[Openvas-commits] r12430 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Jan 6 14:28:08 CET 2012


Author: antu123
Date: 2012-01-06 14:28:01 +0100 (Fri, 06 Jan 2012)
New Revision: 12430

Added:
   trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl
   trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl
   trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl
   trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/GlassFish_detect.nasl
   trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl
Log:
Added new plugins; updated CVE and CVSS.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/ChangeLog	2012-01-06 13:28:01 UTC (rev 12430)
@@ -1,3 +1,22 @@
+2012-01-06  Antu Sanadi <santu at secpod.com>
+
+	* scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl,
+	scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl,
+	scripts/gb_glassfish_hash_collision_dos_vuln.nasl,
+	scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl,
+	scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl,
+	scripts/gb_phpb2b_q_param_xss_vuln.nasl,
+	scripts/gb_sqlitemanager_mult_xss_vuln.nasl,
+	scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl,
+	scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl:
+	Added new plugins.
+
+	* scripts/GlassFish_detect.nasl:
+	Updated to detect recent versions.
+
+	* scripts/gb_cocsoft_stream_down_bof_vuln.nasl:
+	Updated CVE and CVSS.
+
 2012-01-06  Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/gb_ImpressPages_49798.nasl:

Modified: trunk/openvas-plugins/scripts/GlassFish_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/GlassFish_detect.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/GlassFish_detect.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -9,6 +9,7 @@
 #
 # Updated by: Antu Sanadi <santu at secpod.com> on 2010-01-31
 # Updated to detect recent versions (3.x)
+# Updated to to read the data from index.html, on 2012-01-06
 #
 # Copyright:
 # Copyright (c) 2009 Greenbone Networks GmbH
@@ -45,7 +46,7 @@
  script_tag(name:"creation_date", value:"2009-05-10 17:01:14 +0200 (Sun, 10 May 2009)");
  script_tag(name:"risk_factor", value:"None");
 
- script_name("GlassFish Server Detection");  
+ script_name("GlassFish Server Detection"); 
 
  script_description(desc);
  script_summary("Checks for the presence of GlassFish Server");
@@ -72,14 +73,15 @@
 
 if(!get_port_state(port))exit(0);
 
- url = string("/");
+ url = string("/index.html");
  req = http_get(item:url, port:port);
  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
- 
+
  if( buf == NULL )continue;
- if( egrep(pattern: 'Server:.*GlassFish.*', string: buf, icase: TRUE) )
- { 
-   
+ if( egrep(pattern: '.*GlassFish.*', string: buf, icase: TRUE) ||
+     egrep(pattern: 'Server:.*GlassFish.*', string: buf, icase: TRUE))
+ {
+
     vers = string("unknown");
 
     version = eregmatch(string: buf, pattern: 'Server:.*GlassFish[^0-9]+v([0-9.]+)',icase:TRUE);
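Review bot: The new first branch `egrep(pattern: '.*GlassFish.*', string: buf, icase: TRUE)` already matches every response the retained `Server:.*GlassFish.*` test matches, so the second branch is dead, and the body-wide case-insensitive match now turns any /index.html that merely mentions GlassFish into a detection. Because the version regex on the following line still requires the `Server:` header, such a hit leaves `vers` at `unknown`, and that value is stored under `www/<port>/GlassFish` further down (outside this hunk) where the version-based checks added in this commit consume it; their result then depends on how version_is_less_equal treats a non-numeric string, which is worth confirming. If the intent is to also catch installations that suppress the Server header, I would anchor the body match on a more specific marker than the bare product name and drop the redundant second egrep. The enclosing block starts before this hunk.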
@@ -101,28 +103,27 @@
       set_kb_item(name: string("GlassFishAdminConsole/port"), value: port);
     }  else {
       set_kb_item(name: string("www/", port, "/GlassFish"), value: vers);	
-   
+
       ## build cpe and store it as host_detail
       cpe = build_cpe(value:vers, exp:"^([0-9.]+)", base:"cpe:/a:sun:glassfish");
       if(!isnull(cpe))
          register_host_detail(name:"App", value:cpe, nvt:SCRIPT_OID, desc:SCRIPT_DESC);
 
-    }  
+    }
 
     info = string("\n\nGlassFish Version '");
     info += string(vers);
     info += string("' was detected on the remote host\n");
 
-    desc = desc + info;    
-       
+    desc = desc + info;
+
        if(report_verbosity > 0) {
-	 if(report) {
-	  desc = report;
-	 }  
+  if(report) {
+   desc = report;
+  }
          security_note(port:port,data:string(desc));
        }
        exit(0);
-  
- }
+  }
 
 exit(0);


Property changes on: trunk/openvas-plugins/scripts/GlassFish_detect.nasl
___________________________________________________________________
Name: svn:keywords
   - Author Date Id Revision
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,121 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Attachmate Reflection FTP Client LIST Command Remote Heap Buffer Overflow Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802371);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-5012");
+  script_bugtraq_id(50691);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-01-05 16:57:58 +0530 (Thu, 05 Jan 2012)");
+  script_name("Attachmate Reflection FTP Client LIST Command Remote Heap Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host is installed with Attachmate Reflection FTP Client and
+  is prone to buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to boundary error in the Reflection FTP client in
+  rftpcom.dll, which fails to process filenames within a directory listing.
+
+  Impact:
+  Successful exploitation will let the attacker to execution of arbitrary code.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Attachmate Reflection 2008
+  Attachmate Reflection 2011 R1 before 15.3.2.569
+  Attachmate Reflection 2011 R2 before 15.4.1.327
+  Attachmate Reflection 14.1 SP1 before 14.1.1.206
+  Attachmate Reflection Windows Client 7.2 SP1 before hotfix 7.2.1186
+
+  Fix:
+  Upgrade to the latest version or apply the fix,
+  For updates refer, http://support.attachmate.com/techdocs/1708.html
+
+  *****
+  NOTE : Ignore this warning, if above mentioned patch is applied already.
+  *****
+
+  References:
+  http://osvdb.org/77189
+  http://secunia.com/advisories/46879
+  http://xforce.iss.net/xforce/xfdb/71330
+  http://www.securitytracker.com/id?1026340
+  http://www.exploit-db.com/exploits/18119/
+  http://support.attachmate.com/techdocs/2288.html
+  http://support.attachmate.com/techdocs/2502.html
+  http://support.attachmate.com/techdocs/1708.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Attachmate Reflection FTP Client");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+## Get version from Registry
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(!registry_key_exists(key:key)){
+  exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+  refName = registry_get_sz(key:key + item, item:"DisplayName");
+  if("Attachmate Reflection" >< refName)
+  {
+    refVer = registry_get_sz(key:key + item, item:"DisplayVersion");
+    if(refVer != NULL)
+    {
+      ## Check for version's
+      if(version_in_range(version:refVer, test_version:"15.3", test_version2:"15.3.569.0") ||
+         version_in_range(version:refVer, test_version:"15.4", test_version2:"15.4.327.0)") ||
+         version_in_range(version:refVer, test_version:"7.2", test_version2:"7.2.1163") ||
+         version_in_range(version:refVer, test_version:"14.1", test_version2:"14.1.1173"))
+      {
+        security_hole(0);
+        exit(0);
+      }
+    }
+  }
+}
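Review bot: The range test `test_version2:"15.4.327.0)"` has a stray `)` inside the string literal, so the upper bound is compared as the text `15.4.327.0)` rather than as a version; it should read `version_in_range(version:refVer, test_version:"15.4", test_version2:"15.4.327.0") ||`. The upper bounds in all four checks also differ from the fixed builds quoted in the description (15.3.2.569, 15.4.1.327, 14.1.1.206, 7.2.1186); that may be deliberate if the registry DisplayVersion uses a different numbering than the advisory, but the mapping deserves a comment next to the checks so the next maintainer does not "correct" it. Separately, `creation_date` gives the year as 2011 in the timestamp but 2012 in the parenthesised date.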


Property changes on: trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Modified: trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -28,7 +28,8 @@
 {
   script_id(802551);
   script_version("$Revision$");
-  script_tag(name:"cvss_base", value:"7.5");
+  script_cve_id("CVE-2011-5052");
+  script_tag(name:"cvss_base", value:"6.8");
   script_tag(name:"risk_factor", value:"High");
   script_tag(name:"last_modification", value:"$Date$");
   script_tag(name:"creation_date", value:"2012-01-02 16:06:04 +0530 (Mon, 02 Jan 2012)");

Added: trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Oracle Sun GlassFish Server Hash Collision Denial of Service Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802409);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-5035");
+  script_bugtraq_id(51194);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-05 16:15:38 +0530 (Thu, 05 Jan 2012)");
+  script_name("Oracle Sun GlassFish Server Hash Collision Denial of Service Vulnerability");
+  desc = "
+  Overview: The host is running GlassFish Server and is prone to denial of
+  service vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error within a hash generation function when
+  hashing form posts and updating a hash table. This can be exploited to cause
+  a hash collision resulting in high CPU consumption via a specially crafted
+  form sent in a HTTP POST request.
+
+  Impact:
+  Successful exploitation could allow remote attackers to cause a denial
+  of service via a specially crafted form sent in a HTTP POST request.
+
+  Impact Level: Application/System
+
+  Affected Software/OS:
+  Oracle GlassFish version 3.1.1 and prior.
+
+  Fix: No solution or patch is available as on 05th January, 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://glassfish.java.net/
+
+  References:
+  http://www.kb.cert.org/vuls/id/903934
+  http://www.ocert.org/advisories/ocert-2011-003.html ";
+
+  script_description(desc);
+  script_summary("Check for the version of Oracle Sun Java GlassFish Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_dependencies("GlassFish_detect.nasl");
+  script_require_ports("Services/www", 8080);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Check for the default port
+if(!port = get_http_port(default:8080)){
+  port = 8080;
+}
+
+## Check port status
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Get the version form KB
+vers = get_kb_item(string("www/", port, "/GlassFish"));
+if(!vers){
+  exit(0);
+}
+
+if(version_is_less_equal(version: vers, test_version:"3.1.1")){
+  security_warning(port:port);
+}
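Review bot: `vers` is passed straight to version_is_less_equal, but GlassFish_detect.nasl (modified in this same commit) stores the literal string `unknown` under `www/<port>/GlassFish` when it sees the product without a parsable version, so the outcome here for such hosts depends on how the comparison treats a non-numeric string. I would replace the existing guard with `if(!vers || vers == "unknown") exit(0);` so that only a real version number can raise the warning.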


Property changes on: trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# HServer Multiple Webserver Directory Traversal Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802410);
+  script_version("$Revision$");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-06 13:10:29 +0530 (Fri, 06 Jan 2012)");
+  script_name("HServer Webserver Multiple Directory Traversal Vulnerabilities");
+  desc = "
+  Overview: The host is running HServer Webserver and is prone to multiple
+  directory traversal vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to improper validation of URI containing '..\..\'
+  sequences, which allows attackers to read arbitrary files via directory
+  traversal attacks.
+
+  Impact:
+  Successful exploitation will let the attacker to obtain sensitive information
+  that could aid in further attacks.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  HServer webserver version 0.1.1
+
+  Fix: No solution or patch is available as on 06th, January 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.luizpicanco.com/index.php?s=hserver
+
+  References:
+  http://www.securityfocus.com/archive/1/521119
+  http://packetstormsecurity.org/files/108376/hserverwebserver-traversal.txt ";
+
+  script_description(desc);
+  script_summary("Determine if HServer webserver is vulnerable to Directory Traversal Attack");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 8081);
+  exit(0);
+}
+
+##
+## The script code starts here
+##
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:8081);
+
+## Check Port State
+if(!get_port_state(port)){
+  exit(0);
+}
+
+## Send and Receive the response
+req = http_get(item: "/", port:port);
+res = http_send_recv(port:port, data:req);
+
+## Construct attack request
+exploits  = make_list("/..%5c..%5c..%5cboot.ini",
+                      "/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini");
+
+## Check for each exploit
+foreach url (exploits)
+{
+   ## Try exploit and check the response to confirm vulnerability
+   if(http_vuln_check(port:port, url:url, pattern:"\[boot loader\]"))
+   {
+     security_warning(port:port);
+     exit(0);
+   }
+}
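Review bot: `req` and `res` from the `http_send_recv` call are never read, so the script issues an extra request to `/` and then runs the traversal probes against whatever listens on the port without confirming it is HServer, although the name and summary describe an HServer-specific check. Either use `res` to look for the server's identifying banner before the loop (the exact string would need confirming against a real HServer response, so I am not proposing one) or drop those two lines. The `\[boot loader\]` pattern only confirms the Windows boot.ini case, which is presumably fine for this product but worth a one-line comment.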


Property changes on: trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,101 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mini-Stream Ripper And RM-MP3 Converter '.pls' File Buffer Overflow Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012  Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802368);
+  script_version("$Revision$");
+  script_cve_id("CVE-2009-5109", "CVE-2010-5081");
+  script_bugtraq_id(41332, 34514);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-03 10:37:57 +0530 (Tue, 03 Jan 2012)");
+  script_name("Mini-Stream Ripper And RM-MP3 Converter '.pls' File Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host is installed with Mini-Stream Ripper or RM-MP3 Converter
+  and is prone to buffer overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error when processing '.pls' files, which
+  can be exploited to cause a stack based buffer overflow by sending specially
+  crafted '.pls' file with a long entry.
+
+  Impact:
+  Successful exploitation will let the attacker to execution of arbitrary code.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Ripper version 3.0.1.1 and prior
+  RM-MP3 Converter version 3.1.2.1
+
+  Fix: No solution or patch is available as on 03rd, January 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://mini-stream.net/
+
+  References:
+  http://osvdb.org/61341
+  http://osvdb.org/78078
+  http://sebug.net/vuldb/ssvid-18793
+  http://www.exploit-db.com/exploits/18082
+  http://www.exploit-db.com/exploits/10782
+  http://www.exploit-db.com/exploits/10747
+  http://www.exploit-db.com/exploits/10745
+  http://www.exploit-db.com/exploits/18113
+  http://www.exploit-db.com/exploits/14373 ";
+
+  script_description(desc);
+  script_summary("Check for the version of Mini Stream Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_mini_stream_prdts_detect.nasl");
+  script_require_keys("MiniStream/RmToMp3/Conv/Ver", "MiniStream/Ripper/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+rmMp3 = get_kb_item("MiniStream/RmToMp3/Conv/Ver");
+if(rmMp3)
+{
+  #Mini-stream RM-MP3 Converter 3.1.2.1 points to version 3.1.2.1.2010.03.30
+  if(version_is_equal(version:rmMp3, test_version:"3.1.2.1.2010.03.30"))
+  {
+    security_hole(0);
+    exit(0);
+  }
+}
+
+miniRipper = get_kb_item("MiniStream/Ripper/Ver");
+if(miniRipper)
+{
+  if(version_is_less_equal(version:miniRipper,test_version:"3.0.1.1")){
+    security_hole(0);
+  }
+}
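Review bot: `script_require_keys("MiniStream/RmToMp3/Conv/Ver", "MiniStream/Ripper/Ver")` lists both KB keys while the body handles each product independently; if require_keys demands that every listed key be present, as I believe it does in this scanner, a host with only one of the two products installed is never checked at all. Either require only a key the detection script always sets, or drop the require line and rely on the `if(rmMp3)` / `if(miniRipper)` guards already in the body. The exact-match `version_is_equal` for the converter is explained by the comment above it, which is good; the same kind of comment would help on the Ripper bound.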


Property changes on: trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Oracle GlassFish Server Administration Console Authentication Bypass Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802411);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-1511");
+  script_bugtraq_id(47818);
+  script_tag(name:"cvss_base", value:"6.4");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-06 14:03:19 +0530 (Fri, 06 Jan 2012)");
+  script_name("Oracle GlassFish Server Administration Console Authentication Bypass Vulnerability");
+  desc = "
+  Overview: The host is running Oracle GlassFish Server and is prone to
+  security bypass vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error in Administration Console, when handling
+  HTTP requests using the 'TRACE' method. A remote unauthenticated attacker can
+  get access to the content of restricted pages in the Administration Console.
+  and also attacker can create a new Glassfish administrator.
+
+  Impact:
+  Successful exploitation could allow local attackers to access sensitive data
+  on the server without being authenticated, by making 'TRACE' requests against
+  the Administration Console.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Oracle GlassFish version 3.0.1 and prior.
+
+  Fix: Upgrade to Oracle GlassFish 3.1 or later,
+  For updated refer, http://glassfish.java.net/downloads/3.1-final.html
+
+  References:
+  http://securityreason.com/securityalert/8254
+  http://www.us-cert.gov/cas/techalerts/TA11-201A.html
+  http://packetstormsecurity.org/files/108381/NGS00106.txt ";
+
+  script_description(desc);
+  script_summary("Check for security bypass vulnerability in Oracle Sun Java GlassFish Server");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+  script_family("General");
+  script_require_ports("Services/www", 8080);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Check for the default port
+if(!port = get_http_port(default:4848)){
+  port = 4848;
+}
+
+## Check port status
+if(!get_port_state(port)){
+  exit(0);
+}
+
+sndReq = http_get(item:"/", port:port);
+rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:0);
+
+## Confirm the server
+if("Sun Java System Application Server" ><  rcvRes || "GlassFish Server" >< rcvRes)
+{
+
+  ## Construct the attack (TRACE) request
+  req = string("TRACE /common/security/realms/manageUserNew.jsf" +
+               "?name=admin-realm&configName=server-config&bare" +
+               "=true HTTP/1.1\r\n",
+               "Host: ", get_host_name(), "\r\n\r\n");
+
+  res = http_send_recv(port:port, data:req);
+
+  ## Check the Response
+  if("ConfirmPassword" >< res && "newPasswordProp:NewPassword" >< res
+      && "405 TRACE method is not allowed" >!< res){
+    security_hole(port);
+  }
+}
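Review bot: `script_require_ports("Services/www", 8080)` in the description block does not match the port the check actually uses, `get_http_port(default:4848)`, so the scanner's port scheduling and the request target disagree; I would change the require line to `script_require_ports("Services/www", 4848);`. The description also calls the attacker "local" under Impact while the Insight paragraph says "remote unauthenticated"; the check itself is unauthenticated over HTTP, so the Impact wording should say remote. With no `script_dependencies("http_version.nasl")`, the `Services/www` key may not be populated when this runs; worth confirming that get_http_port still falls back cleanly in that case.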


Property changes on: trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP Web Form Hash Collision Denial of Service Vulnerability (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802408);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-4885");
+  script_bugtraq_id(51193);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-03 16:47:40 +0530 (Tue, 03 Jan 2012)");
+  script_name("PHP Web Form Hash Collision Denial of Service Vulnerability (Win)");
+  desc = "
+  Overview: This host is installed with PHP and is prone to remote denial of
+  service vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error within a hash generation function when
+  hashing form posts and updating a hash table. This can be exploited to cause
+  a hash collision resulting in high CPU consumption via a specially crafted
+  form sent in a HTTP POST request.
+
+  Impact:
+  Successful exploitation could allow remote attackers to cause a denial
+  of service via a specially crafted form sent in a HTTP POST request.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  PHP Version 5.3.8 and prior.
+
+  Fix: Upgrade PHP to 5.3.9 or later,
+  For updates refer, http://php.net/downloads.php
+
+  References:
+  http://secunia.com/advisories/47404
+  http://www.kb.cert.org/vuls/id/903934
+  http://xforce.iss.net/xforce/xfdb/72021
+  http://www.exploit-db.com/exploits/18305/
+  http://www.exploit-db.com/exploits/18296/
+  http://www.ocert.org/advisories/ocert-2011-003.html
+  http://svn.php.net/viewvc?view=revision&revision=321040 ";
+
+  script_description(desc);
+  script_summary("Check for the version of PHP");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_dependencies("secpod_php_detect_win.nasl");
+  script_require_keys("PHP/Ver/win");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get version from KB
+phpVer = get_kb_item("PHP/Ver/win");
+
+if(phpVer != NULL)
+{
+  ##Check for PHP version
+  if(version_is_less_equal(version:phpVer, test_version:"5.3.8")){
+    security_warning(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHPB2B 'q' Parameter Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802369);
+  script_version("$Revision$");
+  script_bugtraq_id(51221);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-12-04 15:17:25 +0530 (Mon, 05 Dec 2011)");
+  script_name("PHPB2B 'q' Parameter Cross-Site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running PHPB2B and is prone to cross site scripting
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to improper validation of user-supplied input via
+  the 'q' parameter to /offer/list.php, which allows attacker to execute
+  arbitrary HTML and script code on the user's browser session in the security
+  context of an affected site.
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  PHPB2B version 4.1 and prior.
+
+  Fix: No solution or patch is available as on 04th January, 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.phpb2b.com/
+
+  References:
+  http://packetstormsecurity.org/files/108280/phpb2b-xss.txt
+  http://vulnsecuritylist.com/vulnerability/phpb2b-cross-site-scripting/";
+
+  script_description(desc);
+  script_summary("Check if PHPB2B is vulnerable to XSS");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+phpb2bPort = get_http_port(default:80);
+if(!phpb2bPort){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:phpb2bPort)) {
+  exit(0);
+}
+
+
+foreach dir (make_list("/phpb2b", "/phpb2b/upload", cgi_dirs()))
+{
+  ## Send and Receive the response
+  sndReq = http_get(item:string(dir, "/index.php"), port:phpb2bPort);
+  rcvRes = http_send_recv(port:phpb2bPort, data:sndReq);
+
+  ## Confirm application is Member Management System
+  if("PHPB2B e-commerce Web Site Management System" >< rcvRes &&
+     ">Powered by PHPB2B" >< rcvRes)
+  {
+    ## Path of Vulnerable Page
+    url = dir + '/offer/list.php?do=search&q=<script>alert' +
+          '(document.cookie)</script>';
+
+    ## Send XSS attack and check the response to confirm vulnerability.
+    if(http_vuln_check(port:phpb2bPort, url:url, pattern:"<script>alert\(document." +
+                                               "cookie\)</script>"))
+    {
+       security_warning(phpb2bPort);
+       exit(0);
+    }
+  }
+}
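Review bot: The creation_date tag at the top of this file is internally inconsistent — `"2012-12-04 15:17:25 +0530 (Mon, 05 Dec 2011)"` gives the year as 2012 in the ISO part and 2011 in the parenthetical, and the day as 04 versus 05; the sibling SQLiteManager and TomatoSoft scripts in the same commit use matching values, so this one should be corrected to whichever date is actually meant (December 2011 is the only one that precedes this January 2012 commit). The comment `## Confirm application is Member Management System` above the banner check was carried over from another plugin and should read `## Confirm application is PHPB2B`. Unlike the SQLiteManager script, this one declares no `script_require_ports("Services/www", 80)` in the description block, which is worth adding for consistency so the scanner can skip hosts with no web service before the `get_http_port` call.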


Property changes on: trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# SQLiteManager 'dbsel' And 'nsextt' Parameters Multiple XSS Vulnerabilities
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802373);
+  script_version("$Revision$");
+  script_bugtraq_id(51294);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-06 13:17:25 +0530 (Fri, 06 Jan 2012)");
+  script_name("SQLiteManager 'dbsel' And 'nsextt' Parameters Multiple XSS Vulnerabilities");
+  desc = "
+  Overview: The host is running SQLiteManager and is prone to multiple 
+  cross site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused due to improper validation of user-supplied input via
+  the 'dbsel' or 'nsextt' parameters to index.php or main.php script, which
+  allows attacker to execute arbitrary HTML and script code on the user's
+  browser session in the security context of an affected site.
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  SQLiteManager version 1.2.4 and prior.
+
+  Fix: No solution or patch is available as on 04th January, 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.sqlitemanager.org/index.php
+
+  References:
+  http://www.securityfocus.com/archive/1/521126
+  http://packetstormsecurity.org/files/108393/sqlitemanager124-xss.txt ";
+
+  script_description(desc);
+  script_summary("Check if SQLiteManager is vulnerable to XSS");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("gb_sqlitemanager_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+  exit(0);
+}
+
+## Get the version from KB
+dir = get_dir_from_kb(port:port,app:"SQLiteManager");
+if(!dir){
+  exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/main.php?dbsel=</script><script>alert(document.cookie)</script>";
+
+## Send XSS attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:port, url:url, pattern:"</script><script>alert\(" +
+                               "document.cookie\)</script>")){
+  security_warning(port);
+}
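Review bot: The comment `## Get the version from KB` above the `get_dir_from_kb` call is misleading — that call returns the install directory recorded by gb_sqlitemanager_detect.nasl, not a version; `## Get the install directory from KB` matches what the code does. Related to that, `include("version_func.inc")` is pulled in but no version_* function is used anywhere in this script, so the include can be dropped. The script name advertises both the 'dbsel' and 'nsextt' parameters, while only 'dbsel' on main.php is probed; a comment saying the single check is taken as sufficient evidence for the whole advisory would save the next reader from thinking the second case was forgotten.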


Property changes on: trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id

Added: trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl	2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl	2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# TomatoSoft Free Mp3 Player '.mp3' File Denial of Service Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802370);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-5043");
+  script_bugtraq_id(51123);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2012-01-05 12:20:03 +0530 (Thu, 05 Jan 2012)");
+  script_name("TomatoSoft Free Mp3 Player '.mp3' File Denial of Service Vulnerability");
+  desc = "
+  Overview: This host is installed with TomatoSoft Free Mp3 Player and is
+  prone to denial of service vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an error when parsing a crafted '.mp3' file
+  containing an overly long argument.
+
+  Impact:
+  Successful exploitation will let the attacker to cause the application
+  to crash.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  TomatoSoft Free Mp3 Player 1.0
+
+  Fix: No solution or patch is available as on 6th January, 2012. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.tomatosoft.biz/blog/2011/12/09/free-mp3-player/
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/71870
+  http://www.exploit-db.com/exploits/18254/ ";
+
+  script_description(desc);
+  script_summary("Check for the version of TomatoSoft Free Mp3 Player");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+## Get Related Registry key
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mp3Player";
+if(!registry_key_exists(key:key)){
+  exit(0);
+}
+
+playerName = registry_get_sz(key:key , item:"Publisher");
+
+## Confirm application
+if("Tomatosoft" >< playerName)
+{
+  playerVer = registry_get_sz(key:key , item:"DisplayName");
+  playerVer = eregmatch(pattern:"Mp3 Player ([0-9.]+)", string:playerVer);
+
+  if(playerVer != NULL)
+  {
+    ## Check for TomatoSoft Free Mp3 Player < 1.0 version
+    if(version_is_less_equal(version:playerVer[1], test_version:"1.0"))
+    {
+      security_warning(0);
+      exit(0);
+    }
+  }
+}
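Review bot: The comment `## Check for TomatoSoft Free Mp3 Player < 1.0 version` contradicts the code beneath it, which calls `version_is_less_equal(..., test_version:"1.0")` and therefore flags 1.0 itself — consistent with the description's "TomatoSoft Free Mp3 Player 1.0" as the affected version; the comment should read `## Check for TomatoSoft Free Mp3 Player version 1.0 or earlier`. The `playerName` read from the Publisher value is compared with `><` without first confirming it is non-NULL; a `if(!playerName){ exit(0); }` guard after the `registry_get_sz` call would make the intent explicit and mirror the NULL check already applied to `playerVer`.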


Property changes on: trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date Id


