[Openvas-commits] r13328 - in trunk/openvas-plugins: . scripts

scm-commit at wald.intevation.org scm-commit at wald.intevation.org
Mon Apr 23 13:41:05 CEST 2012 

Author: mime
Date: 2012-04-23 13:41:05 +0200 (Mon, 23 Apr 2012)
New Revision: 13328

Added:
   trunk/openvas-plugins/scripts/gb_citrix_xenserver_vswitch_controller_52641.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_apache_38494.nasl
   trunk/openvas-plugins/scripts/secpod_apache_detect.nasl
Log:
Added new plugin. Updated to modern version detection. Set extra key in kb if report_paranoia > 1. Removed check for report paranoia. Its now handled by secpod_apache_detect.nasl. Added script_require_keys().

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2012-04-23 11:38:27 UTC (rev 13327)
+++ trunk/openvas-plugins/ChangeLog	2012-04-23 11:41:05 UTC (rev 13328)
@@ -1,3 +1,16 @@
+2012-04-23  Michael Meyer <michael.meyer at greenbone.net>
+
+	* vscripts/gb_citrix_xenserver_vswitch_controller_52641.nasl:
+	Added new plugin.
+
+	* scripts/secpod_apache_detect.nasl:
+	Updated to modern version detection. Set extra key in kb if
+	report_paranoia > 1.
+
+	* scripts/gb_apache_38494.nasl:
+	Removed check for report paranoia. It's now handled by
+	secpod_apache_detect.nasl. Added script_require_keys().
+
 2012-04-20  Antu Sanadi <santu at secpod.com>
 
 	* scripts/gb_lussumo_vanilla_detect.nasl,

Modified: trunk/openvas-plugins/scripts/gb_apache_38494.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apache_38494.nasl	2012-04-23 11:38:27 UTC (rev 13327)
+++ trunk/openvas-plugins/scripts/gb_apache_38494.nasl	2012-04-23 11:41:05 UTC (rev 13328)
@@ -64,15 +64,13 @@
  script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
  script_dependencies("secpod_apache_detect.nasl");
  script_require_ports("Services/www", 80);
+ script_require_keys('apache/installed'); # key is only present if report_paranoia is > 1
  exit(0);
 }
 
 include("http_func.inc");
 include("version_func.inc");
-include("global_settings.inc");
 
-if ( report_paranoia < 2 ) exit(0); # this nvt is prone to FP.
-
 httpdPort = get_http_port(default:80);
 if(!httpdPort){
   exit(0);

