[Openvas-commits] r12115 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Nov 15 14:00:19 CET 2011


Author: mime
Date: 2011-11-15 14:00:13 +0100 (Tue, 15 Nov 2011)
New Revision: 12115

Added:
   trunk/openvas-plugins/scripts/gb_apache_50639.nasl
   trunk/openvas-plugins/scripts/gb_cacti_50671.nasl
   trunk/openvas-plugins/scripts/gb_cms_made_simple_50659.nasl
   trunk/openvas-plugins/scripts/gb_labwiki_50608.nasl
   trunk/openvas-plugins/scripts/gb_proftpd_50631.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_apache_etag_6939.nasl
   trunk/openvas-plugins/scripts/gb_dell_kace_2000_backdoor.nasl
Log:
Added new plugins. Added BID and CVSS. Added CVE and CVSS.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/ChangeLog	2011-11-15 13:00:13 UTC (rev 12115)
@@ -1,3 +1,18 @@
+2011-11-15  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/gb_labwiki_50608.nasl,
+	scripts/gb_proftpd_50631.nasl,
+	scripts/gb_cms_made_simple_50659.nasl,
+	scripts/gb_apache_50639.nasl,
+	scripts/gb_cacti_50671.nasl:
+	Added new plugins.
+
+	* scripts/gb_dell_kace_2000_backdoor.nasl:
+	Added BID and CVSS.
+
+	* scripts/gb_apache_etag_6939.nasl:
+	Added CVE and CVSS.
+
 2011-11-11  Antu Sanadi <santu at secpod.com>
 
 	* scripts/gb_ms_fraudulent_digital_cert_spoofing_vuln.nasl:

Added: trunk/openvas-plugins/scripts/gb_apache_50639.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apache_50639.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_apache_50639.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Apache HTTP Server 'ap_pregsub()' Function Local Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103333);
+ script_bugtraq_id(50639);
+ script_cve_id("CVE-2011-4415");
+ script_tag(name:"cvss_base", value:"1.2");
+ script_version ("$Revision$");
+
+ script_name("Apache HTTP Server 'ap_pregsub()' Function Local Denial of Service Vulnerability");
+
+desc = "Overview:
+Apache HTTP Server is prone to a local denial-of-service
+vulnerability because of a NULL-pointer dereference error or a
+memory exhaustion.
+
+Local attackers can exploit this issue to trigger a NULL-pointer
+dereference or memory exhaustion, and cause a server crash, denying
+service to legitimate users.
+
+Note: To trigger this issue, 'mod_setenvif' must be enabled and the
+      attacker should be able to place a malicious '.htaccess' file on
+      the affected webserver.
+
+Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21 are
+vulnerable. Other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/50639
+http://httpd.apache.org/
+http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
+http://www.gossamer-threads.com/lists/apache/dev/403775";
+
+ script_tag(name:"risk_factor", value:"Low");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-15 12:33:51 +0100 (Tue, 15 Nov 2011)");
+ script_description(desc);
+ script_summary("Determine if installed Apache version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("http_version.nasl", "secpod_apache_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+include("global_settings.inc");
+
+if ( report_paranoia < 2 ) exit(0); # this nvt is prone to FP
+
+httpdPort = get_http_port(default:80);
+if(!httpdPort){
+    exit(0);
+}
+
+version = get_kb_item("www/" + httpdPort + "/Apache");
+
+if(version != NULL){
+
+  if(version_in_range(version:version, test_version:"2.0",test_version2:"2.0.64") ||
+     version_in_range(version:version, test_version:"2.2",test_version2:"2.2.21")) {
+       security_note(port:httpdPort);
+       exit(0);
+  }
+
+}
+
+exit(0);
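Review bot: The description text assigned at `desc = "Overview:` has no Solution section, unlike gb_cacti_50671.nasl and gb_cms_made_simple_50659.nasl added in this same commit, so a positive finding gives the operator no remediation pointer; add a `Solution:` block before `References:`, e.g. `Solution:` / `Updates are available. Please see the references for more details.`, or name the fixed release if one is known. The version gate also tests `if(version != NULL){` while gb_proftpd_50631.nasl in this commit uses `if(!isnull(version))`; using `isnull()` here keeps the two new version checks consistent. Note that the check is purely version based and cannot see whether mod_setenvif is loaded, which the description itself names as a precondition — the `report_paranoia < 2` gate covers that, and a short comment saying so next to `# this nvt is prone to FP` would make the reason explicit.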


Property changes on: trunk/openvas-plugins/scripts/gb_apache_50639.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Modified: trunk/openvas-plugins/scripts/gb_apache_etag_6939.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apache_etag_6939.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_apache_etag_6939.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -60,6 +60,8 @@
  script_tag(name:"last_modification", value:"$Date$");
  script_tag(name:"creation_date", value:"2011-03-21 17:38:45 +0100 (Mon, 21 Mar 2011)");
  script_bugtraq_id(6939);
+ script_cve_id("CVE-2003-1418");
+ script_tag(name:"cvss_base", value:"4.3");
 
  script_name("Apache Web Server ETag Header Information Disclosure Weakness");
 

Added: trunk/openvas-plugins/scripts/gb_cacti_50671.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cacti_50671.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_cacti_50671.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Cacti Unspecified SQL Injection and Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103319);
+ script_bugtraq_id(50671);
+ script_version ("$Revision$");
+
+ script_name("Cacti Unspecified SQL Injection and Cross Site Scripting Vulnerabilities");
+
+desc = "Overview:
+Cacti is prone to an SQL-injection vulnerability and a cross-site
+scripting vulnerability because it fails to sufficiently sanitize user-
+supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-
+based authentication credentials, compromise the application,
+access or modify data, or exploit latent vulnerabilities in the
+underlying database.
+
+Cacti 0.8.7g is vulnerable; other versions may also be affected.
+
+Solution:
+The vendor has released fixes. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/50671
+http://cacti.net/
+http://www.cacti.net/release_notes_0_8_7h.php";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-15 08:09:39 +0100 (Tue, 15 Nov 2011)");
+ script_description(desc);
+ script_summary("Determine if installed Cacti version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("cacti_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(vers = get_version_from_kb(port:port,app:"cacti")) {
+
+  if(version_is_less(version: vers, test_version: "0.8.7h")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
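Review bot: No `cvss_base` tag is set in the description block (between `script_bugtraq_id(50671);` and `script_version`), even though this commit adds CVSS scores to gb_apache_50639.nasl and to the two modified plugins, so the Medium risk_factor here carries no numeric score. The same gap exists in gb_cms_made_simple_50659.nasl, gb_labwiki_50608.nasl and gb_proftpd_50631.nasl. Add `script_tag(name:"cvss_base", value:"<SCORE>");` with the real value once it is known (placeholder shown). There is also no `script_cve_id` call; if an identifier exists for the 0.8.7h fixes it belongs there so the finding can be correlated.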


Property changes on: trunk/openvas-plugins/scripts/gb_cacti_50671.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Added: trunk/openvas-plugins/scripts/gb_cms_made_simple_50659.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cms_made_simple_50659.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_cms_made_simple_50659.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# CMS Made Simple Remote Database Corruption Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103332);
+ script_bugtraq_id(50659);
+ script_version ("$Revision$");
+
+ script_name("CMS Made Simple Remote Database Corruption Vulnerability");
+
+desc = "Overview:
+CMS Made Simple is prone to a vulnerability that could result in the
+corruption of the database.
+
+An attacker can exploit this vulnerability to corrupt the database.
+
+Versions prior to CMS Made Simple 1.9.4.3 are vulnerable.
+
+Solution:
+Updates are available. Please see the references for more details.
+
+References:
+http://www.securityfocus.com/bid/50659
+http://www.cmsmadesimple.org/2011/08/Announcing-CMSMS-1-9-4-3---Security-Release/
+http://www.cmsmadesimple.org/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-15 11:29:14 +0100 (Tue, 15 Nov 2011)");
+ script_description(desc);
+ script_summary("Determine if installed CMS Made Simple is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("cms_made_simple_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if (!can_host_php(port:port)) exit(0);
+
+if(vers = get_version_from_kb(port:port,app:"cms_made_simple")) {
+
+  if(version_is_less(version: vers, test_version: "1.9.4.3")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
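Review bot: `include("host_details.inc");` is pulled in but nothing in the file uses it — the version comes from `get_version_from_kb`, and the otherwise identical flow in gb_cacti_50671.nasl gets by with http_func.inc, http_keepalive.inc and version_func.inc only. Drop the include, or add a comment stating what it is reserved for if a follow-up will register detections through it. The overview text also repeats itself (`is prone to a vulnerability that could result in the corruption of the database.` followed by `An attacker can exploit this vulnerability to corrupt the database.`); the second sentence adds nothing and can go.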


Property changes on: trunk/openvas-plugins/scripts/gb_cms_made_simple_50659.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Modified: trunk/openvas-plugins/scripts/gb_dell_kace_2000_backdoor.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_dell_kace_2000_backdoor.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_dell_kace_2000_backdoor.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -28,6 +28,8 @@
 {
  script_id(103318);
  script_cve_id("CVE-2011-4046");
+ script_bugtraq_id(50605);
+ script_tag(name:"cvss_base", value:"6.5");
  script_version ("$Revision$");
 
  script_name("Dell KACE K2000 Backdoor");

Added: trunk/openvas-plugins/scripts/gb_labwiki_50608.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_labwiki_50608.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_labwiki_50608.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# LabWiki Multiple Cross Site Scripting And Arbitrary File Upload Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103330);
+ script_bugtraq_id(50608);
+ script_version ("$Revision$");
+
+ script_name("LabWiki Multiple Cross Site Scripting And Arbitrary File Upload Vulnerabilities");
+
+desc = "Overview:
+LabWiki is prone to multiple cross-site scripting and arbitrary file
+upload vulnerabilities because the software fails to sufficiently
+sanitize user-supplied input
+
+An attacker may leverage these issues to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site and to upload arbitrary files and execute arbitrary code with
+administrative privileges. This may allow the attacker to steal cookie-
+based authentication credentials and to launch other attacks.
+
+LabWiki 1.1 and prior are vulnerable.
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/50608
+http://www.bioinformatics.org/phplabware/labwiki/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-15 09:50:33 +0100 (Tue, 15 Nov 2011)");
+ script_description(desc);
+ script_summary("Determine if installed LabWiki is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/LabWiki","/labwiki","/wiki",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir,'/index.php?from=";></><script>alert(/openvas-xss-test/)</script>&help=true&page=What_is_wiki'); 
+
+  if(http_vuln_check(port:port, url:url,pattern:"<script>alert\(/openvas-xss-test/\)</script>",check_header:TRUE)) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
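Review bot: The check reports LabWiki whenever the reflected marker comes back from `index.php` under `/LabWiki`, `/labwiki`, `/wiki` or any cgi_dirs() entry, with no confirmation that the responding application is LabWiki, so any other application at `/wiki` that reflects `from=` will be reported under this plugin's name and BID. Consider first matching a LabWiki-specific string from the response (placeholder: `pattern:"<LABWIKI_MARKER>"`) or at least dropping the generic `/wiki` from the `make_list` call. `include("host_details.inc");` and `include("global_settings.inc");` are loaded but nothing from them is used. The whitespace-only lines after the includes and inside the `foreach` body, and the trailing blank line at the end of the file, should be removed.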


Property changes on: trunk/openvas-plugins/scripts/gb_labwiki_50608.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Added: trunk/openvas-plugins/scripts/gb_proftpd_50631.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_proftpd_50631.nasl	2011-11-14 17:54:07 UTC (rev 12114)
+++ trunk/openvas-plugins/scripts/gb_proftpd_50631.nasl	2011-11-15 13:00:13 UTC (rev 12115)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103331);
+ script_bugtraq_id(50631);
+ script_version ("$Revision$");
+
+ script_name("ProFTPD Prior To 1.3.3g Use-After-Free Remote Code Execution Vulnerability");
+
+desc = "Overview:
+ProFTPD is prone to a remote code-execution vulnerability.
+
+Successful exploits will allow attackers to execute arbitrary code
+within the context of the application. Failed exploit attempts will
+result in a denial-of-service condition.
+
+ProFTPD prior to 1.3.3g are vulnerable.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/50631
+http://bugs.proftpd.org/show_bug.cgi?id=3711
+http://www.proftpd.org
+http://www.zerodayinitiative.com/advisories/ZDI-11-328/";
+
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-15 10:15:56 +0100 (Tue, 15 Nov 2011)");
+ script_description(desc);
+ script_summary("Determine if ProFTPD version is vulnerable");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("secpod_proftpd_server_remote_detect.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("version_func.inc");
+include("global_settings.inc");
+
+if ( report_paranoia < 2 ) exit(0); # this nvt is prone to FP.
+
+## Get FTP Port
+port = get_kb_item("Services/ftp");
+if(!port){
+    port = 21;
+}
+
+if(!get_port_state(port)){
+    exit(0);
+}
+
+## Get Version from KB
+version = get_kb_item("ProFTPD/Ver");
+if(!isnull(version))
+{
+    ## Check for ProFTPD versions prior to 1.3.2rc3
+    if(version_is_less(version:version,  test_version:"1.3.3g")){
+          security_hole(port);
+	  exit(0);
+    }
+}
+
+exit(0);
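Review bot: The comment above the version test, `## Check for ProFTPD versions prior to 1.3.2rc3`, contradicts the code on the next line, which tests `test_version:"1.3.3g"`; it looks copied from an older plugin and should read `## Check for ProFTPD versions prior to 1.3.3g`. The block also mixes spaces and a tab for indentation (the `exit(0);` line); pick one to match the rest of the file. `security_hole(port);` passes the port positionally while every other plugin in this commit uses the named form; `security_hole(port:port);` keeps them consistent.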


Property changes on: trunk/openvas-plugins/scripts/gb_proftpd_50631.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date


