[Openvas-commits] r11722 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Sep 30 15:58:09 CEST 2011
Author: veerendragg
Date: 2011-09-30 15:58:03 +0200 (Fri, 30 Sep 2011)
New Revision: 11722
Added:
trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_fpd_vuln.nasl
trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_xss_vuln.nasl
trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_lin_sep11.nasl
trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_macosx_sep11.nasl
trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_win_sep11.nasl
trunk/openvas-plugins/scripts/secpod_apc_pcns_applet_xss_vuln.nasl
trunk/openvas-plugins/scripts/secpod_apc_pcns_http_response_splitting_vuln.nasl
trunk/openvas-plugins/scripts/secpod_dokuwiki_php_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_dolphin_php_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_dotproject_php_file_install_path_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_drupal_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_e107_mult_php_files_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_exo_php_desk_php_files_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_eyeos_php_files_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_feng_office_php_files_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_freeway_php_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_mantis_mult_lfi_n_xss_vuln.nasl
trunk/openvas-plugins/scripts/secpod_timelive_time_and_expense_tracking_mult_vuln.nasl
trunk/openvas-plugins/scripts/secpod_timelive_time_n_expense_tracking_detect.nasl
trunk/openvas-plugins/scripts/secpod_wordpress_php_files_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_wsn_software_dir_php_files_info_disc_vuln.nasl
trunk/openvas-plugins/scripts/secpod_xoops_php_files_info_disc_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/drupal_detect.nasl
Log:
Added new LSC plugins. Added new plugins. Updated to detect latest version.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/ChangeLog 2011-09-30 13:58:03 UTC (rev 11722)
@@ -1,3 +1,64 @@
+2011-09-30 Veerendra G.G <veerendragg at secpod.com>
+
+ * scripts/gb_fedora_2011_13465_mozvoikko_fc15.nasl,
+ scripts/gb_ubuntu_USN_1221_1.nasl,
+ scripts/gb_fedora_2011_13465_gnome-python2-extras_fc15.nasl,
+ scripts/gb_ubuntu_USN_1217_1.nasl,
+ scripts/gb_fedora_2011_13465_perl-Gtk2-MozEmbed_fc15.nasl,
+ scripts/gb_mandriva_MDVSA_2011_137.nasl,
+ scripts/gb_fedora_2011_13388_NetworkManager_fc15.nasl,
+ scripts/gb_fedora_2011_12918_phpMyAdmin_fc14.nasl,
+ scripts/gb_fedora_2011_12890_opensaml_fc15.nasl,
+ scripts/gb_CESA-2011_1341_firefox_centos5_i386.nasl,
+ scripts/gb_ubuntu_USN_1220_1.nasl,
+ scripts/gb_RHSA-2011_1343-01_thunderbird.nasl,
+ scripts/gb_fedora_2011_12193_qt_fc15.nasl,
+ scripts/gb_ubuntu_USN_1219_1.nasl,
+ scripts/gb_ubuntu_USN_1216_1.nasl,
+ scripts/gb_ubuntu_USN_1213_1.nasl,
+ scripts/gb_ubuntu_USN_1210_1.nasl,
+ scripts/gb_CESA-2011_1343_thunderbird_centos4_i386.nasl,
+ scripts/gb_fedora_2011_13465_firefox_fc15.nasl,
+ scripts/gb_ubuntu_USN_1222_1.nasl,
+ scripts/gb_RHSA-2011_1344-01_seamonkey.nasl,
+ scripts/gb_ubuntu_USN_1218_1.nasl,
+ scripts/gb_fedora_2011_12481_Django_fc14.nasl,
+ scripts/gb_fedora_2011_12928_phpMyAdmin_fc15.nasl,
+ scripts/gb_CESA-2011_1344_seamonkey_centos4_i386.nasl,
+ scripts/gb_mandriva_MDVSA_2011_136.nasl,
+ scripts/gb_CESA-2011_1343_thunderbird_centos5_i386.nasl,
+ scripts/gb_CESA-2011_1341_firefox_centos4_i386.nasl,
+ scripts/gb_RHSA-2011_1341-01_firefox.nasl,
+ scripts/gb_fedora_2011_13465_xulrunner_fc15.nasl:
+ Added new LSC plugins.
+
+ * scripts/secpod_adobe_flash_player_mult_vuln_win_sep11.nasl,
+ scripts/secpod_adobe_flash_player_mult_vuln_lin_sep11.nasl,
+ scripts/secpod_eyeos_php_files_info_disc_vuln.nasl,
+ scripts/secpod_freeway_php_info_disc_vuln.nasl,
+ scripts/secpod_mantis_mult_lfi_n_xss_vuln.nasl,
+ scripts/secpod_apc_pcns_applet_xss_vuln.nasl,
+ scripts/secpod_wsn_software_dir_php_files_info_disc_vuln.nasl,
+ scripts/secpod_wordpress_php_files_info_disc_vuln.nasl,
+ scripts/secpod_apc_pcns_http_response_splitting_vuln.nasl,
+ scripts/secpod_drupal_info_disc_vuln.nasl,
+ scripts/secpod_xoops_php_files_info_disc_vuln.nasl,
+ scripts/secpod_exo_php_desk_php_files_info_disc_vuln.nasl,
+ scripts/secpod_dokuwiki_php_info_disc_vuln.nasl,
+ scripts/secpod_feng_office_php_files_info_disc_vuln.nasl,
+ scripts/secpod_e107_mult_php_files_info_disc_vuln.nasl,
+ scripts/secpod_adobe_coldfusion_multiple_xss_vuln.nasl,
+ scripts/secpod_dotproject_php_file_install_path_disc_vuln.nasl,
+ scripts/secpod_adobe_flash_player_mult_vuln_macosx_sep11.nasl,
+ scripts/secpod_timelive_time_n_expense_tracking_detect.nasl,
+ scripts/secpod_timelive_time_and_expense_tracking_mult_vuln.nasl,
+ scripts/secpod_adobe_coldfusion_multiple_fpd_vuln.nasl,
+ scripts/secpod_dolphin_php_info_disc_vuln.nasl:
+ Added new plugins.
+
+ * scripts/drupal_detect.nasl:
+ Updated to detect latest version.
+
2011-09-29 Michael Wiegand <michael.wiegand at greenbone.net>
* scripts/gather-package-list.nasl, scripts/slad_fetch_results.nasl,
Modified: trunk/openvas-plugins/scripts/drupal_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/drupal_detect.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/drupal_detect.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -7,6 +7,9 @@
# Authors:
# Michael Meyer
#
+# Updated By : Sooraj KS <kssooraj at secpod.com> on 2011-09-27
+# - Updated to detect recent versions.
+#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH
#
@@ -80,8 +83,7 @@
if(egrep(pattern:"Location: .*update\.php\?op=info", string:buf, icase:TRUE)||
(egrep(pattern:"Access denied", string:buf, icase:TRUE) &&
- egrep(pattern:"drupal", string:buf, icase:TRUE) &&
- egrep(pattern:"\$access_check", string:buf, icase:TRUE)))
+ egrep(pattern:"drupal", string:buf, icase:TRUE)))
{
if(strlen(dir)>0){
install=dir;
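Review bot: Dropping the `$access_check` test leaves the fallback fingerprint as nothing more than "Access denied" plus the word "drupal" anywhere in the response, case-insensitively, so a non-Drupal 403 page that merely mentions Drupal (a footer link, a hosting banner) would be recorded as a Drupal install under `dir` and feed a CPE into the host details. The enclosing `if` and its body continue outside the hunk, so the downstream effect is inferred. If the old `$access_check` marker no longer appears in current releases, say so in a comment and tighten the remaining match to something Drupal-specific instead, e.g. `egrep(pattern:"X-Generator: Drupal|Drupal [0-9]", string:buf, icase:TRUE)`, assuming `buf` still holds the response headers as the `Location:` test on the first line suggests.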
@@ -107,7 +109,7 @@
tmp_version = string(vers," under ",install);
set_kb_item(name:string("www/", port, "/drupal"),
value:tmp_version);
-
+
## build cpe and store it as host_detail
cpe = build_cpe(value:tmp_version, exp:"^([0-9.]+)", base:"cpe:/a:drupal:drupal:");
if(!isnull(cpe))
Added: trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_fpd_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_fpd_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_fpd_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_adobe_coldfusion_multiple_fpd_vuln.nasl 17487 2011-09-30 14:14:14Z sep $
+#
+# Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902577);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities");
+ desc = "
+ Overview: The host is running Adobe ColdFusion and is prone to multiple full
+ path disclosure vulnerabilities.
+
+ Vulnerability Insight:
+ The flaw is caused due to insufficient error checking, allows remote
+ attackers to obtain sensitive information via a direct request to a
+ .cfm file, which reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to obtain sensitive information
+ that could aid in further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Adobe ColdFusion version 9 and prior.
+
+ Fix: No solution or patch is available as on 30th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.adobe.com/products/coldfusion-family.html
+
+ References:
+ http://websecurity.com.ua/5243/
+ http://seclists.org/fulldisclosure/2011/Sep/285
+ http://packetstormsecurity.org/files/view/105344/coldfusion-xssdisclose.txt ";
+
+ script_description(desc);
+ script_summary("Determine if Adobe ColdFusion is vulnerable to Full Path Disclosure");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("gb_coldfusion_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Confirm ColdFusion
+if(! get_kb_item(string("coldfusion/", port, "/installed"))){
+ exit(0);
+}
+
+## Try Attack and check the response to confirm vulnerability
+if(http_vuln_check(port: port, url: "/CFIDE/probe.cfm", check_header: TRUE,
+ pattern:".*\\wwwroot\\CFIDE\\probe.cfm")) {
+ security_warning(port);
+}
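Review bot: The regex `.*\\wwwroot\\CFIDE\\probe.cfm` pins the check to the default Windows `wwwroot` layout, so a ColdFusion install whose docroot is elsewhere, or one on a Unix host with forward-slash paths, discloses its path but is reported as not vulnerable. The unescaped `.` in `probe.cfm` is harmless here but should be `\.` for consistency with the other new scripts. Matching any drive-rooted path while still requiring the backslash form, which cannot be a copy of the requested URL, would widen coverage without inviting false positives: `pattern:"[A-Za-z]:\\.*\\CFIDE\\probe\.cfm"`. A short comment above the call stating that a backslash path in the body, not the URL echoed back, is the disclosure signal would help the next maintainer.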
Added: trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_xss_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_adobe_coldfusion_multiple_xss_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_adobe_coldfusion_multiple_xss_vuln.nasl 17487 2011-09-30 12:12:12Z sep $
+#
+# Adobe ColdFusion Multiple Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902576);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(49787);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Adobe ColdFusion Multiple Cross Site Scripting Vulnerabilities");
+ desc = "
+ Overview: The host is running Adobe ColdFusion and is prone to multiple cross
+ site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are caused by improper validation of user-supplied input
+ passed via the 'component' parameter in componentdetail.cfm, 'method'
+ parameter in cfcexplorer.cfc and header 'User-Agent' in cfcexplorer.cfc,
+ probe.cfm, Application.cfm, _component_cfcToHTML.cfm and
+ _component_cfcToMCDL.cfm, that allows attackers to execute arbitrary HTML
+ and script code on the web server.
+
+ Impact:
+ Successful exploitation will let the attacker to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in
+ the context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Adobe ColdFusion version 7
+
+ Fix: No solution or patch is available as on 30th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.adobe.com/products/coldfusion-family.html
+
+ References:
+ http://websecurity.com.ua/5243/
+ http://seclists.org/fulldisclosure/2011/Sep/285
+ http://packetstormsecurity.org/files/view/105344/coldfusion-xssdisclose.txt ";
+
+ script_description(desc);
+ script_summary("Determine if Adobe ColdFusion is vulnerable to Cross Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("gb_coldfusion_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Confirm ColdFusion
+if(!get_kb_item(string("coldfusion/", port, "/installed"))){
+ exit(0);
+}
+
+## Construct Attack Request
+req = string("GET /CFIDE/probe.cfm HTTP/1.1\r\n",
+ "Host: ", get_host_name(), "\r\n",
+ "User-Agent: <script>alert(document.cookie)</script>\r\n\r\n");
+
+## Try XSS Attack
+res = http_send_recv(port:port, data:req);
+
+## Confirm Exploit Worked by Checking The Response.
+if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 .*", string:res) &&
+ ('><script>alert(document.cookie)</script>' >< res)) {
+ security_warning(port);
+}
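Review bot: The success string `'><script>alert(document.cookie)</script>'` carries a leading `>` that the injected `User-Agent` value does not, so the check only fires when the server reflects the header immediately after a closing tag bracket; any other reflection context yields a false negative with no hint why. Either match the payload as sent, `("<script>alert(document.cookie)</script>" >< res)`, or keep the stricter form and document the assumption with a comment such as `## expects the User-Agent to be echoed unencoded right after a tag, e.g. <td>...`. The request is also built by hand rather than through `http_get` with added headers, which is a style difference from the sibling APC script in this commit; a one-line reason (custom header needed) would make that deliberate.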
Added: trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_lin_sep11.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_lin_sep11.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_lin_sep11.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_adobe_flash_player_mult_vuln_lin_sep11.nasl 17483 2011-09-28 13:12:12Z sep $
+#
+# Adobe Flash Player Multiple Vulnerabilities September-2011 (Linux)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902739);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-2426", "CVE-2011-2427", "CVE-2011-2428",
+ "CVE-2011-2429", "CVE-2011-2430", "CVE-2011-2444");
+ script_bugtraq_id(49714, 49715, 49716, 49718, 49717, 49710);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Adobe Flash Player Multiple Vulnerabilities September-2011 (Linux)");
+ desc = "
+ Overview: This host is installed with Adobe Flash Player and is prone to
+ multiple vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to,
+ - Stack-based buffer overflow in the ActionScript Virtual Machine (AVM)
+ component, allows remote attackers to execute arbitrary code via
+ unspecified vectors.
+ - security control bypass, allows attackers to bypass intended access
+ restrictions and obtain sensitive information via unspecified vectors
+ - logic error vulnerability, allows remote attackers to cause a denial of
+ service (browser crash) via unspecified vectors or execute arbitrary via
+ crafted streaming media.
+ - Cross-site scripting (XSS) vulnerability, allows remote attackers to
+ inject arbitrary web script or HTML via a crafted URL.
+
+ Impact:
+ Successful exploitation will let attackers to execute arbitrary code or cause
+ a denial of service.
+
+ Impact Level: iSystem/Application
+
+ Affected Software/OS:
+ Adobe Flash Player versions prior to 10.3.183.10 on Linux.
+
+ Fix: Upgrade to Adobe Flash Player version 10.3.183.10 or later.
+ For details refer, http://www.adobe.com/downloads/
+
+ References:
+ http://www.adobe.com/support/security/bulletins/apsb11-26.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Adobe Flash Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("General");
+ script_dependencies("gb_adobe_flash_player_detect_lin.nasl");
+ script_require_keys("AdobeFlashPlayer/Linux/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+flashVer = get_kb_item("AdobeFlashPlayer/Linux/Ver");
+if(!flashVer){
+ exit(0);
+}
+
+flashVer = ereg_replace(pattern:",", string:flashVer, replace: ".");
+
+## Check for Adobe Flash Player versions prior to 10.3.183.10
+if(version_is_less(version:flashVer, test_version:"10.3.183.10")){
+ security_hole(0);
+}
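Review bot: The report text at `Impact Level: iSystem/Application` has a stray `i` and, since `desc` is what the scanner shows the user, it should read `Impact Level: System/Application` as in the Mac OS X and Windows variants of this script later in the commit. This Linux variant also normalises commas to dots before `version_is_less` while the Mac OS X and Windows variants compare the KB value as-is; if their detection scripts can ever store a comma-separated version the comparison there would misparse, so either apply the same `ereg_replace` in all three or add a comment on this one saying why only the Linux KB value needs it.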
Added: trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_macosx_sep11.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_macosx_sep11.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_macosx_sep11.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_adobe_flash_player_mult_vuln_macosx_sep11.nasl 17483 2011-09-28 13:12:12Z sep $
+#
+# Adobe Flash Player Multiple Vulnerabilities September-2011 (Mac OS X)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902740);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-2426", "CVE-2011-2427", "CVE-2011-2428",
+ "CVE-2011-2429", "CVE-2011-2430", "CVE-2011-2444");
+ script_bugtraq_id(49714, 49715, 49716, 49718, 49717, 49710);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Adobe Flash Player Multiple Vulnerabilities September-2011 (Mac OS X)");
+ desc = "
+ Overview: This host is installed with Adobe Flash Player and is prone to
+ multiple vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to,
+ - Stack-based buffer overflow in the ActionScript Virtual Machine (AVM)
+ component, allows remote attackers to execute arbitrary code via
+ unspecified vectors.
+ - logic error issue, allows attackers to execute arbitrary code or cause a
+ denial of service (browser crash) via unspecified vectors.
+ - security control bypass, allows attackers to bypass intended access
+ restrictions and obtain sensitive information via unspecified vectors
+ - logic error vulnerability, allows remote attackers to execute arbitrary
+ code via crafted streaming media
+ - Cross-site scripting (XSS) vulnerability, allows remote attackers to
+ inject arbitrary web script or HTML via a crafted URL.
+
+ Impact:
+ Successful exploitation will let attackers to execute arbitrary code or cause
+ a denial of service.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Adobe Flash Player versions prior to 10.3.183.10 on Mac OS X.
+
+ Fix: Upgrade to Adobe Flash Player version 10.3.183.10 or later.
+ For details refer, http://www.adobe.com/downloads/
+
+ References:
+ http://www.adobe.com/support/security/bulletins/apsb11-26.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Adobe Flash Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("General");
+ script_dependencies("secpod_adobe_prdts_detect_macosx.nasl");
+ script_require_keys("Adobe/Flash/Player/MacOSX/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+flashVer = get_kb_item("Adobe/Flash/Player/MacOSX/Version");
+if(!flashVer){
+ exit(0);
+}
+
+## Check for Adobe Flash Player versions prior to 10.3.183.10
+if(version_is_less(version:flashVer, test_version:"10.3.183.10")){
+ security_hole(0);
+}
Added: trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_win_sep11.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_win_sep11.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_adobe_flash_player_mult_vuln_win_sep11.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_adobe_flash_player_mult_vuln_win_sep11.nasl 17483 2011-09-28 13:12:12Z sep $
+#
+# Adobe Flash Player Multiple Vulnerabilities September-2011 (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902738);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-2426", "CVE-2011-2427", "CVE-2011-2428",
+ "CVE-2011-2429", "CVE-2011-2430", "CVE-2011-2444");
+ script_bugtraq_id(49714, 49715, 49716, 49718, 49717, 49710);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Adobe Flash Player Multiple Vulnerabilities September-2011 (Windows)");
+ desc = "
+ Overview: This host is installed with Adobe Flash Player and is prone to
+ multiple vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to,
+ - Stack-based buffer overflow in the ActionScript Virtual Machine (AVM)
+ component, allows remote attackers to execute arbitrary code via
+ unspecified vectors.
+ - logic error issue, allows attackers to execute arbitrary code or cause a
+ denial of service (browser crash) via unspecified vectors.
+ - security control bypass, allows attackers to bypass intended access
+ restrictions and obtain sensitive information via unspecified vectors
+ - logic error vulnerability, allows remote attackers to execute arbitrary
+ code via crafted streaming media.
+ - Cross-site scripting (XSS) vulnerability, allows remote attackers to
+ inject arbitrary web script or HTML via a crafted URL.
+
+ Impact:
+ Successful exploitation will let attackers to execute arbitrary code or cause
+ a denial of service.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Adobe Flash Player versions prior to 10.3.183.10 on Windows.
+
+ Fix: Upgrade to Adobe Flash Player version 10.3.183.10 or later.
+ For details refer, http://www.adobe.com/downloads/
+
+ References:
+ http://www.adobe.com/support/security/bulletins/apsb11-26.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Adobe Flash Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("General");
+ script_dependencies("gb_adobe_flash_player_detect_win.nasl");
+ script_require_keys("AdobeFlashPlayer/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+flashVer = get_kb_item("AdobeFlashPlayer/Win/Ver");
+if(!flashVer){
+ exit(0);
+}
+
+## Check for Adobe Flash Player versions prior to 10.3.183.10
+if(version_is_less(version:flashVer, test_version:"10.3.183.10")){
+ security_hole(0);
+}
Added: trunk/openvas-plugins/scripts/secpod_apc_pcns_applet_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apc_pcns_applet_xss_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_apc_pcns_applet_xss_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_apc_pcns_applet_xss_vuln.nasl 17489 2011-09-30 14:14:14Z sep $
+#
+# APC PowerChute Network Shutdown 'security/applet' Cross Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902578);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(33924);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("APC PowerChute Network Shutdown 'security/applet' Cross Site Scripting Vulnerability");
+ desc = "
+ Overview: The host is running APC PowerChute Network Shutdown and is prone
+ to cross site scripting vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused by improper validation of user-supplied input passed
+ via the 'referrer' parameter in 'security/applet', which allows attackers
+ to execute arbitrary HTML and script code on the web server.
+
+ Impact:
+ Successful exploitation will let the attacker to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in
+ the context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ APC PowerChute Business Edition Shutdown 6.0.0, 7.0.1 and 7.0.2.
+
+ Fix: No solution or patch is available as on 30th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.apc.com/products/family/index.cfm?id=127
+
+ References:
+ http://secunia.com/advisories/34066
+ http://xforce.iss.net/xforce/xfdb/48973
+ http://www.securityfocus.com/archive/1/501255
+ http://www.dsecrg.com/pages/vul/show.php?id=82
+ http://nam-en.apc.com/app/answers/detail/a_id/9539 ";
+
+ script_description(desc);
+ script_summary("Determine if APC PowerChute Network Shutdown is vulnerable to Cross Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 3052);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:3052);
+if(!port){
+ exit(0);
+}
+
+## Send and Receive the response
+req = http_get(item:"/security/loginform", port:port);
+res = http_send_recv(port:port, data:req);
+
+## Confirm the application
+if("PowerChute Business Edition" >< res)
+{
+ ## Construct attack request
+ url = '/security/applet?referrer="><script>alert(document.cookie)</script>';
+
+ ## Try XSS Attack and check the response to confirm vulnerability
+ if(http_vuln_check(port: port, url: url, check_header: TRUE,
+ pattern:"><script>alert\(document.cookie\)</script>")) {
+ security_warning(port);
+ }
+}
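Review bot: The application fingerprint `"PowerChute Business Edition" >< res` does not agree with the script name and summary, which target PowerChute Network Shutdown, nor with the affected-software line, which names "PowerChute Business Edition Shutdown"; if the Network Shutdown login form does not contain that exact string the XSS check is never reached. Decide which product the check is for and make the name, the affected-software text and the fingerprint consistent, or accept both with `("PowerChute Business Edition" >< res || "PowerChute Network Shutdown" >< res)` if both are known to expose `/security/applet`. The confirmation pattern should also escape the dot, `alert\(document\.cookie\)`, to match the stricter form used elsewhere in the script.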
Added: trunk/openvas-plugins/scripts/secpod_apc_pcns_http_response_splitting_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apc_pcns_http_response_splitting_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_apc_pcns_http_response_splitting_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,101 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_apc_pcns_http_response_splitting_vuln.nasl 17489 2011-09-29 15:15:15Z sep $
+#
+# APC PowerChute Network Shutdown HTTP Response Splitting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902579);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(33924);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("APC PowerChute Network Shutdown HTTP Response Splitting Vulnerability");
+ desc = "
+ Overview: The host is running APC PowerChute Network Shutdown and is prone
+ to HTTP response splitting vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused by improper validation of user-supplied input passed via
+ the 'page' parameter in 'contexthelp', which allows attackers to perform
+ unspecified actions by tricking a user into visiting a malicious web site.
+
+ Impact:
+ Successful exploitation will let the attacker to perform unspecified actions
+ by tricking a user into visiting a malicious web site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ APC PowerChute Business Edition Shutdown 6.0.0, 7.0.1 and 7.0.2
+
+ Fix: No solution or patch is available as on 30th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.apc.com/products/family/index.cfm?id=127
+
+ References:
+ http://secunia.com/advisories/34066
+ http://xforce.iss.net/xforce/xfdb/48975
+ http://www.securityfocus.com/archive/1/501255
+ http://www.dsecrg.com/pages/vul/show.php?id=82
+ http://nam-en.apc.com/app/answers/detail/a_id/9539 ";
+
+ script_description(desc);
+ script_summary("Determine if APC PowerChute Network Shutdown is vulnerable to HTTP Response Splitting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 3052);
+ exit(0);
+}
+
+
+include("http_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:3052);
+if(!port){
+ exit(0);
+}
+
+## Send and Receive the response
+req = http_get(item:"/security/loginform", port:port);
+res = http_send_recv(port:port, data:req);
+
+## Confirm the application
+if("PowerChute Business Edition" >< res)
+{
+ ## Construct attack request
+ req = http_get(item:'/contexthelp?page=Foobar?%0d%0aOPENVAS_HEADER:testvalue',
+ port:port);
+ ## Send Attack
+ res = http_send_recv(port:port, data:req);
+
+ ## Confirm Exploit Worked by Checking The Response
+ if(ereg(pattern:"^HTTP/[0-9]\.[0-9] 302 .*", string:res) &&
+ ('Location: help/english//Foobar?' >< res) &&
+ ('OPENVAS_HEADER:testvalue' >< res)){
+ security_warning(port);
+ }
+}
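Review bot: The confirmation at the end of the hunk searches the whole response for `OPENVAS_HEADER:testvalue`, so a server that merely echoes the `page` value into the redirect body or an error page would satisfy it with no header injection at all, giving a false positive. Restrict the marker checks to the header block, e.g. `hdrs = res - strstr(res, '\r\n\r\n');` and then test `'OPENVAS_HEADER:testvalue' >< hdrs` (the `Location:` check can use `hdrs` too). The description also lists the affected product as "PowerChute Business Edition Shutdown" while the script name and summary say "Network Shutdown"; the same wording appears in the XSS test in this commit, so one of the two looks copied over and should be reconciled before this ships.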
Added: trunk/openvas-plugins/scripts/secpod_dokuwiki_php_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_dokuwiki_php_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_dokuwiki_php_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_dokuwiki_php_info_disc_vuln.nasl 17463 2011-09-26 16:05:33Z sep $
+#
+# DokuWiki '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902734);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3727");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("DokuWiki '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running DokuWiki and is prone to information disclosure
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ DokuWiki version 2009-12-25c.
+
+ Fix: No solution or patch is available as on 26th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.splitbrain.org/projects/dokuwiki
+
+ References:
+ http://www.security-database.com/detail.php?alert=CVE-2011-3727
+ https://www.infosecisland.com/alertsview/16752-CVE-2011-3727-dokuwiki.html
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/dokuwiki-2009-12-25c ";
+
+ script_description(desc);
+ script_summary("Check DokuWiki is prone to path disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("gb_dokuwiki_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+dwPort = get_http_port(default:80);
+if(!dwPort){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:dwPort)) {
+ exit(0);
+}
+
+## Get the version from KB
+dwDir = get_dir_from_kb(port:dwPort, app:"DokuWiki");
+if(!dwDir){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dwDir + "/lib/tpl/index.php";
+
+## Try attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:dwPort, url:url, pattern:"<b>Warning</b>: define\(\)" +
+ " expects at least 2 parameters.*lib/tpl/index.php")){
+ security_warning(dwPort);
+}
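Review bot: The comment `## Get the version from KB` above the `get_dir_from_kb()` call does not describe the code, which fetches the install directory rather than a version; `## Get the install directory from KB` is what it does, and the same mislabeled comment appears in the dotProject test later in this commit. `version_func.inc` is included but nothing from it appears to be referenced here (nor in the dotProject test), so the include can probably go. Minor: `Check DokuWiki is prone to path disclosure vulnerability` reads better as `Check if DokuWiki is prone to a path disclosure vulnerability`.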
Added: trunk/openvas-plugins/scripts/secpod_dolphin_php_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_dolphin_php_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_dolphin_php_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_dolphin_php_info_disc_vuln.nasl 17464 2011-09-27 10:05:33Z sep $
+#
+# Dolphin '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902735);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3728");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Dolphin '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running Dolphin and is prone to information disclosure
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Dolphin version 7.0.4
+
+ Fix: No solution or patch is available as on 27th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.boonex.com/dolphin
+
+ References:
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/Dolphin-7.0.4 ";
+
+ script_description(desc);
+ script_summary("Check Dolphin is prone to path disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+dolPort = get_http_port(default:80);
+if(!dolPort){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:dolPort)){
+ exit(0);
+}
+
+foreach path (make_list("/dolphin", "", cgi_dirs()))
+{
+ ## Check for the possible paths
+ sndReq = http_get(item:string(path, "/index.php"), port:dolPort);
+ rcvRes = http_send_recv(port:dolPort, data:sndReq);
+
+ ## Confirm application
+ if("<title>dolphin</title>" >< rcvRes)
+ {
+ ## Construct the exploit request
+ url = path + "/xmlrpc/BxDolXMLRPCProfileView.php";
+
+ ## Try attack and check the installation path in response.
+ if(http_vuln_check(port:dolPort, url:url, pattern:"<b>Fatal error</b>: " +
+ "require_once\(\) \[<a href='function.require'>function.require</a>\]:"+
+ " Failed opening required.*xmlrpc/BxDolXMLRPCProfileView.php")){
+ security_warning(dolPort);
+ exit(0);
+ }
+ }
+}
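Review bot: The application fingerprint `"<title>dolphin</title>" >< rcvRes` is a case-sensitive substring match, so if the Dolphin index page emits its title with any capitalisation other than all-lowercase the loop never reaches the path check and the test silently reports nothing. Compare against a lower-cased copy instead, `if("<title>dolphin</title>" >< tolower(rcvRes))`, so detection does not hinge on the exact casing of the page title. A one-line comment saying the fingerprint is deliberately case-insensitive would help the next maintainer.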
Added: trunk/openvas-plugins/scripts/secpod_dotproject_php_file_install_path_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_dotproject_php_file_install_path_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_dotproject_php_file_install_path_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_dotproject_php_file_install_path_disc_vuln.nasl 17465 2011-09-26 13:05:33Z sep $
+#
+# dotProject '.php' Files Installation Path Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902733);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3729");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("dotProject '.php' Files Installation Path Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running dotProject and is prone to path disclosure
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ dotProject version 2.1.4
+
+ Fix: No solution or patch is available as on 26th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.dotproject.net
+
+ References:
+ https://www.infosecisland.com/alertsview/16750-CVE-2011-3729-dotproject.html
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/dotproject-2.1.4
+ http://securityswebblog.blogspot.com/2011/09/vulnerability-summary-for-cve-2011-3729.html ";
+
+ script_description(desc);
+ script_summary("Check dotProject is prone to path disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("gb_dotproject_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+dpPort = get_http_port(default:80);
+if(!dpPort){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:dpPort)) {
+ exit(0);
+}
+
+## Get the version from KB
+dotDir = get_dir_from_kb(port:dpPort,app:"dotProject");
+if(!dotDir){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dotDir + "/fileviewer.php";
+
+## Try attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:dpPort, url:url, pattern:"<b>Fatal error</b>: Call" +
+ " to undefined method.*fileviewer.php")){
+ security_warning(port:dpPort);
+}
Added: trunk/openvas-plugins/scripts/secpod_drupal_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_drupal_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_drupal_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,98 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_drupal_info_disc_vuln.nasl 17466 2011-09-27 12:12:12Z sep $
+#
+# Drupal Information Disclosure Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902574);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3730");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Drupal Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running Drupal and is prone to information disclosure
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to insufficient error checking, allows remote
+ attackers to obtain sensitive information via a direct request to a .php
+ file, which reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to obtain sensitive information
+ that could aid in further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Drupal Version 7.0
+
+ Fix: No solution or patch is available as on 27th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://drupal.org/
+
+ References:
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/!_README
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/drupal-7.0 ";
+
+ script_description(desc);
+ script_summary("Determine if Drupal is vulnerable to Information Disclosure");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("drupal_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+if(dir = get_dir_from_kb(port:port,app:"drupal"))
+{
+ ## Construct attack request
+ url = dir + "/modules/simpletest/tests/upgrade/drupal-6.upload.database.php";
+
+ ## Try Attack and check the response to confirm vulnerability
+ if(http_vuln_check(port:port, url:url, check_header: TRUE,
+ pattern:"<b>Fatal error</b>: Call to undefined function db_insert\(\)" +
+ " in .*drupal-6.upload.database.php")) {
+ security_warning(port);
+ }
+}
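Review bot: The `if(dir = get_dir_from_kb(port:port,app:"drupal"))` condition hides an assignment inside the test, which reads like a comparison typo and differs from the `dir = ...; if(!dir){ exit(0); }` shape used by the DokuWiki and dotProject tests in this same commit; the e107 test uses the identical construct. Assign first and then guard, `dir = get_dir_from_kb(port:port, app:"drupal");` followed by `if(!dir) exit(0);`, so the scripts read the same way. If I read `http_vuln_check` right, `check_header: TRUE` only widens the match to the headers; the matched `Fatal error` text is body content, so the flag can be dropped here, though it is harmless.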
Added: trunk/openvas-plugins/scripts/secpod_e107_mult_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_e107_mult_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_e107_mult_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_e107_mult_php_files_info_disc_vuln.nasl 17467 2011-09-27 13:13:13Z sep $
+#
+# e107 Multiple PHP Files Information Disclosure Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902575);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3731");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("e107 Multiple PHP Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running e107 and is prone to information disclosure
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to insufficient error checking, allows remote
+ attackers to obtain sensitive information via a direct request to a
+ '.php' file, which reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to obtain sensitive information
+ that could aid in further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ e107 version 0.7.24
+
+ Fix: No solution or patch is available as on 27th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://e107.org/edownload.php
+
+ References:
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/!_README
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/e107_0.7.24 ";
+
+ script_description(desc);
+ script_summary("Determine if e107 is vulnerable to Information Disclosure");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("e107_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+if(dir = get_dir_from_kb(port:port,app:"e107"))
+{
+ ## Construct attack request
+ url = dir + "/e107_plugins/pdf/e107pdf.php";
+
+ ## Try Attack and check the response to confirm vulnerability
+ if(http_vuln_check(port:port, url:url, check_header: TRUE,
+ pattern:"<b>Fatal error</b>: Class 'UFPDF' not found in .*e107pdf.php")){
+ security_warning(port);
+ }
+}
Added: trunk/openvas-plugins/scripts/secpod_exo_php_desk_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_exo_php_desk_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_exo_php_desk_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,103 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_exo_php_desk_php_files_info_disc_vuln.nasl 17469 2011-09-27 13:35:33Z sep $
+#
+# ExoPHPDesk '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902736);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3736");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("ExoPHPDesk '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running ExoPHPDesk and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ ExoPHPDesk version 1.2.1
+
+ Fix: No solution or patch is available as on 27th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://exoscripts.com/exohelpdesk
+
+ References:
+ https://www.infosecisland.com/alertsview/16767-CVE-2011-3736-exophpdesk.html
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ExoPHPDesk_1.2.1
+ http://securityswebblog.blogspot.com/2011/09/vulnerability-summary-for-cve-2011-3736_26.html ";
+
+ script_description(desc);
+ script_summary("Check ExoPHPDesk is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+foreach dir (make_list("/ExoPHPDesk", "/", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "/index.php"), port:port);
+ rcvRes = http_send_recv(port:port, data:sndReq);
+
+ ## Conform the application
+ if("<title>EXO PHPDesk<" >< rcvRes || ">Powered by ExoPHPDesk" >< rcvRes)
+ {
+ ## Construct the Attack Request
+ url = dir + "/upgrades/upgrade9.php";
+
+ ## Try attack and check the installation path in response.
+ if(http_vuln_check(port:port, url:url, pattern:"<b>Fatal error</b>: " +
+ "Call to a member function query().*upgrades/upgrade9.php"))
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+}
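Review bot: The regex on the `http_vuln_check` line leaves the parentheses in `query()` unescaped, so in regex terms they form an empty group and the pattern only requires the text `query` followed by the rest; the Dolphin test in this commit escapes them as `\(\)` and this one should too: `"Call to a member function query\(\).*upgrades/upgrade9.php"`. The path list also uses `"/"` as the bare web-root entry, which yields `//index.php` and `//upgrades/upgrade9.php`; the other tests use `""` for that case, so `make_list("/ExoPHPDesk", "", cgi_dirs())` would be consistent. Typo in the comment: `## Conform the application` should be `## Confirm the application`, also present in the eyeOS test.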
Added: trunk/openvas-plugins/scripts/secpod_eyeos_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_eyeos_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_eyeos_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_eyeos_php_files_info_disc_vuln.nasl 17469 2011-09-29 17:45:33Z sep $
+#
+# eyeOS '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902744);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3737");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("eyeOS '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running eyeOS and is prone to information disclosure
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ eyeOS version 2.2.0.0
+
+ Fix: No solution or patch is available as on 29th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.eyeos.org/
+
+ References:
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/eyeOS-2.2.0.0
+ http://securityswebblog.blogspot.com/2011/09/vulnerability-summary-for-cve-2011-3737.html ";
+
+ script_description(desc);
+ script_summary("Check eyeOS is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+foreach dir (make_list("/eyeos", "", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "/index.php"), port:port);
+ rcvRes = http_send_recv(port:port, data:sndReq);
+
+ ## Conform the application
+ if("<title>Welcome to eyeos" >< rcvRes)
+ {
+ ## Construct the Attack Request
+ url = dir + "/eyeos/apps/rmail/webmail/program/lib/Net/SMTP.php";
+
+ ## Try attack and check the installation path in response.
+ if(http_vuln_check(port:port, url:url, pattern:"<b>Fatal error</b>: " +
+ "require_once() \[<a href='function.require'>function." +
+ "require</a>\]: Failed opening required 'PEAR.php'.*" +
+ "apps/rmail/webmail/program/lib/Net/SMTP.php"));
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+}
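Review bot: The `if(http_vuln_check(...))` on the last lines of the hunk is terminated by a stray `;` after the closing `)` (`"apps/rmail/webmail/program/lib/Net/SMTP.php"));`), so the condition governs an empty statement and the following `{ security_warning(port:port); exit(0); }` block runs unconditionally for every host whose index page matches the eyeOS title, a guaranteed false positive on patched installs. Drop the semicolon: `"apps/rmail/webmail/program/lib/Net/SMTP.php"))`. The parentheses in `require_once()` inside the pattern are also unescaped, unlike `require_once\(\)` in the Dolphin test, so the pattern should use `\(\)` there as well.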
Added: trunk/openvas-plugins/scripts/secpod_feng_office_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_feng_office_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_feng_office_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_feng_office_php_files_info_disc_vuln.nasl 17469 2011-09-29 17:55:33Z sep $
+#
+# Feng Office '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902745);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3738");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Feng Office '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running Feng Office and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Feng Office version 1.7.2
+
+ Fix: No solution or patch is available as on 29th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.fengoffice.com/web/
+
+ References:
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/fengoffice_1.7.2
+ http://securityswebblog.blogspot.com/2011/09/vulnerability-summary-for-cve-2011-3738_26.html ";
+
+ script_description(desc);
+ script_summary("Check Feng Office is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+foreach dir (make_list("/fengoffice", "", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "/public/tools/index.php"), port:port);
+ rcvRes = http_send_recv(port:port, data:sndReq);
+ ## Conform the application
+ if(">Feng Office tools<" >< rcvRes || ">Translate Feng Office<" >< rcvRes)
+ {
+ ## Construct the Attack Request
+ url = dir + "/public/upgrade/templates/layout.php";
+
+ ## Try attack and check the installation path in response.
+ if(http_vuln_check(port:port, url:url, pattern:"<b>Fatal error</b>: Call" +
+ " to undefined function clean() in.*public/upgrade/" +
+ "templates/layout.php"));
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+}
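Review bot: The trailing semicolon on L1677, `"templates/layout.php"));`, ends the `if` statement before its braces, so the block on L1678–L1681 runs unconditionally and the script reports every host on which the Feng Office tools page was fingerprinted, whatever http_vuln_check() returned. Drop the semicolon so the line reads `"templates/layout.php"))`. The same stray `;` closes the http_vuln_check() call in the WSN Software Directory script (L2295) and in the eyeOS script (L1570), with the same false-positive effect.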
Added: trunk/openvas-plugins/scripts/secpod_freeway_php_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_freeway_php_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_freeway_php_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,103 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_freeway_php_info_disc_vuln.nasl 17469 2011-09-27 13:35:33Z sep $
+#
+# Freeway '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902737);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3739");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("Freeway '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running Freeway and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Freeway version 1.5 Alpha.
+
+ Fix: No solution or patch is available as on 27th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.openfreeway.org
+
+ References:
+ http://www.security-database.com/detail.php?alert=CVE-2011-3739
+ http://yehg.net/lab/pr0js/advisories/path_disclosure/freeway_1_5_alpha_Burstow
+ http://securityswebblog.blogspot.com/2011/09/vulnerability-summary-for-cve-2011-3739_26.html ";
+
+ script_description(desc);
+ script_summary("Check Freeway is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+foreach dir (make_list("/freeway", "", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "/admin/login.php"), port:port);
+ rcvRes = http_send_recv(port:port, data:sndReq);
+
+ ## Conform the application
+ if("<title>Freeway</title>" >< rcvRes)
+ {
+ ## Construct the Attack Request
+ url = dir + "/templates/Freeway/boxes/last_product.php";
+
+ ## Try attack and check the installation path in response.
+ if(http_vuln_check(port:port, url:url, pattern:"<b>Parse error</b>: " +
+ "syntax error, unexpected .*templates/Freeway/boxes/last_product.php"))
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+}
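Review bot: The comment on L1777, `## Conform the application`, should read `## Confirm the application`; the same copy-pasted wording appears at L1668, L1560 and L2285. This is the only script of the four in this family whose http_vuln_check() condition is syntactically tied to the `security_warning` block (L1784–L1789), so its logic is fine as written.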
Added: trunk/openvas-plugins/scripts/secpod_mantis_mult_lfi_n_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_mantis_mult_lfi_n_xss_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_mantis_mult_lfi_n_xss_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,102 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_mantis_mult_lfi_n_xss_vuln.nasl 17341 2011-09-30 12:12:12 sep $
+#
+# MantisBT Multiple Local File Include and Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902573);
+ script_version("$Revision: 1.0$");
+ script_bugtraq_id(49448);
+ script_cve_id("CVE-2011-3356", "CVE-2011-3357", "CVE-2011-3358", "CVE-2011-3578");
+ script_tag(name:"cvss_base", value:"6.8");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("MantisBT Multiple Local File Include and Cross Site Scripting Vulnerabilities");
+ desc = "
+ Overview: This host is running MantisBT and is prone to multiple local file
+ include and cross-site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ - Input appended to the URL after manage_config_email_page.php,
+ manage_config_workflow_page.php and bugs/plugin.php is not properly
+ sanitised before being returned to the user.
+ - Input passed to the 'action' parameter in bug_actiongroup_ext_page.php
+ and bug_actiongroup_page.php is not properly verified before being used
+ to include files.
+ - Input passed to the 'os', 'os_build', and 'platform' parameters in
+ bug_report_page.php and bug_update_advanced_page.php is not properly
+ sanitised before being returned to the user.
+
+ Impact:
+ Successful exploitation will allow attackers to conduct cross-site scripting
+ attacks and disclose potentially sensitive information.
+
+ Impact Level: Application
+
+ Affected Software:
+ MantisBT versions prior to 1.2.8
+
+ Fix: Upgrade to MantisBT version 1.2.8 or later.
+ For updates refer, http://www.mantisbt.org/download.php
+
+ References:
+ http://secunia.com/advisories/45829/
+ http://www.mantisbt.org/bugs/view.php?id=13191
+ http://www.mantisbt.org/bugs/view.php?id=13281
+ https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of MantisBT");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_dependencies("mantis_detect.nasl");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get HTTP Port
+mantisPort = get_http_port(default:80);
+if(!get_port_state(mantisPort)){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:mantisPort)){
+ exit(0);
+}
+
+## GET the version from KB
+mantisVer = get_version_from_kb(port:mantisPort,app:"mantis");
+if(mantisVer)
+{
+ ## Check for the MantisBT versions prior to 1.2.8
+ if(version_is_less(version:mantisVer, test_version:"1.2.8")){
+ security_hole(mantisPort);
+ }
+}
Added: trunk/openvas-plugins/scripts/secpod_timelive_time_and_expense_tracking_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_timelive_time_and_expense_tracking_mult_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_timelive_time_and_expense_tracking_mult_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,94 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_timelive_time_and_expense_tracking_mult_vuln.nasl 17531 2011-09-29 16:50:01Z sep $
+#
+# TimeLive Time and Expense Tracking Multiple Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902481);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"cvss_base", value:"6.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("TimeLive Time and Expense Tracking Multiple Vulnerabilities");
+ desc = "
+ Overview: The host is running TimeLive Time and Expense Tracking and is prone
+ to multiple vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are caused due to an error in 'FileDownload.aspx', when
+ processing the 'FileName' parameter.
+
+ Impact:
+ Successful exploitation will let the attacker to download the complete
+ database of users information including email addresses, usernames and
+ passwords and associated timesheet and expense data.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ TimeLive Time and Expense Tracking version 4.2.1 and prior.
+
+ Fix: No solution/patch is available as on 29th September, 2011. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://www.livetecs.com
+
+ References:
+ http://www.exploit-db.com/exploits/17900/
+ http://packetstormsecurity.org/files/view/105363/timelivetet-traversaldisclose.txt
+ http://securityswebblog.blogspot.com/2011/09/timelive-time-and-expense-tracking-411.html ";
+
+ script_description(desc);
+ script_summary("Check for the Information disclosure vulnerability in TimeLive");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("General");
+ script_dependencies("secpod_timelive_time_n_expense_tracking_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Get Tembria Server Monitor Port
+tlPort = get_http_port(default:80);
+if(!tlPort){
+ exit(0);
+}
+
+## Get the installed path
+if(!dir = get_dir_from_kb(port:tlPort, app:"TimeLive")){
+ exit(0);
+}
+
+## Construct the attack string
+sndReq = http_get(item:string(dir, "/Shared/FileDownload.aspx?FileName" +
+ "=..\web.config"), port:tlPort);
+rcvRes = http_send_recv(port:tlPort, data:sndReq);
+
+## Confirm the exploit
+if('All Events' >< rcvRes && 'Logging Application Block' >< rcvRes){
+ security_hole(tlPort);
+}
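Review bot: The comment on L1978, `## Get Tembria Server Monitor Port`, names a different product and looks copied from another plugin; it should read `## Get the TimeLive HTTP port`. The request on L1990 prepends `/Shared/...` to `dir`, but the companion detection script (L2067) stores directories with a trailing slash, so the resulting path presumably begins with a double slash unless get_dir_from_kb() normalises it — worth confirming against the KB value. The Fix paragraph on L1956 also reads "will updated" where "will be updated" is meant.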
Added: trunk/openvas-plugins/scripts/secpod_timelive_time_n_expense_tracking_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_timelive_time_n_expense_tracking_detect.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_timelive_time_n_expense_tracking_detect.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,86 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_timelive_time_n_expense_tracking_detect.nasl 17531 2011-09-29 16:04:29Z sep $
+#
+# TimeLive Time And Expense Tracking Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+
+if(description)
+{
+ script_id(902480);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("TimeLive Time And Expense Tracking Version Detection");
+ desc = "
+ Overview: This script detects the running version of TimeLive Time and
+ Expense Tracking and sets the result in KB ";
+
+ script_description(desc);
+ script_summary("Set KB for the Version of TimeLive Time And Expense Tracking");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Service detection");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("cpe.inc");
+include("http_func.inc");
+include("host_details.inc");
+
+
+## Get the default port
+tlPort = get_http_port(default:80);
+if(!tlPort){
+ tlPort = 80;
+}
+
+##Check the port status
+if(!get_port_state(tlPort)){
+ exit(0);
+}
+
+## make the list of possible paths
+foreach dir (make_list("/TimeLive/", "/TimeTracking/", "/", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "default.aspx"), port:tlPort);
+ rcvRes = http_send_recv(port:tlPort, data:sndReq);
+
+ ## Cinfirm the application
+ if("TimeLive - Online web timesheet and time tracking solution" >< rcvRes &&
+ "Livetecs LLC" >< rcvRes)
+ {
+ ## Match the version
+ tlVer = eregmatch(pattern:">v ([0-9.]+)", string:rcvRes);
+ if(tlVer[1] != NULL)
+ {
+ tmp_version = tlVer[1] + " under " + dir;
+
+ ## Set the version in KB
+ set_kb_item(name:"www/"+ tlPort + "/TimeLive", value:tmp_version);
+ security_note(data:"TimeLive Time version " + tlVer[1] + " running at " +
+ "location " + dir + " was detected on the host");
+ }
+ }
+}
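Review bot: The directory list on L2067 mixes trailing-slash entries (`"/TimeLive/"`, `"/"`) with cgi_dirs(), whose entries conventionally have no trailing slash, so `string(dir, "default.aspx")` on L2069 produces paths like `/cgi-bindefault.aspx` for those entries and the application is never found there. Use slash-free entries and add the separator in the request, e.g. `foreach dir (make_list("/TimeLive", "/TimeTracking", "", cgi_dirs()))` and `sndReq = http_get(item:string(dir, "/default.aspx"), port:tlPort);`, which also keeps the value stored on L2083 consistent with how the sibling vulnerability script concatenates it. The comment on L2072 has a typo: `## Cinfirm the application` → `## Confirm the application`.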
Added: trunk/openvas-plugins/scripts/secpod_wordpress_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_wordpress_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_wordpress_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_wordpress_php_files_info_disc_vuln.nasl 2011-09-26 13:05:33Z sep $
+#
+# WordPress '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902741);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3818");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("WordPress '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running WordPress and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ WordPress version 2.9.2 and 3.0.4
+
+ Fix: No solution or patch is available as on 29th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://wordpress.org/download/
+
+ References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=741301
+ https://www.infosecisland.com/alertsview/16806-CVE-2011-3818-wordpress.html
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/wordpress_2.9.2 ";
+
+ script_description(desc);
+ script_summary("Check WordPress is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("secpod_wordpress_detect_900182.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+## Get the version from KB
+dir = get_dir_from_kb(port:port,app:"WordPress");
+if(!dir){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/wp-admin/includes/user.php";
+
+## Try attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:port, url:url, pattern:"<b>Fatal error</b>: Call" +
+ " to undefined function add_action().*/wp-admin/" +
+ "includes/user.php")){
+ security_warning(port:port);
+}
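Review bot: `include("version_func.inc");` on L2165 brings in a library this script never calls — the check is purely the http_vuln_check() on L2188 — so the include can be dropped; the XOOPS script has the same unused include at L2377. The concatenation on L2185, `url = dir + "/wp-admin/includes/user.php";`, yields a double slash if the KB directory is the bare root `/`; whether the detection script stores `/` or an empty string is not visible here, so this is worth confirming.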
Added: trunk/openvas-plugins/scripts/secpod_wsn_software_dir_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_wsn_software_dir_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_wsn_software_dir_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_wsn_software_dir_php_files_info_disc_vuln.nasl 17481 2011-09-29 17:05:33Z sep $
+#
+# WSN Software Directory '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902743);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3820");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("WSN Software Directory '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running WSN Software Directory and is prone to
+ information disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ WSN Software Directory version 6.0.6
+
+ Fix: No solution or patch is available as on 29th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.wsnsoftwaredirectory.com/
+
+ References:
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/WSN_Software_6.0.6
+ http://itsecuritysolutions.org/2010-11-21_WSN_Software_6.0.6_multiple_vulnerabilities/ ";
+
+ script_description(desc);
+ script_summary("Check WSN Software Directory is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+foreach dir (make_list("/wsnsd", "/", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "/index.php"), port:port);
+ rcvRes = http_send_recv(port:port, data:sndReq);
+
+ ## Conform the application
+ if("<title>Software Directory </title>" >< rcvRes)
+ {
+ ## Construct the Attack Request
+ url = dir + "/includes/prestart.php";
+
+ ## Try attack and check the installation path in response.
+ if(http_vuln_check(port:port, url:url, pattern:"<b>Fatal error</b>: " +
+ "require_once() \[<a href='function.require'>function." +
+ "require</a>\]: Failed opening required 'scriptinfo.php'.*" +
+ "includes/prestart.php"));
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+}
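Review bot: The root entry on L2280 is `"/"`, unlike the sibling scripts that use `""` for the document root, so for that entry the fingerprint request on L2282 becomes `//index.php` and the check URL on L2289 becomes `//includes/prestart.php`. Change the list to `foreach dir (make_list("/wsnsd", "", cgi_dirs()))` so the paths are built the same way as in the other scripts of this commit.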
Added: trunk/openvas-plugins/scripts/secpod_xoops_php_files_info_disc_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_xoops_php_files_info_disc_vuln.nasl 2011-09-29 16:50:14 UTC (rev 11721)
+++ trunk/openvas-plugins/scripts/secpod_xoops_php_files_info_disc_vuln.nasl 2011-09-30 13:58:03 UTC (rev 11722)
@@ -0,0 +1,98 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_xoops_php_files_info_disc_vuln.nasl 17481 2011-09-29 15:05:33Z sep $
+#
+# XOOPS '.php' Files Information Disclosure Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902742);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-3822");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("XOOPS '.php' Files Information Disclosure Vulnerability");
+ desc = "
+ Overview: The host is running XOOPS and is prone to information
+ disclosure vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in certain '.php' files. A direct request
+ to these files reveals the installation path in an error message.
+
+ Impact:
+ Successful exploitation will let the attacker to gain sensitive information.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ XOOPS version 2.5.0
+
+ Fix: No solution or patch is available as on 29th September 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.xoops.org/
+
+ References:
+ https://www.infosecisland.com/alertsview/16802-CVE-2011-3822-xoops.html
+ http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/xoops-2.5.0 ";
+
+ script_description(desc);
+ script_summary("Check XOOPS is prone to information disclosure vulnerability");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("secpod_xoops_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+## Get the version from KB
+dir = get_dir_from_kb(port:port,app:"XOOPS");
+if(!dir){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/modules/system/xoops_version.php";
+
+## Try attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:port, url:url, pattern:"<b>Fatal error</b>: Class " +
+ "'XoopsLists' not found in.*modules/system/xoops_version.php")){
+ security_warning(port:port);
+}