Added: trunk/openvas-plugins/scripts/gb_citrix_xenserver_vswitch_controller_52641.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_citrix_xenserver_vswitch_controller_52641.nasl	                        (rev 0)
+++ trunk/openvas-plugins/scripts/gb_citrix_xenserver_vswitch_controller_52641.nasl	2012-04-23 11:41:05 UTC (rev 13328)
@@ -0,0 +1,153 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Citrix XenServer vSwitch Controller Component Multiple Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103474);
+ script_bugtraq_id(52641);
+ script_version ("$Revision$");
+
+ script_name("Citrix XenServer vSwitch Controller Component Multiple Vulnerabilities");
+
+desc = "Overview:
+Citrix XenServer is prone to multiple unspecified vulnerabilities.
+
+The impact of these issues is currently unknown. We will update this
+BID when more information emerges.
+
+Citrix XenServer versions 5.6, 5.6 FP 1, 5.6 SP 2, and 6 are
+vulnerable.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/52641
+http://www.citrix.com/English/ps2/products/feature.asp?contentID=1686939
+http://support.citrix.com/article/CTX132476";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-04-23 11:36:51 +0200 (Mon, 23 Apr 2012)");
+ script_description(desc);
+ script_summary("Determine if CSRF tokens used");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 443);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+   
+port = get_http_port(default:443);
+if(!get_port_state(port))exit(0);
+
+transport = get_port_transport(port);
+
+dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+
+  soc = open_sock_tcp(port, transport:transport);
+  if(!soc)exit(0);
+
+  url = dir + '/login';
+  req = http_get(item:url, port:port);
+
+  send(socket:soc, data: req);
+  buf = recv(socket:soc, length: 1024);
+
+  close(soc);
+
+  if("DVSC_MGMT_UI_SESSION" >!< buf && buf !~ "<title>.*DVS.*Controller") {
+    continue;
+  }  
+
+  soc = open_sock_tcp(port, transport:transport);
+  if(!soc)exit(0);
+
+  url = dir + '/static/';
+  req = http_get(item:url, port:port);
+
+  send(socket:soc, data: req);
+  buf = recv(socket:soc,length:2048);
+  close(soc);
+
+  if("Directory listing for /static" >!< buf) {
+    continue;
+  } 
+
+  lines = split(buf);
+  locs = make_list();
+
+  foreach line (lines) {
+
+    if(locs = eregmatch(pattern:'<a href="([0-9]+)/">', string:line)) {
+
+      loc[i++] = locs[1];
+
+    }  
+
+  }  
+
+  foreach l (loc) {
+
+    soc = open_sock_tcp(port, transport:transport);
+    if(!soc)exit(0);
+
+    url = '/static/' + l + '/nox/ext/apps/vmanui/main.js';
+    req = http_get(item:url, port:port);
+    send(socket:soc, data: req);
+
+    while(buf = recv(socket:soc,length:1024)) {
+      recv += buf;
+    }  
+
+    close(soc);
+
+    if('dojo.provide("nox.ext.apps.vmanui.main")' >< recv) {
+
+      if("X-CSRF-Token" >!< recv && "oCsrfToken" >!< recv) {
+        security_warning(port:port);
+        exit(0);
+      }  
+
+    }  
+    
+  }  
+
+}  
+
+
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/gb_citrix_xenserver_vswitch_controller_52641.nasl
___________________________________________________________________
Added: svn:keywords
   + Id Revision Date

Modified: trunk/openvas-plugins/scripts/secpod_apache_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apache_detect.nasl	2012-04-23 11:38:27 UTC (rev 13327)
+++ trunk/openvas-plugins/scripts/secpod_apache_detect.nasl	2012-04-23 11:41:05 UTC (rev 13328)
@@ -24,9 +24,11 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 ###############################################################################
 
+SCRIPT_OID  = "1.3.6.1.4.1.25623.1.0.900498";
+
 if(description)
 {
-  script_id(900498);
+  script_oid(SCRIPT_OID);
   script_version("$Revision$");
   script_tag(name:"last_modification", value:"$Date$");
   script_tag(name:"creation_date", value:"2009-04-30 06:40:16 +0200 (Thu, 30 Apr 2009)");
@@ -50,9 +52,9 @@
 include("http_func.inc");
 include("cpe.inc");
 include("host_details.inc");
+include("global_settings.inc");
 
 ## Constant values
-SCRIPT_OID  = "1.3.6.1.4.1.25623.1.0.900498";
 SCRIPT_DESC = "Apache Web ServerVersion Detection";
 
 port = get_http_port(default:80);
@@ -67,14 +69,22 @@
 
 apacheVer = eregmatch(pattern:"Server: Apache/([0-9]\.[0-9]+\.[0-9][0-9]?)",
                       string:banner);
-if(apacheVer[1] != NULL){
+
+if(apacheVer[1] != NULL) {
   set_kb_item(name:"www/" + port + "/Apache", value:apacheVer[1]);
-  security_note(data:"Apache Web Server version " + apacheVer[1] +
-                                                 " was detected on the host");
+
+  if ( report_paranoia > 1 ) { # run depending nvts only if report_paranoia is > 1 to avoid false positives against backports
+    set_kb_item(name:'apache/installed', value:TRUE);
+  }  
    
   ## build cpe and store it as host_detail
   cpe = build_cpe(value:apacheVer[1], exp:"^([0-9.]+)", base:"cpe:/a:apache:http_server:");
   if(!isnull(cpe))
      register_host_detail(name:"App", value:cpe, nvt:SCRIPT_OID, desc:SCRIPT_DESC);
 
+  log_message(data:'Detected Apache version ' + apacheVer[1] + 
+                   '\nCPE: ' + cpe + 
+                   '\n\nConcluded from version identification result:\n' + banner
+                   );
+
 }

More information about the Openvas-commits mailing list