[Openvas-commits] r11614 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Sep 14 16:05:53 CEST 2011


Author: veerendragg
Date: 2011-09-14 16:05:49 +0200 (Wed, 14 Sep 2011)
New Revision: 11614

Added:
   trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl
   trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_ms11-070.nasl
   trunk/openvas-plugins/scripts/secpod_ms11-071.nasl
   trunk/openvas-plugins/scripts/secpod_ms11-072.nasl
   trunk/openvas-plugins/scripts/secpod_ms11-073.nasl
   trunk/openvas-plugins/scripts/secpod_ms11-074.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/cpe.inc
   trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl
Log:
Added new plugins. Added MS bulletin plugins for September 2011. Fixed a false positive and added a new CPE.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/ChangeLog	2011-09-14 14:05:49 UTC (rev 11614)
@@ -1,3 +1,24 @@
+2011-09-14  Veerendra G.G <veerendragg at secpod.com>
+
+	* scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl,
+	scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl,
+	scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl,
+	scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl,
+	scripts/gb_advanced_image_hosting_xss_vuln.nasl,
+	scripts/gb_ibm_openadmin_tool_detect.nasl:
+	Added new plugins.
+
+	* scripts/secpod_ms11-070.nasl,
+	scripts/secpod_ms11-071.nasl,
+	scripts/secpod_ms11-072.nasl,
+	scripts/secpod_ms11-073.nasl,
+	scripts/secpod_ms11-074.nasl:
+	Added MS bulletin plugins - September 2011.
+
+	* scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl,
+	scripts/cpe.inc:
+	Fixed FP and Added New CPE.
+
 2011-09-14  Michael Meyer <michael.meyer at greenbone.net>
 
 	* * scripts/gb_sharepoint_39776.nasl,

Modified: trunk/openvas-plugins/scripts/cpe.inc
===================================================================
--- trunk/openvas-plugins/scripts/cpe.inc	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/cpe.inc	2011-09-14 14:05:49 UTC (rev 11614)
@@ -927,7 +927,8 @@
 "Adobe/Flash/Player/MacOSX/Version", "^([0-9.]+)", "cpe:/a:adobe:flash_player:",
 "Adobe/Air/MacOSX/Version", "^([0-9.]+)", "cpe:/a:adobe:adobe_air:",
 "RealPlayer/MacOSX/Version", "^([0-9.]+)", "cpe:/a:realnetworks:realplayer:",
-"Tcptrack/Ver", "^([0-9.]+)", "cpe:/a:rhythm:tcptrack:"
+"Tcptrack/Ver", "^([0-9.]+)", "cpe:/a:rhythm:tcptrack:",
+"www/*/IBM/Open/Admin/Tool", "^([0-9.]+)", "cpe:/a:ibm:openadmin_tool:"
 );
 
 

Added: trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_advanced_image_hosting_xss_vuln.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_advanced_image_hosting_xss_vuln.nasl 16995 2011-09-08 17:35:01Z sep $
+#
+# Advanced Image Hosting Cross Site Scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802155);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Advanced Image Hosting Cross Site Scripting Vulnerability");
+  desc = "
+  Overview: This host is running Advanced Image Hosting and is prone to cross
+  site scripting vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to failure in the 'report.php' script to properly
+  sanitize user supplied input in 'img_id' parameter.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary script code
+  in the browser of an unsuspecting user in the context of the affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Advanced Image Hosting version 2.3
+
+  Fix: No solution or patch is available as on 08th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://yabsoft.com/products.php
+
+  References:
+  http://packetstormsecurity.org/files/view/104799/aihimgid-xss.txt ";
+
+  script_description(desc);
+  script_summary("Check if Advanced Image Hosting is vulnerable to XSS");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+  exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/aihspro", "/aih", "/"))
+{
+  ## Send and Receive the response
+  req = http_get(item:string(dir,"/index.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if("Powered by:" >< res && '>AIH' >< res)
+  {
+    req = http_get(item:string(dir, '/report.php?img_id="><script>alert' +
+            '(document.cookie)</script>'), port:port);
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    ## Confirm exploit worked by checking the response
+    if('"><script>alert(document.cookie)</script>' >< res)
+    {
+      security_warning(port);
+      exit(0);
+    }
+  }
+}
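Review bot: The confirmation at `if('"><script>alert(document.cookie)</script>' >< res)` accepts any response that echoes the probe, including a 404 or error page that reflects the request URI, so a server that mirrors unknown paths into its error page is reported as vulnerable; gate the match on a successful status, e.g. `if(res =~ "^HTTP/1\.[01] 200" && '"><script>alert(document.cookie)</script>' >< res)`. The same unguarded match appears in gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl and gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl in this commit, for both their XSS and SQL-error checks. Separately, when `dir` is `"/"` the `string(dir, "/index.php")` concatenation produces `//index.php`, which some servers do not treat as the document root; those two scripts share that too.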

Added: trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_atutor_achecker_mult_sql_inj_n_xss_vuln.nasl 16587 2011-09-12 22:35:01Z sep $
+#
+# Atutor AChecker Multiple SQL Injection and XSS Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801982);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49061, 49093);
+  script_tag(name:"cvss_base", value:"6.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Atutor AChecker Multiple SQL Injection and XSS Vulnerabilities");
+  desc = "
+  Overview: This host is running Atutor AChecker and is prone to multiple
+  cross site scripting and SQL injection vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to an,
+  - Input passed via the parameter 'myown_patch_id' in '/updater/patch_edit.php'
+    and the parameter 'id' in '/user/user_create_edit.php' script is not
+    properly sanitised before being used in SQL queries.
+  - Input through the GET parameters 'id', 'p' and 'myown_patch_id' in
+    multiple scripts is not sanitized allowing the attacker to execute HTML
+    code or disclose the full path of application's residence.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary script code
+  or to compromise the application, access or modify data, or exploit latent
+  vulnerabilities in the underlying database.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Atutor AChecker 1.2 (build r530)
+
+  Fix: No solution or patch is available as on 12th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer,  http://www.atutor.ca
+
+  References:
+  http://www.exploit-db.com/exploits/17630/
+  http://packetstormsecurity.org/files/view/103763/ZSL-2011-5035.txt
+  http://packetstormsecurity.org/files/view/103762/ZSL-2011-5034.txt ";
+
+  script_description(desc);
+  script_summary("Check if Atutor AChecker is vulnerable to XSS/SQL Injection");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+  exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/AChecker", "/Atutor/AChecker", "/"))
+{
+  ## Send and Receive the response
+  req = http_get(item:string(dir,"/checker/index.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if("Web Accessibility Checker<" >< res && '>Check Accessibility' >< res)
+  {
+    ## Construct the XSS Attack
+    req = http_get(item:string(dir, '/documentation/frame_header.php?p="' +
+                   '><script>alert(document.cookie)</script>'), port:port);
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    ## Confirm exploit worked by checking the response
+    if('"><script>alert(document.cookie)</script>' >< res)
+    {
+      security_hole(port);
+      exit(0);
+    }
+
+    ## Construct the SQL attack
+    req = http_get(item:string(dir, "/user/user_create_edit.php?id='1111"),
+                   port:port);
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    ## Confirm exploit worked by checking the response
+    if('You have an error in your SQL syntax;' >< res)
+    {
+      security_hole(port);
+      exit(0);
+    }
+  }
+}

Added: trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,125 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_atutor_acontent_mult_sql_inj_n_xss_vuln.nasl 16588 2011-09-12 17:35:01Z sep $
+#
+# Atutor AContent Multiple SQL Injection and XSS Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801985);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49066);
+  script_tag(name:"cvss_base", value:"6.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Atutor AContent Multiple SQL Injection and XSS Vulnerabilities");
+  desc = "
+  Overview: This host is running Atutor AContent and is prone to multiple
+  cross site scripting and SQL injection vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to an,
+  - Input passed via multiple parameters in multiple scripts is not properly
+    sanitised before being used in SQL queries.
+  - Input passed via multiple parameters in multiple scripts via GET and POST
+    method is not properly sanitised before being used.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary script code
+  or to compromise the application, access or modify data, or exploit latent
+  vulnerabilities in the underlying database.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Atutor AContent version 1.1 (build r296)
+
+  Fix: No solution or patch is available as on 12th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer,  http://www.atutor.ca
+
+  References:
+  http://www.exploit-db.com/exploits/17629/
+  http://packetstormsecurity.org/files/view/103761/ZSL-2011-5033.txt
+  http://packetstormsecurity.org/files/view/103760/ZSL-2011-5032.txt
+  http://packetstormsecurity.org/files/view/103759/ZSL-2011-5031.txt " ;
+
+  script_description(desc);
+  script_summary("Check if Atutor AContent is vulnerable to XSS/SQL Injection");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+  exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/AContent", "/Atutor/AContent", "/"))
+{
+  ## Send and Receive the response
+  req = http_get(item:string(dir,"/home/index.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if(">AContent Handbook<" >< res && '>AContent</' >< res)
+  {
+    ## Construct the XSS Attack
+    req = http_get(item:string(dir, '/documentation/frame_header.php?p="><sc' +
+                   'ript>alert(document.cookie)</script>'), port:port);
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    ## Confirm exploit worked by checking the response
+    if('"><script>alert(document.cookie)</script>' >< res)
+    {
+      security_hole(port);
+      exit(0);
+    }
+
+    ## Construct the SQL attack
+    req = http_get(item:string(dir, "/documentation/search.php?p=home&query=" +
+                               "'111&search=Search"), port:port);
+    res = http_keepalive_send_recv(port:port, data:req);
+
+    ## Confirm exploit worked by checking the response
+    if('You have an error in your SQL syntax;' >< res)
+    {
+      security_hole(port);
+      exit(0);
+    }
+  }
+}

Added: trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_detect.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,73 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_openadmin_tool_detect.nasl 17030 2011-09-12 17:10:36Z sep $
+#
+# IBM Open Admin Tool Version Detection
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802158);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"risk_factor", value:"None");
+  script_name("IBM Open Admin Tool Version Detection");
+  desc = "
+  Overview: This script finds the installed IBM Open Admin Tool version and
+  saves the result in KB.";
+
+  script_description(desc);
+  script_summary("Set the version of IBM Open Admin Tool in KB");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Service detection");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+port = get_http_port(default:8080);
+if(!port){
+  exit(0);
+}
+
+## Send and receive response
+sndReq = http_get(item:"/openadmin/index.php?act=help&do=aboutOAT", port:port);
+rcvRes = http_send_recv(port:port, data:sndReq);
+
+## Confirm the application
+if(">OpenAdmin Tool" >< rcvRes ||
+            "> OpenAdmin Tool Community Edition <" >< rcvRes)
+{
+  ## Grep for the version
+  ver = eregmatch(pattern:">Version:.*[^\n]", string:rcvRes);
+  ver = eregmatch(pattern:"([0-9.]+)", string:ver[0]);
+  if(ver[1] != NULL)
+  {
+    ## Set the KB value
+    set_kb_item(port:uniPort, name:"www/" + port + "/IBM/Open/Admin/Tool",
+                                                value:ver[1]);
+    security_note(data:"IBM Open Admin Tool version " + ver[1] +
+                                       " was detected on the host");
+  }
+}
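Review bot: `uniPort` in the `set_kb_item(port:uniPort, ...)` call is never assigned anywhere in this script, and the KB key already encodes the port, so the argument should simply go: `set_kb_item(name:"www/" + port + "/IBM/Open/Admin/Tool", value:ver[1]);`. The `security_note(data:...)` call right after it carries no `port:` argument, so the finding is attached to the host rather than the web port; `security_note(port:port, data:...)` would keep it consistent with the key. `get_http_port(default:8080)` together with `script_require_ports("Services/www", 80)` looks inconsistent — presumably 8080 is the expected OAT port — and gb_ibm_openadmin_tool_mult_xss_vuln.nasl in this commit has the same pairing. The second `eregmatch` takes the first run of digits and dots after `>Version:`, which may capture only a fragment of a longer string; worth confirming against a real About page before the value feeds `version_is_less` downstream.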

Added: trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_ibm_openadmin_tool_mult_xss_vuln.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,93 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ibm_openadmin_tool_mult_xss_vuln.nasl 17030 2011-09-12 18:20:29 sep $
+#
+# IBM Open Admin Tool 'index.php' Multiple Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802159);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-3390");
+  script_bugtraq_id(49364);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("IBM Open Admin Tool 'index.php' Multiple Cross-Site Scripting Vulnerability");
+  desc = "
+  Overview: This host is running IBM Open Admin Tool and is prone to multiple
+  cross-site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to the improper validation of user supplied input
+  via 'host', 'port', 'username', 'userpass' and 'informixserver' parameters
+  in 'index.php'.
+
+  Impact:
+  Successful exploitation will allow attackers to execute arbitrary HTML and
+  script code in a user's browser session in the context of an affected site
+  and steal the victim's cookie-based authentication credentials.
+
+  Impact Level: Application.
+
+  Affected Software:
+  IBM OpenAdmin Tool (OAT) version before 2.72
+
+  Fix: Upgrade to IBM OpenAdmin Tool (OAT) version 2.72 or later
+  For updates refer, https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=swg-informixfpd&lang=en_US&S_PKG=dl&cp=UTF-8
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/69488
+  http://voidroot.blogspot.com/2011/08/xss-in-ibm-open-admin-tool.html
+  http://packetstormsecurity.org/files/view/104617/ibmopenadmin-xss.txt
+  http://www.securityfocus.com/archive/1/archive/1/519468/100/0/threaded ";
+
+  script_description(desc);
+  script_summary("Check for the version of IBM Open Admin Tool");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_dependencies("gb_ibm_openadmin_tool_detect.nasl");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:8080);
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## GET the version from KB
+ver = get_kb_item("www/" + port + "/IBM/Open/Admin/Tool");
+if(!ver){
+  exit(0);
+}
+
+## Check the IBM Open Admin Tool less than 2.72
+if(version_is_less(version:ver, test_version:"2.72")){
+  security_warning(port);
+}

Modified: trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_ms_win_fraudulent_digital_cert_spoofing_vuln.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -27,7 +27,7 @@
 if(description)
 {
   script_id(801975);
-  script_version("$Revision: 1.0$");
+  script_version("$Revision: 1.1$");
   script_tag(name:"cvss_base", value:"5.0");
   script_tag(name:"risk_factor", value:"Medium");
   script_name("Fraudulent Digital Certificates Spoofing Vulnerability (2607712)");
@@ -85,6 +85,6 @@
 }
 
 ## Check Hotfix 2607712
-if(!(hotfix_missing(name:"2607712") == 0)){
+if((hotfix_missing(name:"2607712") == 1)){
   security_warning(0);
 }
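Review bot: The outer parentheses in `if((hotfix_missing(name:"2607712") == 1)){` are redundant; `if(hotfix_missing(name:"2607712") == 1){` reads the same and matches the form used in secpod_ms11-070.nasl in this commit. Judging from the guard it replaces, `hotfix_missing` apparently has an outcome other than 0 and 1 (e.g. when the hotfix state cannot be read) that this change deliberately stops reporting; a one-line comment such as `## Report only a confirmed missing hotfix (== 1); an undetermined state is not reported` would record that intent for the next reader.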

Added: trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_snitz_forums_2000_xss_n_sql_inj_vuln.nasl 16868 2011-09-13 12:12:12Z sep $
+#
+# Snitz Forums 2000 'members.asp' SQL Injection and Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802243);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(45381);
+  script_cve_id("CVE-2010-4826", "CVE-2010-4827");
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Snitz Forums 2000 'members.asp' SQL Injection and Cross Site Scripting Vulnerabilities");
+  desc = "
+  Overview: The host is running Snitz and is prone to SQL injection and cross
+  site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  - Input passed to the 'M_NAME' parameter in members.asp is not properly
+    sanitised before being returned to the user. This can be exploited to
+    execute arbitrary HTML and script code in a user's browser session in
+    context of an affected site.
+  - Input passed to the 'M_NAME' parameter in members.asp is not properly
+    sanitised before being used in SQL queries. This can be exploited to
+    manipulate SQL queries by injecting arbitrary SQL code.
+
+  Impact:
+  Successful exploitation could allow an attacker to steal cookie-based
+  authentication credentials, compromise the application, access or modify
+  data, or exploit latent vulnerabilities in the underlying database.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Snitz Forums 2000 version 3.4.07
+
+  Fix: Apply the patch from below link,
+  http://forum.snitz.com/forum/topic.asp?TOPIC_ID=69770
+
+  *****
+  NOTE : Ignore this warning, if above mentioned patch is applied already.
+  *****
+
+  References:
+  http://osvdb.org/69794
+  http://secunia.com/advisories/42308
+  http://forum.snitz.com/forum/topic.asp?TOPIC_ID=69770 ";
+
+  script_description(desc);
+  script_summary("Check for the version of Snitz Forums");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("snitz_forums_2000_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Get version from KB
+ver =  get_version_from_kb(port:port, app:"SnitzForums");
+if(ver)
+{
+  ## Check Snitz Forums 2000 version 3.4.07
+  if(version_is_equal(version:ver, test_version:"3.4.07")){
+    security_hole(port);
+  }
+}
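Review bot: The check `version_is_equal(version:ver, test_version:"3.4.07")` fires only on an exact string match; if snitz_forums_2000_detect.nasl records the version without the zero-padded patch field (e.g. `3.4.7`) or with a trailing suffix, the comparison silently misses — worth confirming against that detection script, which is outside this commit. The assignment `ver =  get_version_from_kb(port:port, app:"SnitzForums");` has a doubled space; `ver = get_version_from_kb(port:port, app:"SnitzForums");` matches the rest of the file.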

Added: trunk/openvas-plugins/scripts/secpod_ms11-070.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-070.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-070.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,138 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-070.nasl 17072 2011-09-14 10:10:10Z sep $
+#
+# Microsoft Windows WINS Local Privilege Escalation Vulnerability (2571621)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902566);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-1984");
+  script_bugtraq_id(49523);
+  script_tag(name:"cvss_base", value:"6.8");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Microsoft Windows WINS Local Privilege Escalation Vulnerability (2571621)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS11-070.
+
+  Vulnerability Insight:
+  The flaw is caused by an error in the Windows Internet Name Service (WINS)
+  when handling handling a series of malformed packets sent over the loopback
+  interface, leading to arbitrary code execution with elevated privileges.
+
+  Impact:
+  Successful exploits will allow local attackers to execute arbitrary code with
+  local system privileges and potentially compromise the affected computer.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Microsoft Windows 2K3 Service Pack 2 and prior
+  Microsoft Windows Server 2008 Service Pack 2 and prior
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-070
+
+  References:
+  http://support.microsoft.com/kb/2571621
+  http://www.exploit-db.com/exploits/17831/
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-070
+  http://www.coresecurity.com/content/ms-wins-ecommenddlg-input-validation ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable 'Wins.exe' file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(win2003:3, win2008:3) <= 0){
+  exit(0);
+}
+
+## MS11-070 Hotfix (2571621)
+if(hotfix_missing(name:"2571621") == 0){
+  exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+  exit(0);
+}
+
+## Confirm WINS Installation
+if(!registry_key_exists(key:"SYSTEM\CurrentControlSet\Services\WINS")){
+  exit(0);
+}
+
+## Get Version from Wins.exe file
+exeVer = fetch_file_version(syspath, file_name:"system32\Wins.exe");
+if(!exeVer){
+  exit(0);
+}
+
+## Windows 2003
+if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    ## Check for Wins.exe version
+    if(version_is_less(version:exeVer, test_version:"5.2.3790.4893")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+## Windows Server 2008
+else if(hotfix_check_sp(win2008:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2008/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    ## Check for Wins.exe version
+    if(version_is_less(version:exeVer, test_version:"6.0.6002.18501") ||
+       version_in_range(version:exeVer, test_version:"6.0.6002.22000", test_version2:"6.0.6002.22692")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
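Review bot: `exeVer = fetch_file_version(syspath, file_name:"system32\Wins.exe");` passes `syspath`, but the variable assigned a few lines earlier is `sysPath`; NASL identifiers are case-sensitive, so an undefined value is handed to `fetch_file_version` and the script will presumably exit at the `if(!exeVer)` guard without ever checking the file, meaning the bulletin is never reported. The line should read `exeVer = fetch_file_version(sysPath, file_name:"system32\Wins.exe");`. Also `if(!sysPath ){` has a stray space before the brace, and the description text contains the doubled word "handling handling".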

Added: trunk/openvas-plugins/scripts/secpod_ms11-071.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-071.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-071.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,149 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-071.nasl 17073 2011-09-14 09:00:35Z sep $
+#
+# Microsoft Windows Components Remote Code Execution Vulnerabilities (2570947)
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(901205);
+  script_version("$Revision$:1.0");
+  script_bugtraq_id(47741);
+  script_cve_id("CVE-2011-1991");
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("Microsoft Windows Components Remote Code Execution Vulnerabilities (2570947)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS11-071.
+
+  Vulnerability Insight:
+  The flaw exists when specific Windows components incorrectly restrict the
+  path used for loading external libraries. An attacker can exploit this
+  issue by enticing an unsuspecting victim to open a file on a remote SMB
+  or WebDAV share.
+
+  Impact:
+  Successful exploitation could allow remote attacker to execute arbitrary
+  code by enticing an unsuspecting victim to open a file on a remote SMB or
+  WebDAV share.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 7 Service Pack 1 and prior.
+  Microsoft Windows XP Service Pack 3 and prior.
+  Microsoft Windows 2003 Service Pack 2 and prior.
+  Microsoft Windows Vista Service Pack 2 and prior.
+  Microsoft Windows Server 2008 Service Pack 2 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-071
+
+  References:
+  http://support.microsoft.com/kb/2570947
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-071
+  ";
+
+  script_description(desc);
+  script_summary("Check for the registry and vulnerable file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS and Service Pack
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){
+  exit(0);
+}
+
+res = hotfix_missing(name:"2570947");
+
+## MS11-071 Hotfix (2570947)
+if(res == 0){
+  exit(0);
+}
+
+## For XP and 2003 only registry changes
+if((hotfix_check_sp(xp:4, win2003:3) == 1) && res == 1)
+{
+  security_hole(0);
+  exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+  exit(0);
+}
+
+## Get Version from Imjpapi.dll files version
+sysVer = fetch_file_version(sysPath:sysPath,
+                            file_name:"\System32\IME\IMEJP10\Imjpapi.dll");
+if(!sysVer){
+  exit(0);
+}
+
+## Windows Vista and Windows Server 2008
+if(hotfix_check_sp(winVista:3, win2008:3) > 0)
+{
+  SP = get_kb_item("SMB/WinVista/ServicePack");
+
+  if(!SP) {
+    SP = get_kb_item("SMB/Win2008/ServicePack");
+  }
+
+  if("Service Pack 2" >< SP)
+  {
+    ## Check for Imjpapi.dll version
+    if(version_in_range(version:sysVer, test_version:"10.0.6002.18000", test_version2:"10.0.6002.18494")||
+       version_in_range(version:sysVer, test_version:"10.0.6002.22000", test_version2:"10.0.6002.22683")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+
+## Windows 7
+else if(hotfix_check_sp(win7:1) > 0)
+{
+  ## Check for Imjpapi.dll version
+  if(version_in_range(version:sysVer, test_version:"10.1.7600.16000", test_version2:"10.1.7600.16855")||
+     version_in_range(version:sysVer, test_version:"10.1.7600.20000", test_version2:"10.1.7600.21015")||
+     version_in_range(version:sysVer, test_version:"10.1.7601.17000", test_version2:"10.1.7601.17657")||
+     version_in_range(version:sysVer, test_version:"10.1.7601.21000", test_version2:"10.1.7601.21778")){
+    security_hole(0);
+  }
+}
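Review bot: The version string in the description block is malformed — `script_version("$Revision$:1.0");` places `:1.0` outside the keyword, unlike the `"$Revision: 1.0$"` form the sibling plugins in this commit use, so it should be `script_version("$Revision: 1.0$");`. The file name handed to fetch_file_version carries a leading backslash (`"\System32\IME\IMEJP10\Imjpapi.dll"`) while the other new plugins pass a relative name such as `"system32\Wins.exe"`; whether fetch_file_version tolerates the doubled separator after sysPath cannot be told from here and is worth confirming. Note also that when that DLL is absent the script exits at `if(!sysVer)` without reporting, so Vista/2008/7 hosts that lack the Japanese IME component get no result for this bulletin; whether the DLL is present on default installs is not visible in this hunk, so consider a fallback file for those platforms.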

Added: trunk/openvas-plugins/scripts/secpod_ms11-072.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-072.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-072.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,204 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-072.nasl 17074 2011-09-14 10:10:09Z sep $
+#
+# Microsoft Office Excel Remote Code Execution Vulnerabilities (2587505)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902727);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-1986", "CVE-2011-1987", "CVE-2011-1988",
+                "CVE-2011-1989", "CVE-2011-1990");
+  script_bugtraq_id(49476, 49477, 49478, 49518, 49517);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Microsoft Office Excel Remote Code Execution Vulnerabilities (2587505)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS11-072.
+
+  Vulnerability Insight:
+  The flaws are caused by memory corruption, array-indexing and use-after-free
+  errors when handling the crafted Excel files.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code
+  with the privileges of the user running the affected application.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Microsoft Excel 2003 Service Pack 3
+  Microsoft Excel 2007 Service Pack 2
+  Microsoft Office 2007 Service Pack 2
+  Microsoft Excel Viewer Service Pack 2
+  Microsoft Excel 2010 Service Pack 1 and prior
+  Microsoft Office 2010 Service Pack 1 and prior
+  Excel Services installed on Microsoft Office SharePoint Server 2007 Service Pack 2
+  Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-072
+
+  References:
+  http://secunia.com/advisories/45932/
+  http://support.microsoft.com/kb/2553072
+  http://support.microsoft.com/kb/2553073
+  http://support.microsoft.com/kb/2553089
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-072 ";
+
+  script_description(desc);
+  script_summary("Check for the version of vulnerable files");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_office_products_version_900032.nasl",
+                      "secpod_ms_office_detection_900025.nasl");
+  script_require_keys("SMB/Office/Excel/Version", "MS/Office/Ver",
+                      "SMB/Office/XLView/Version");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+# Check for Office Excel 2003/2007/2010
+excelVer = get_kb_item("SMB/Office/Excel/Version");
+if(excelVer =~ "^(11|12|14)\..*")
+{
+  # Check version Excel.exe
+  if(version_in_range(version:excelVer, test_version:"11.0", test_version2:"11.0.8340.0") ||
+     version_in_range(version:excelVer, test_version:"12.0", test_version2:"12.0.6565.5002") ||
+     version_in_range(version:excelVer, test_version:"14.0", test_version2:"14.0.6106.5004"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# Microsoft Office Excel Viewer 2007
+excelVer = get_kb_item(name:"SMB/Office/XLView/Version");
+if(!isnull(excelVer))
+{
+  # check for Xlview.exe  version
+  if(version_in_range(version:excelVer, test_version:"12.0", test_version2:"12.0.6565.4999"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+# Check for Office Compatibility Pack 2007
+if(get_kb_item("SMB/Office/ComptPack/Version") =~ "^12\..*")
+{
+  xlcnvVer = get_kb_item("SMB/Office/XLCnv/Version");
+  if(xlcnvVer)
+  {
+    # Check for Office Excel Converter 2007 version 12.0 < 12.0.6565.5003
+    if(version_in_range(version:xlcnvVer, test_version:"12.0", test_version2:"12.0.6565.5002"))
+    {
+      security_hole(0);
+      exit(0);
+    }
+  }
+}
+
+# Microsoft Office 2007 Service Pack 2 and
+# Microsoft Office 2010 Service Pack 1 and prior
+if(get_kb_item("MS/Office/Ver") =~ "^[12|14].*")
+{
+  ## Get the file version
+  path12 = registry_get_sz(key:"SOFTWARE\Microsoft\Office\12.0\Access\InstallRoot",
+                            item:"Path");
+  if(path12)
+  {
+    ## Get the file versions
+    ort12Ver = fetch_file_version(sysPath:path12, file_name:"Oart.dll");
+    ortconv12Ver = fetch_file_version(sysPath:path12, file_name:"Oartconv.dll");
+    if(!isnull(ort12Ver) || !isnull(ortconv12Ver))
+    {
+      ## Check the Oart.dll and Oartconv.dll files version
+      if(version_in_range(version:ort12Ver, test_version:"12", test_version2:"12.0.6565.4999") ||
+         version_in_range(version:ortconv12Ver, test_version:"12", test_version2:"12.0.6565.4999"))
+      {
+        security_hole(0);
+        exit(0);
+      }
+    }
+  }
+
+  ## Get the file version
+  path14 = registry_get_sz(key:"SOFTWARE\Microsoft\Office\14.0\Access\InstallRoot",
+                            item:"Path");
+  if(path14)
+  {
+    ## Get the file versions
+    ort14Ver = fetch_file_version(sysPath:path14, file_name:"Oart.dll");
+    ortconv14Ver = fetch_file_version(sysPath:path14, file_name:"Oartconv.dll");
+    if(!isnull(ort14Ver) || !isnull(ortconv14Ver))
+    {
+      ## Check the Oart.dll and Oartconv.dll files version
+      if(version_in_range(version:ort14Ver, test_version:"14", test_version2:"14.0.6106.5004") ||
+         version_in_range(version:ortconv14Ver, test_version:"14", test_version2:"14.0.6106.5004"))
+      {
+        security_hole(0);
+        exit(0);
+      }
+    }
+  }
+}
+
+## Microsoft Office Share Point server
+## Check for the existence of the server
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(!registry_key_exists(key:key)) {
+    exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+  appName = registry_get_sz(item:"DisplayName", key:key + item);
+  if("Microsoft Office SharePoint Server 2007" >< appName)
+  {
+    dllPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+                           item:"CommonFilesDir");
+    if(dllPath)
+    {
+      dllPath += "\System\Ole DB";
+      dllVer = fetch_file_version(sysPath:dllPath, file_name:"Msmdcb80.dll");
+      if(dllVer)
+      {
+        ## Grep for Msmdcb80.dll versions
+        if(version_in_range(version:dllVer, test_version:"8.0", test_version2:"8.0.2277.0")){
+          security_hole(0);
+        }
+      }
+    }
+  }
+}
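Review bot: The Office version test `if(get_kb_item("MS/Office/Ver") =~ "^[12|14].*")` uses a character class rather than alternation, so it matches any version beginning with `1`, `2`, `|` or `4` (including Office 2003's `11.x`) instead of only `12.` or `14.`; the Excel check earlier in this hunk already uses the correct form `"^(11|12|14)\..*"`, so this should be `=~ "^(12|14)\."`. The same defect appears in secpod_ms11-073.nasl at `"^[11|12|14].*"`, which should read `"^(11|12|14)\."`. In the Oart.dll block, `if(!isnull(ort12Ver) || !isnull(ortconv12Ver))` lets a null version reach version_in_range whenever only one of the two DLLs was found; unless version_in_range is known to treat a null version as out of range, guard each call with its own null check (the 14.0 block has the same shape).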

Added: trunk/openvas-plugins/scripts/secpod_ms11-073.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-073.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-073.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,114 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-073.nasl 17075 2011-09-14 11:11:11Z sep $
+#
+# Microsoft Office Remote Code Execution Vulnerabilites (2587634)
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902567);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_cve_id("CVE-2011-1980", "CVE-2011-1982");
+  script_bugtraq_id(49513, 49519);
+  script_name("Microsoft Office Remote Code Execution Vulnerabilites (2587634)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS11-073.
+
+  Vulnerability Insight:
+  - The flaw is caused due to the application loading libraries in an
+    insecure manner when attempting to validate an opened file. This can be
+    exploited to load arbitrary libraries by tricking a user into opening a
+    PPT file located on a remote WebDAV or SMB share.
+  - An error when parsing unspecified data can be exploited to dereference an
+    uninitialised value as an object pointer via a specially crafted Word
+    document.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code as
+  the logged-on user.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Microsoft Office 2003 Service Pack 3
+  Microsoft Office 2007 Service Pack 2
+  Microsoft Office 2010 Service Pack 1 and prior.
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-073
+
+  References:
+  http://secunia.com/advisories/45020
+  http://www.securitytracker.com/id/1026039
+  http://technet.microsoft.com/en-us/security/bulletin/ms11-073 ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mso.dll file");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_office_products_version_900032.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## MS Office 2003, 2007, 2010
+if(get_kb_item("MS/Office/Ver") =~ "^[11|12|14].*")
+{
+  ## Get Office File Path
+  path = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+                            item:"CommonFilesDir");
+  if(! path) {
+    exit(0);
+  }
+
+  foreach ver (make_list("OFFICE11", "OFFICE12", "OFFICE14"))
+  {
+    ## Get Version from Mso.dll
+    offPath = path + "\Microsoft Shared\" + ver;
+    dllVer = fetch_file_version(sysPath:offPath, file_name:"Mso.dll");
+
+    if(dllVer)
+    {
+      ## Grep for Mso.dll versions
+      if(version_in_range(version:dllVer, test_version:"11.0", test_version2:"11.0.8340.0")   ||
+         version_in_range(version:dllVer, test_version:"12.0", test_version2:"12.0.6562.5002")||
+         version_in_range(version:dllVer, test_version:"14.0", test_version2:"14.0.6106.5004"))
+      {
+        security_hole(0);
+        exit(0);
+      }
+    }
+  }
+}
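Review bot: `script_name("Microsoft Office Remote Code Execution Vulnerabilites (2587634)")` misspells "Vulnerabilities", and the same typo is in the file header comment. Since script_name is the user-facing title in scan reports, it should be `script_name("Microsoft Office Remote Code Execution Vulnerabilities (2587634)");`.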

Added: trunk/openvas-plugins/scripts/secpod_ms11-074.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms11-074.nasl	2011-09-14 13:59:31 UTC (rev 11613)
+++ trunk/openvas-plugins/scripts/secpod_ms11-074.nasl	2011-09-14 14:05:49 UTC (rev 11614)
@@ -0,0 +1,185 @@
+########i#######################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms11-074.nasl 17076 2011-09-14 17076 10:40:09Z sep $
+#
+# Microsoft SharePoint Multiple Privilege Escalation Vulnerabilities (2451858)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902625);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2011-0653", "CVE-2011-1252", "CVE-2011-1890", "CVE-2011-1891",
+                "CVE-2011-1892", "CVE-2011-1893");
+  script_bugtraq_id(49002, 48199, 49010, 49005, 49511, 49004);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Microsoft SharePoint Multiple Privilege Escalation Vulnerabilities (2451858)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS11-074.
+
+  Vulnerability Insight:
+  Multiple flaws are due to the way Microsoft SharePoint validates and
+  sanitizes user input, parses malicious XML and XSL files and handles
+  script contained inside of specific request parameter.
+
+  Impact:
+  Successful exploitation could allow remote attackers to execute arbitrary
+  code on the system with elevated privileges via a specially crafted URL or
+  or a crafted Web site.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Microsoft Windows SharePoint Services 2.0
+  Microsoft Groove 2007 Service Pack 2 and prior
+  Microsoft Office SharePoint Server 2007 Service Pack 2
+  Microsoft Windows SharePoint Services 3.0 Service Pack 2
+  Microsoft Office SharePoint Workspace 2010 Service Pack 1 and prior
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://www.microsoft.com/technet/security/bulletin/ms11-074.mspx
+
+  References:
+  http://support.microsoft.com/kb/2451858
+  http://www.microsoft.com/technet/security/bulletin/ms11-074.mspx ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl", "secpod_office_products_version_900032.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+
+## MS11-074 Hotfix (2451858)
+
+if(hotfix_missing(name:"2451858") == 0){
+#  exit(0);
+}
+
+## Microsoft Groove 2007
+exeVer = get_kb_item("SMB/Office/Groove/Version");
+if(exeVer =~ "^12\..*")
+{
+  # Grep for GROOVE.EXE version 12.0 < 12.0.6552.5000
+  if(version_in_range(version:exeVer, test_version:"12.0", test_version2:"12.0.6552.4999"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+## Microsoft SharePoint Server 2007
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(registry_key_exists(key:key))
+{
+  foreach item (registry_enum_keys(key:key))
+  {
+    appName = registry_get_sz(item:"DisplayName", key:key + item);
+    if("Microsoft Office SharePoint Server 2007" >< appName)
+    {
+      dllPath =  registry_get_sz(item:"BinPath",
+                            key:"SOFTWARE\Microsoft\Office Server\12.0");
+      vers  = fetch_file_version(sysPath:dllPath, file_name:"Microsoft.sharepoint.publishing.dll");
+      if(vers)
+      {
+         ## Check for Microsoft.sharepoint.publishing.dl version < 12.0.6562.5000
+         if(version_is_less(version:vers, test_version:"12.0.6562.5000"))
+         {
+           security_hole(0);
+           exit(0);
+         }
+      }
+    }
+  }
+}
+
+## Microsoft Windows SharePoint Services
+if(registry_key_exists(key:key))
+{
+  foreach item (registry_enum_keys(key:key))
+  {
+    srvcName = registry_get_sz(item:"DisplayName", key:key + item);
+    if("Microsoft Windows SharePoint Services" >< srvcName)
+    {
+      dllPath =  registry_get_sz(item:"SharedFilesDir",
+                              key:"SOFTWARE\Microsoft\Shared Tools");
+
+    if(dllPath)
+    {
+      dllPath1 = dllPath + "web server extensions\12\BIN";
+      dllPath2 = dllPath + "web server extensions\60\BIN";
+      dllVer1  = fetch_file_version(sysPath:dllPath1, file_name:"Onetutil.dll");
+      dllVer2  = fetch_file_version(sysPath:dllPath2, file_name:"Onetutil.dll");
+
+      if(dllVer1 || dllVer2)
+      {
+        ## Check for onetutil.dll version < 12.0.6565.5001 for Sharepoint services 3.0
+        ## Check for onetutil.dll version < 11.0.8339.0 for Sharepoint services 2.0
+        if(version_in_range(version:dllVer2, test_version:"11.0", test_version2:"11.0.8339.0") ||
+           version_in_range(version:dllVer1, test_version:"12.0", test_version2:"12.0.6565.5000"))
+        {
+           security_hole(0);
+           exit(0);
+        }
+      }
+    }
+  }
+}
+}
+
+
+## Microsoft SharePoint Workspace 2010
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.GROOVER";
+if(!registry_key_exists(key:key)) {
+    exit(0);
+}
+
+worksName =  registry_get_sz(item:"DisplayName", key:key);
+if("Microsoft SharePoint Workspace 2010" >< worksName)
+{
+  worksPath = registry_get_sz(key:key,item:"InstallLocation");
+  worksPath += "Office14";
+  worksVer  = fetch_file_version(sysPath:worksPath, file_name:"GROOVE.exe");
+  if(worksVer && worksVer =~ "^14\..*")
+  {
+    ## Check for Groove.exe version < 14.0.6106.5000
+    if(version_is_less(version:worksVer, test_version:"14.0.6106.5000"))
+    {
+      security_hole(0);
+      exit(0);
+    }
+  }
+}
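Review bot: The hotfix guard `if(hotfix_missing(name:"2451858") == 0){ #  exit(0); }` has its only statement commented out, so the block is dead: hosts that already have the update installed are still version-checked, and a reader cannot tell whether the exit was disabled deliberately (e.g. because this update does not register under that KB) or left over from debugging. Either restore `exit(0);` or drop the three lines and add a comment stating why the hotfix registry check is not used. Further down, `dllPath =  registry_get_sz(item:"BinPath", key:"SOFTWARE\Microsoft\Office Server\12.0");` is passed straight to fetch_file_version without the null check the `SharedFilesDir` branch performs; wrap that call in `if(dllPath)`. The `worksPath += "Office14";` and `dllPath + "web server extensions\12\BIN"` concatenations also assume the registry value ends with a path separator, which is not visible here and worth confirming.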


