840, 48841, 48842, 48843, 48844, 48845, 48846, 48847,
+ 48848, 48849, 48850, 48851, 48852, 48853, 48854, 48855, 48856,
+ 48857, 48858, 48859);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Apple Safari Multiple Vulnerabilities - July 2011 (Mac OS X)");
+ desc = "
+ Overview: The host is installed with Apple Safari web browser and is prone
+ to multiple vulnerabilities.
+
+ Vulnerability Insight:
+ For more details about the vulnerabilities refer the reference section.
+
+ Impact:
+ Successful exploitation may result in information disclosure, remote code
+ execution, denial of service, or other consequences.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Apple Safari versions prior to 5.0.6/5.1
+
+ Fix: Upgrade to Apple Safari version 5.0.6/5.1 or later,
+ For updates refer, http://www.apple.com/safari/download/
+
+ References:
+ http://support.apple.com/kb/HT4808
+ http://lists.apple.com/archives/security-announce/2011//Jul/msg00002.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Apple Safari");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("macosx_safari_detect.nasl");
+ script_require_keys("AppleSafari/MacOSX/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+safVer = get_kb_item("AppleSafari/MacOSX/Version");
+if(!safVer){
+ exit(0);
+}
+
+## Grep for Apple Safari Versions prior to 5.0.6
+if(version_is_less(version:safVer, test_version:"5.0.6")){
+ security_hole(0);
+}
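Review bot: The second reference URL in the description carries a doubled slash, `2011//Jul/msg00002.html`; it should read `http://lists.apple.com/archives/security-announce/2011/Jul/msg00002.html` so it matches the form used by the April and March scripts in this commit. The version logic itself is consistent with the description: `version_is_less(... test_version:"5.0.6")` flags every 5.0.x below the fix while any 5.1.x compares above it, which is what the `5.0.6/5.1` fix line promises.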
Added: trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_mar11_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_mar11_macosx.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_apple_safari_mult_vuln_mar11_macosx.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_safari_mult_vuln_mar11_macosx.nasl 16499 2011-08-09 14:14:14Z aug $
+#
+# Apple Safari Multiple Vulnerabilities - March 2011 (Mac OS X)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802235);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2010-1824", "CVE-2010-4008", "CVE-2010-4494", "CVE-2011-0111",
+ "CVE-2011-0112", "CVE-2011-0113", "CVE-2011-0114", "CVE-2011-0115",
+ "CVE-2011-0116", "CVE-2011-0117", "CVE-2011-0118", "CVE-2011-0119",
+ "CVE-2011-0120", "CVE-2011-0121", "CVE-2011-0122", "CVE-2011-0123",
+ "CVE-2011-0124", "CVE-2011-0125", "CVE-2011-0126", "CVE-2011-0127",
+ "CVE-2011-0128", "CVE-2011-0129", "CVE-2011-0130", "CVE-2011-0131",
+ "CVE-2011-0132", "CVE-2011-0133", "CVE-2011-0134", "CVE-2011-0135",
+ "CVE-2011-0136", "CVE-2011-0137", "CVE-2011-0138", "CVE-2011-0139",
+ "CVE-2011-0140", "CVE-2011-0141", "CVE-2011-0142", "CVE-2011-0143",
+ "CVE-2011-0144", "CVE-2011-0145", "CVE-2011-0146", "CVE-2011-0147",
+ "CVE-2011-0148", "CVE-2011-0149", "CVE-2011-0150", "CVE-2011-0151",
+ "CVE-2011-0152", "CVE-2011-0153", "CVE-2011-0154", "CVE-2011-0155",
+ "CVE-2011-0156", "CVE-2011-0160", "CVE-2011-0161", "CVE-2011-0163",
+ "CVE-2011-0165", "CVE-2011-0166", "CVE-2011-0167", "CVE-2011-0168",
+ "CVE-2011-0169");
+ script_bugtraq_id(44779, 46677, 46684, 46686, 46687, 46688, 46689, 46690, 46691,
+ 46692, 46693, 46694, 46695, 46696, 46698, 46699, 46700, 46701,
+ 46702, 46704, 46705, 46706, 46707, 46708, 46709, 46710, 46711,
+ 46712, 46713, 46714, 46715, 46716, 46717, 46718, 46719, 46720,
+ 46721, 46722, 46723, 46724, 46725, 46726, 46727, 46728, 46744,
+ 46745, 46746, 46747, 46748, 46749, 46808, 46809, 46811, 46814,
+ 46816);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Apple Safari Multiple Vulnerabilities - March 2011 (Mac OS X)");
+ desc = "
+ Overview: The host is installed with Apple Safari web browser and is prone
+ to multiple vulnerabilities.
+
+ Vulnerability Insight:
+ For more details about the vulnerabilities refer the reference section.
+
+ Impact:
+ Successful exploitation will let the attacker to disclose potentially
+ sensitive information, conduct cross-site scripting and spoofing attacks,
+ and compromise a user's system.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Apple Safari versions prior to 5.0.4
+
+ Fix: Upgrade to Apple Safari version 5.0.4 or later,
+ For updates refer, http://www.apple.com/safari/download/
+
+ References:
+ http://support.apple.com/kb/HT4566
+ http://secunia.com/advisories/43696
+ http://lists.apple.com/archives/security-announce/2011/mar/msg00004.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Apple Safari");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("macosx_safari_detect.nasl");
+ script_require_keys("AppleSafari/MacOSX/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+safVer = get_kb_item("AppleSafari/MacOSX/Version");
+if(!safVer){
+ exit(0);
+}
+
+## Grep for Apple Safari Versions prior to 5.0.4
+if(version_is_less(version:safVer, test_version:"5.0.4")){
+ security_hole(0);
+}
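Review bot: The mailing-list reference uses a lowercase month segment, `2011/mar/msg00004.html`, whereas the April and July scripts added in the same commit use `Apr` and `Jul`; if the archive path is case-sensitive the link breaks, so `http://lists.apple.com/archives/security-announce/2011/Mar/msg00004.html` is the safer form. The check itself agrees with the description (`prior to 5.0.4` versus `version_is_less(... test_version:"5.0.4")`).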
Added: trunk/openvas-plugins/scripts/gb_cfingerd_search_cmd_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cfingerd_search_cmd_info_disc_vuln.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_cfingerd_search_cmd_info_disc_vuln.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cfingerd_search_cmd_info_disc_vuln.nasl 16473 2011-08-12 12:20:11Z aug $
+#
+# Cfingerd 'search' Command Information Disclosure Vulnerability
+#
+# Authorsd
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802323);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-1999-0259");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Cfingerd 'search' Command Information Disclosure Vulnerability");
+ desc = "
+ Overview: This host is running Cfingerd service and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw exists due to an error in the finger service which allows to list
+ all usernames on the host via 'search.**' command.
+
+ Impact:
+ Successful exploitation will let the attacker to obtain sensitive information
+ that could aid in further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Cfingerd version 1.2.2
+
+ Fix: Upgrade to Cfingerd version 1.2.3 or later
+ For updates refer, http://www.infodrom.org/projects/cfingerd/finger.php
+
+ References:
+ http://osvdb.org/show/osvdb/32
+ http://xforce.iss.net/xforce/xfdb/1811
+ http://archives.neohapsis.com/archives/bugtraq/1997_2/0328.html ";
+
+ script_description(desc);
+ script_summary("Determine if Cfinger is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Finger abuses");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/finger", 79);
+ exit(0);
+}
+
+
+## Get Finger Port
+port = get_kb_item("Services/finger");
+if(!port){
+ port = 79;
+}
+
+## Check Port Status
+if(! get_port_state(port)){
+ exit(0);
+}
+
+## Open TCP Socket
+soc = open_sock_tcp(port);
+if(! soc){
+ exit(0);
+}
+
+## Confirm Finger
+banner = recv(socket:soc, length:2048, timeout:5);
+if(banner) {
+ exit(0);
+}
+
+## Send And Receive The Response
+send(socket: soc, data: string("search.**\r\n"));
+fingRes = recv(socket:soc, length:2048);
+close(soc);
+
+## Confirm Vulnerability
+if("Finger" >< fingRes && "Username" >< fingRes && "root" >< fingRes){
+ security_warning(port);
+}
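Review bot: The socket opened by `open_sock_tcp` is left open when the banner check exits early, and the second `recv` on the `search.**` reply has no timeout and reads at most 2048 bytes, so a daemon that answers slowly or with a listing longer than that is missed. Closing before leaving, `if(banner) { close(soc); exit(0); }`, and giving the second read the same `timeout:5` as the first would make the probe behave consistently. The final match on `Finger`, `Username` and `root` presumably relies on cfingerd's default listing header; a customized header would not match, and the comment above the check should say so, e.g. `## Matches cfingerd's default listing header; customized headers are not detected`. The `# Authorsd` header line is also a typo for `# Authors:`.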
Added: trunk/openvas-plugins/scripts/gb_finger_remote_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_finger_remote_info_disc_vuln.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_finger_remote_info_disc_vuln.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_finger_remote_info_disc_vuln.nasl 16467 2011-08-11 11:11:11Z aug $
+#
+# Finger Service Remote Information Disclosure Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802236);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-1999-0612");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Finger Service Remote Information Disclosure Vulnerability");
+ desc = "
+ Overview: This host is running Finger service and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw exists due to finger service exposes valid user information to any
+ entity on the network.
+
+ Impact:
+ Successful exploitation will let the attacker to obtain sensitive information
+ that could aid in further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ GNU Finger.
+
+ Fix: Disable finger service, or install a finger service or daemon that
+ limits the type of information provided.
+
+ References:
+ http://osvdb.org/show/osvdb/11451
+ http://xforce.iss.net/xforce/xfdb/46
+ http://www.iss.net/security_center/reference/vuln/finger-running.htm ";
+
+ script_description(desc);
+ script_summary("Determine if Finger is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Finger abuses");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/finger", 79);
+ exit(0);
+}
+
+
+## Get Finger Port
+port = get_kb_item("Services/finger");
+if(!port){
+ port = 79;
+}
+
+## Check Port Status
+if(! get_port_state(port)){
+ exit(0);
+}
+
+## Open TCP Socket
+soc = open_sock_tcp(port);
+if(! soc){
+ exit(0);
+}
+
+## Confirm Finger
+banner = recv(socket:soc, length:2048, timeout:5);
+if(banner) {
+ exit(0);
+}
+
+## Send And Receive The Response
+send(socket: soc, data: string("root\r\n"));
+res = recv(socket:soc, length:2048);
+close(soc);
+
+## Confirm Vulnerability
+if("Login" >< res || "User" >< res || "logged" >< res){
+ security_warning(port);
+}
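Review bot: The description's Affected line names `GNU Finger`, but the probe below is daemon-agnostic: it sends `root` to whatever answers on the finger port and flags any reply containing `Login`, `User` or `logged`, which is what CVE-1999-0612 describes. Rewording it to `Any finger daemon that returns user information for remote queries.` keeps the report consistent with what the check actually verifies. Querying only `root` also means a daemon that suppresses system accounts but answers for ordinary users is reported as not affected; a comment such as `## Only the root account is queried; daemons that hide system accounts are not detected` would warn the next maintainer. As in the cfingerd script, `soc` is not closed on the early `exit(0)` after the banner read.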
Added: trunk/openvas-plugins/scripts/gb_mozilla_firefox_mult_vuln_win_aug11.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_firefox_mult_vuln_win_aug11.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_mozilla_firefox_mult_vuln_win_aug11.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_firefox_mult_vuln_win_aug11.nasl 16645 2011-08-11 17:11:11Z aug $
+#
+# Mozilla Firefox Multiple Vulnerabilities August-11 (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802138);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2008-7293");
+ script_tag(name:"cvss_base", value:"5.8");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Mozilla Firefox Multiple Vulnerabilities August-11 (Windows)");
+ desc = "
+ Overview:
+ The host is installed with Mozilla Firefox and is prone to multiple
+ vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are caused due to, not properly restricting modifications to
+ cookies established in HTTPS sessions.
+
+ Impact:
+ Successful exploitation allows remote attackers to overwrite or delete
+ arbitrary cookies via a Set-Cookie header in an HTTP response, which results
+ into cross site scripting, cross site request forgery and denial of service
+ attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Mozilla Firefox versions before 4.0
+
+ Fix:
+ Upgrade to Firefox version 4.0 or later
+ http://www.mozilla.com/en-US/firefox/all.html
+
+ References:
+ http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
+ http://scarybeastsecurity.blogspot.com/2011/02/some-less-obvious-benefits-of-hsts.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Mozilla Firefox");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("gb_firefox_detect_win.nasl");
+ script_require_keys("Firefox/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+ ## Grep for Firefox versions before 4.0
+ if(version_is_less(version:ffVer, test_version:"4.0")){
+ security_hole(0);
+ }
+}
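Review bot: `risk_factor` is set to `High` for a `cvss_base` of 5.8, while the other scripts in this commit map 5.0 and 4.3 to `Medium` and reserve `High` for 7.5; on the conventional 4.0–6.9 = Medium band this line should read `script_tag(name:"risk_factor", value:"Medium");`. The title and insight text also say "Multiple Vulnerabilities" although only one CVE, CVE-2008-7293 (the cookie-forcing issue), is listed, so a reader will look for issues that are not there. This is also the only script in the commit that gets `svn:executable` set in the property change that follows; NASL scripts are loaded by the scanner rather than executed directly, so the bit looks unintended, though that is inferred from the property diff alone.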
Property changes on: trunk/openvas-plugins/scripts/gb_mozilla_firefox_mult_vuln_win_aug11.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_wordpress_media_library_categories_plugin_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wordpress_media_library_categories_plugin_sql_inj_vuln.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_wordpress_media_library_categories_plugin_sql_inj_vuln.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_wordpress_media_library_categories_plugin_sql_inj_vuln.nasl 16589 2011-08-11 14:15:15Z aug $
+#
+# WordPress Media Library Categories Plugin 'termid' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802322);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(49062);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("WordPress Media Library Categories Plugin 'termid' Parameter SQL Injection Vulnerability");
+ desc = "
+ Overview: This host is installed with WordPress Media Library Categories
+ plugin and is prone to sql injection vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to improper validation of user-supplied input passed
+ via the 'termid' parameter to '/wp-content/plugins/media-library-categories
+ /sort.php', which allows attackers to manipulate SQL queries by injecting
+ arbitrary SQL code.
+
+ Impact:
+ Successful exploitation will let the attacker to perform SQL Injection attack
+ and gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ WordPress Media Library Categories plugin version 1.0.6 and prior.
+
+ Fix: Upgrade to WordPress Media Library Categories plugin version 1.0.7 or later
+ For updates refer, http://wordpress.org/extend/plugins/media-library-categories/
+
+ References:
+ http://osvdb.org/74381
+ http://secunia.com/advisories/45534
+ http://www.exploit-db.com/exploits/17628/
+ http://packetstormsecurity.org/files/view/103756/medialibrarycategories-sql.txt ";
+
+ script_description(desc);
+ script_summary("Check if WordPress Media Library Categories plugin is vulnerable to SQL Injection");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("secpod_wordpress_detect_900182.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+ exit(0);
+}
+
+## Get WordPress Installed Location
+if(!dir = get_dir_from_kb(port:port, app:"WordPress")){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/wp-content/plugins/media-library-categories/sort.php?termid=-1" +
+ "%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a65637" +
+ "4696f6e2d54657374,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL," +
+ "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL," +
+ "NULL,NULL--";
+
+## Try attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:port, url:url, pattern:"OpenVAS-SQL-Injection-Test")){
+ security_hole(port);
+}
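Review bot: The hit depends on the injected `UNION ALL SELECT` having exactly 24 columns (the hex literal plus 23 `NULL`s) and on a MySQL backend that accepts `0x...` string literals; a plugin build whose `sort.php` query selects a different number of columns makes the UNION fail with a SQL error and the script reports nothing, so a miss here is not evidence that the plugin is patched. That assumption deserves a comment above the `url` construction, e.g. `## 24-column UNION matching the plugin's sort.php query; a column-count mismatch errors out and is reported as not vulnerable`. The hex literal decodes to `OpenVAS-SQL-Injection-Test`, which is the string `http_vuln_check` looks for, so the marker only appears if the database actually evaluated it; stating that next to the pattern would save the next reader the decoding. `version_func.inc` is included but nothing from it is used.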
Added: trunk/openvas-plugins/scripts/gb_wordpress_wpecommerce_plugin_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wordpress_wpecommerce_plugin_xss_vuln.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/gb_wordpress_wpecommerce_plugin_xss_vuln.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_wordpress_wpecommerce_plugin_xss_vuln.nasl 16570 2011-08-11 11:15:15Z aug $
+#
+# WordPress WP e-Commerce Plugin 'cart_messages' Parameter Cross-site Scripting Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802321);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(49009);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("WordPress WP e-Commerce Plugin 'cart_messages' Parameter Cross-site Scripting Vulnerability");
+ desc = "
+ Overview: This host is installed with WordPress WP e-Commerce plugin and is
+ prone to cross-site scripting vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to improper validation of user-supplied input passed
+ via the 'cart_messages[]' parameter to '/wp-content/plugins/wp-e-commerce
+ /wpsc-theme/wpsc-cart_widget.php', which allows attacker to execute
+ arbitrary HTML and script code on the user's browser session in the security
+ context of an affected site.
+
+ Impact:
+ Successful exploitation will let the attacker to insert arbitrary HTML and
+ script code, which will be executed in a user's browser session in the
+ context of an affected site when the malicious data is being viewed.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ WordPress WP e-Commerce Plugin version 3.8.6 and prior.
+
+ Fix: No solution or patch is available as on 11th August, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://wordpress.org/extend/plugins/wp-e-commerce/
+
+ References:
+ http://secunia.com/advisories/45513/
+ http://www.securityfocus.com/archive/1/519149
+ http://www.htbridge.ch/advisory/xss_in_wp_e_commerce.html
+ http://packetstormsecurity.org/files/view/103724/wpecommerce-xss.txt ";
+
+ script_description(desc);
+ script_summary("Check if WordPress WP e-Commerce plugin is vulnerable to Cross-Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("secpod_wordpress_detect_900182.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+ exit(0);
+}
+
+## Get WordPress Installed Location
+if(!dir = get_dir_from_kb(port:port, app:"WordPress")){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/wp-content/plugins/wp-e-commerce/wpsc-theme/wpsc-cart_widget.php?" +
+ "cart_messages[]=<script>alert(document.cookie);</script>";
+
+## Try attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:port, url:url,
+ pattern:"<script>alert\(document.cookie\);</script>")){
+ security_warning(port);
+}
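Review bot: The payload in `url` embeds `<`, `>`, `(` and `;` unencoded in the query string; a server or WAF that rejects raw angle brackets in the request line answers with an error and the reflection test silently reports nothing, whereas sending the URL-encoded form `cart_messages[]=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E` while keeping the same decoded `pattern` tests the same thing and survives that filtering. Nothing in the script confirms the plugin is installed before the request, so unless `http_vuln_check` restricts on the status code (not visible here), a 404 handler that echoes the request unescaped would also match the pattern; a prior existence check for `wpsc-cart_widget.php` or an explicit status check would tighten it. `version_func.inc` is included but unused.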
Modified: trunk/openvas-plugins/scripts/secpod_freefloat_post_auth_mult_cmd_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_freefloat_post_auth_mult_cmd_bof_vuln.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/secpod_freefloat_post_auth_mult_cmd_bof_vuln.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -7,6 +7,9 @@
# Authors:
# Veerendra G.G <veerendragg at secpod.com>
#
+# Updated By : Veerendra G.G <veerendragg at secpod.com> on 2011-08-09
+# Updated Reference section and code to handle other vulnerable commands.
+#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
@@ -27,7 +30,7 @@
if(description)
{
script_id(900292);
- script_version("$Revision$: 1.0");
+ script_version("$Revision$: 1.1");
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"risk_factor", value:"High");
script_name("Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities");
@@ -55,9 +58,12 @@
http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
References:
+ http://secpod.org/blog/?p=310
http://www.exploit-db.com/exploits/17550
http://packetstormsecurity.org/files/view/103166
http://packetstormsecurity.org/files/view/103162
+ http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
+ http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
";
@@ -116,7 +122,9 @@
exit(0);
}
-vuln_cmds = make_list('ACCL', 'AUTH', 'APPE', 'ALLO', 'ACCT');
+vuln_cmds = make_list('ACCL', 'AUTH', 'APPE', 'ALLO', 'ACCT', 'DELE',
+ 'MDTM', 'RETR', 'RMD', 'STAT', 'SIZE', 'STOR',
+ 'RNTO', 'RNFR', 'STOU');
foreach cmd (vuln_cmds)
{
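Review bot: The extended `vuln_cmds` list now includes commands that modify server state once a login succeeded (`DELE`, `STOR`, `STOU`, `RMD`, `RNFR`/`RNTO`), and nothing near the list records why issuing them is considered safe for the scanned host; the foreach body that sends each command starts after the hunk, so whether the argument is rejected before the command can take effect cannot be confirmed here. A comment above the list would make that intent reviewable, e.g. `## Commands reported as overflowable in the SECPOD advisory; each is sent only with the malformed argument and is not expected to complete`, worded to match what the loop actually does. `ACCL` is not an RFC 959 command; if it is a typo for `ACCT` (already in the list) it should be dropped, and if it is product-specific a short comment saying so would help the next maintainer.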
Modified: trunk/openvas-plugins/scripts/secpod_ms11-025.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-025.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/secpod_ms11-025.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -7,6 +7,10 @@
# Authors:
# Veerendra GG <veerendragg at secpod.com>
#
+# Updated by: Antu Sanadi <santu at secpod.com> on 2011-08-11
+# - Updated the file version check according to Bulletin
+# revision V3.0 (June 14, 2011) and V4.0 (August 9, 2011)
+#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
@@ -27,7 +31,7 @@
if(description)
{
script_id(900285);
- script_version("$Revision:1.0$");
+ script_version("$Revision: 1.1$");
script_bugtraq_id(42811);
script_cve_id("CVE-2010-3190");
script_tag(name:"cvss_base", value:"9.3");
@@ -44,8 +48,8 @@
loading external libraries.
Impact:
- Successful exploitation will let the attacker execute arbitrary code which may
- result in memory corruption on the affected system.
+ Successful exploitation will let the attacker execute arbitrary code which
+ may result in memory corruption on the affected system.
Impact Level: System/Application
@@ -62,8 +66,9 @@
References:
http://secunia.com/advisories/41212
+ http://support.microsoft.com/kb/2565057
http://www.microsoft.com/technet/security/Bulletin/MS11-025.mspx ";
-
+
script_description(desc);
script_summary("Check for the vulnerable Visual Studio and dll file version");
script_category(ACT_GATHER_INFO);
@@ -83,8 +88,8 @@
include("secpod_smb_func.inc");
## MS11-025 Hotfix check
-if((hotfix_missing(name:"2465367") == 0)||(hotfix_missing(name:"2465361") == 0)
- || (hotfix_missing(name:"2455033") == 0)) {
+if((hotfix_missing(name:"2538218") == 0)||(hotfix_missing(name:"2538241") == 0) ||
+ (hotfix_missing(name:"2542054") == 0)||(hotfix_missing(name:"2565057") == 0)){
exit(0);
}
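Review bot: The early exit in the new `if` fires when any one of the four KBs is reported installed, so a host carrying two Visual Studio releases where only one has the re-released fix is reported clean and the ATL file-version checks further down never run. If each KB number corresponds to one Visual Studio release, the check should either require the KB that matches the installed product or be dropped in favour of the version comparison alone, which already distinguishes the releases. At minimum a comment such as `## Any one re-released hotfix present -> treated as patched; tighten if several VS versions coexist` would make the trade-off visible.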
@@ -103,8 +108,8 @@
studioPath = registry_get_sz(key:"SOFTWARE\Microsoft\VisualStudio\9.0",
item:"InstallDir");
if(studioPath){
- atlPath = studioPath - "\Common7\IDE"+"VC\redist\x86\Microsoft.VC90.ATL"+
- "\atl90.dll";
+ atlPath = studioPath - "\Common7\IDE" + "VC\redist\x86" +
+ "\Microsoft.VC90.ATL" + "\atl90.dll";
}
else
{
@@ -123,15 +128,16 @@
share = ereg_replace(pattern:"([A-Za-z]):.*", replace:"\1$", string:atlPath);
file = ereg_replace(pattern:"[A-Za-z]:(.*)", replace:"\1", string:atlPath);
atlVer = GetVer(file:file, share:share);
-
if(atlVer != NULL)
{
- ## Check for Visual Studio 2005 version 8.0 < 8.0.50727.5592,
- ## Visual Studio 2008 SP1 version 9.0 < 9.0.30729.5570 and
- ## Visual Studio 2010 version 10.0 < 10.0.30319.415
- if(version_in_range(version:atlVer, test_version:"8.0", test_version2:"8.0.50727.5591") ||
- version_in_range(version:atlVer, test_version:"9.0", test_version2:"9.0.30729.5569") ||
- version_in_range(version:atlVer, test_version:"10.0",test_version2:"10.0.30319.414"))
+ ## Check for Visual Studio 2005 version 8.0 < 8.0.50727.6195
+ ## Visual Studio 2008 SP1 version 9.0 < 9.0.30729.6161 and
+ ## Visual Studio 2010 version 10.0 < 10.0.30319.460
+ ## Visual Studio 2010 SP1 10 < 10.0.40219.325
+ if(version_in_range(version:atlVer, test_version:"8.0", test_version2:"8.0.50727.6194") ||
+ version_in_range(version:atlVer, test_version:"9.0", test_version2:"9.0.30729.6160") ||
+ version_in_range(version:atlVer, test_version:"10.0.30000.000",test_version2:"10.0.30319.459") ||
+ version_in_range(version:atlVer, test_version:"10.0.40000.000",test_version2:"10.0.40219.324"))
{
security_hole(0);
exit(0);
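Review bot: The new comment line `## Visual Studio 2010 SP1 10 < 10.0.40219.325` is inconsistent with the three above it; `## Visual Studio 2010 SP1 version 10.0 < 10.0.40219.325` keeps the same shape so the four lines read as one table. Splitting the 10.0 branch into `10.0.30000.000`–`10.0.30319.459` and `10.0.40000.000`–`10.0.40219.324` leaves builds below 10.0.30000 and between 10.0.30319.460 and 10.0.39999 unflagged; if no shipped ATL build falls in those gaps that is fine, but a one-line comment stating that assumption would help whoever updates the ranges next. The enclosing `if(atlVer != NULL)` block closes outside the hunk.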
Modified: trunk/openvas-plugins/scripts/secpod_ms11-043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-043.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/secpod_ms11-043.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -7,6 +7,10 @@
# Authors:
# Veerendra GG <veerendragg at secpod.com>
#
+# Updated By: Antu Sanadi <santu at secpod.com> on 2011-08-11
+# - Updated the version check according to the bulletin
+# release V2.0 (August 9, 2011)
+#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
@@ -27,7 +31,7 @@
if(description)
{
script_id(900287);
- script_version("$Revision$:1.0");
+ script_version("$Revision$:1.1");
script_bugtraq_id(48184);
script_cve_id("CVE-2011-1268");
script_tag(name:"cvss_base", value:"10.0");
@@ -42,8 +46,8 @@
validate specially crafted SMB responses.
Impact:
- Successful exploitation could allow remote attacker to execute arbitrary
- code by creating a specially crafted SMB responses.
+ Successful exploitation could allow remote attacker to execute arbitrary code
+ by creating a specially crafted SMB responses.
Impact Level: System
@@ -109,8 +113,8 @@
SP = get_kb_item("SMB/WinXP/ServicePack");
if("Service Pack 3" >< SP)
{
- ## Check for Mrxsmb.sys version < 5.1.2600.6108
- if(version_is_less(version:sysVer, test_version:"5.1.2600.6108")){
+ ## Check for Mrxsmb.sys version < 5.1.2600.6133
+ if(version_is_less(version:sysVer, test_version:"5.1.2600.6133")){
security_hole(0);
}
exit(0);
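Review bot: The updated threshold 5.1.2600.6133 appears twice in the hunk, once in the comment and once in the `test_version` argument, and the same duplication recurs in the Windows 2003 hunk below (5.2.3790.4883); both copies had to be edited in step in this commit. Holding the value once, e.g. `xpSp3Fixed = "5.1.2600.6133";` followed by `if(version_is_less(version:sysVer, test_version:xpSp3Fixed)){`, with the comment naming the bulletin revision the value comes from rather than restating the number, removes that hazard. The `if("Service Pack 3" >< SP)` block and its enclosing OS branch start outside the hunk.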
@@ -124,8 +128,8 @@
SP = get_kb_item("SMB/Win2003/ServicePack");
if("Service Pack 2" >< SP)
{
- ## Check for Mrxsmb.sys version < 5.2.3790.4861
- if(version_is_less(version:sysVer, test_version:"5.2.3790.4861")){
+ ## Check for Mrxsmb.sys version < 5.2.3790.4883
+ if(version_is_less(version:sysVer, test_version:"5.2.3790.4883")){
security_hole(0);
}
exit(0);
Modified: trunk/openvas-plugins/scripts/smtp_relay2.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smtp_relay2.nasl 2011-08-12 10:24:32 UTC (rev 11444)
+++ trunk/openvas-plugins/scripts/smtp_relay2.nasl 2011-08-12 12:44:50 UTC (rev 11445)
@@ -38,28 +38,29 @@
{
script_id(11852);
script_version ("$Revision$");
+ script_cve_id("CVE-1999-0512");
script_tag(name:"risk_factor", value:"Medium");
name = "Mail relaying (thorough test)";
script_name(name);
-
+
desc = "
The remote SMTP server appears to be insufficiently protected against relaying
-This means that spammers might be able to use your mail server
+This means that spammers might be able to use your mail server
to send their mails to the world.
Risk factor : Medium
-Solution : upgrade your software or improve the configuration so that
+Solution : upgrade your software or improve the configuration so that
your SMTP server cannot be used as a relay any more.";
script_description(desc);
- summary = "Tries misc invalid tricks to circumvent anti-relay functions";
+ summary = "Tries misc invalid tricks to circumvent anti-relay functions";
script_summary(summary);
-
+
script_category(ACT_GATHER_INFO);
-
+
script_copyright("This script is Copyright (C) 2003 Michel Arboi");
-
+
family = "SMTP problems";
script_family(family);
script_dependencie("smtpserver_detect.nasl", "sendmail_expn.nasl",
@@ -93,7 +94,7 @@
soc = smtp_open(port: port, helo: NULL);
if (! soc) exit(0);
-
+
dest_name = get_host_name();
dest_ip = get_host_ip();
dest_name = get_host_name();
@@ -180,7 +181,7 @@
rep = strcat(rep, '\t', mf, '\n\t', rt, '\n\n');
break;
}
-
+
smtp_close(socket: soc);
soc = smtp_open(port: port, helo: NULL);
}
@@ -190,12 +191,12 @@
{
report = strcat("
The remote SMTP server is insufficiently protected against relaying
-This means that spammers might be able to use your mail server
+This means that spammers might be able to use your mail server
to send their mails to the world.
OpenVAS was able to relay mails by sending those sequences:
-",
+",
rep, "Risk factor : Medium
Solution : upgrade your software or improve the configuration so that