[Openvas-commits] r12430 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Jan 6 14:28:08 CET 2012
Author: antu123
Date: 2012-01-06 14:28:01 +0100 (Fri, 06 Jan 2012)
New Revision: 12430
Added:
trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl
trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl
trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl
trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl
trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl
trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl
trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/GlassFish_detect.nasl
trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl
Log:
Added new plugins, Updated CVE and CVSS
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/ChangeLog 2012-01-06 13:28:01 UTC (rev 12430)
@@ -1,3 +1,22 @@
+2012-01-06 Antu Sanadi <santu at secpod.com>
+
+ * scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl,
+ scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl,
+ scripts/gb_glassfish_hash_collision_dos_vuln.nasl,
+ scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl,
+ scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl,
+ scripts/gb_phpb2b_q_param_xss_vuln.nasl,
+ scripts/gb_sqlitemanager_mult_xss_vuln.nasl,
+ scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl,
+ scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl:
+ Added new plugins.
+
+ * scripts/GlassFish_detect.nasl:
+ Updated to detect recent versions.
+
+ * scripts/gb_cocsoft_stream_down_bof_vuln.nasl:
+ Updated CVE and CVSS.
+
2012-01-06 Michael Meyer <michael.meyer at greenbone.net>
* scripts/gb_ImpressPages_49798.nasl:
Modified: trunk/openvas-plugins/scripts/GlassFish_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/GlassFish_detect.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/GlassFish_detect.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -9,6 +9,7 @@
#
# Updated by: Antu Sanadi <santu at secpod.com> on 2010-01-31
# Updated to detect recent versions (3.x)
+# Updated to to read the data from index.html, on 2012-01-06
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH
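Review bot: The added history line on L58 has a doubled word ("Updated to to read"); it should read `# Updated to read the data from index.html, on 2012-01-06`. Since this header is the only place the switch from `/` to `/index.html` is explained, it is worth also stating why the body is now consulted (the Server header alone no longer identifies recent versions, if that is the reason).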
@@ -45,7 +46,7 @@
script_tag(name:"creation_date", value:"2009-05-10 17:01:14 +0200 (Sun, 10 May 2009)");
script_tag(name:"risk_factor", value:"None");
- script_name("GlassFish Server Detection");
+ script_name("GlassFish Server Detection");
script_description(desc);
script_summary("Checks for the presence of GlassFish Server");
@@ -72,14 +73,15 @@
if(!get_port_state(port))exit(0);
- url = string("/");
+ url = string("/index.html");
req = http_get(item:url, port:port);
buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
-
+
if( buf == NULL )continue;
- if( egrep(pattern: 'Server:.*GlassFish.*', string: buf, icase: TRUE) )
- {
-
+ if( egrep(pattern: '.*GlassFish.*', string: buf, icase: TRUE) ||
+ egrep(pattern: 'Server:.*GlassFish.*', string: buf, icase: TRUE))
+ {
+
vers = string("unknown");
version = eregmatch(string: buf, pattern: 'Server:.*GlassFish[^0-9]+v([0-9.]+)',icase:TRUE);
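Review bot: The new first alternative on L81, `'.*GlassFish.*'`, already matches every response that the Server-header alternative on L82 matches, so the `||` is redundant, and it also accepts any response whose body merely contains the word GlassFish (an HTML comment, a documentation page, a proxy or error page), which then gets a `www/<port>/GlassFish` KB entry that dependent checks act on. If the intent is to read the product name from the index.html body, anchor the pattern to the markup the default page actually emits rather than an unbounded `.*GlassFish.*`, and keep the header match as a separate alternative only if it adds a case. Note also that `version` on L86 is still extracted from the Server header only, so a body-only match falls through with `vers` left at the `unknown` set on L85. The enclosing loop and branch start before and end after this hunk.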
@@ -101,28 +103,27 @@
set_kb_item(name: string("GlassFishAdminConsole/port"), value: port);
} else {
set_kb_item(name: string("www/", port, "/GlassFish"), value: vers);
-
+
## build cpe and store it as host_detail
cpe = build_cpe(value:vers, exp:"^([0-9.]+)", base:"cpe:/a:sun:glassfish");
if(!isnull(cpe))
register_host_detail(name:"App", value:cpe, nvt:SCRIPT_OID, desc:SCRIPT_DESC);
- }
+ }
info = string("\n\nGlassFish Version '");
info += string(vers);
info += string("' was detected on the remote host\n");
- desc = desc + info;
-
+ desc = desc + info;
+
if(report_verbosity > 0) {
- if(report) {
- desc = report;
- }
+ if(report) {
+ desc = report;
+ }
security_note(port:port,data:string(desc));
}
exit(0);
-
- }
+ }
exit(0);
Property changes on: trunk/openvas-plugins/scripts/GlassFish_detect.nasl
___________________________________________________________________
Name: svn:keywords
- Author Date Id Revision
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,121 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Attachmate Reflection FTP Client LIST Command Remote Heap Buffer Overflow Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802371);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-5012");
+ script_bugtraq_id(50691);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-01-05 16:57:58 +0530 (Thu, 05 Jan 2012)");
+ script_name("Attachmate Reflection FTP Client LIST Command Remote Heap Buffer Overflow Vulnerability");
+ desc = "
+ Overview: This host is installed with Attachmate Reflection FTP Client and
+ is prone to buffer overflow vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to boundary error in the Reflection FTP client in
+ rftpcom.dll, which fails to process filenames within a directory listing.
+
+ Impact:
+ Successful exploitation will let the attacker to execution of arbitrary code.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Attachmate Reflection 2008
+ Attachmate Reflection 2011 R1 before 15.3.2.569
+ Attachmate Reflection 2011 R2 before 15.4.1.327
+ Attachmate Reflection 14.1 SP1 before 14.1.1.206
+ Attachmate Reflection Windows Client 7.2 SP1 before hotfix 7.2.1186
+
+ Fix:
+ Upgrade to the latest version or apply the fix,
+ For updates refer, http://support.attachmate.com/techdocs/1708.html
+
+ *****
+ NOTE : Ignore this warning, if above mentioned patch is applied already.
+ *****
+
+ References:
+ http://osvdb.org/77189
+ http://secunia.com/advisories/46879
+ http://xforce.iss.net/xforce/xfdb/71330
+ http://www.securitytracker.com/id?1026340
+ http://www.exploit-db.com/exploits/18119/
+ http://support.attachmate.com/techdocs/2288.html
+ http://support.attachmate.com/techdocs/2502.html
+ http://support.attachmate.com/techdocs/1708.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Attachmate Reflection FTP Client");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+## Get version from Registry
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(!registry_key_exists(key:key)){
+ exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+ refName = registry_get_sz(key:key + item, item:"DisplayName");
+ if("Attachmate Reflection" >< refName)
+ {
+ refVer = registry_get_sz(key:key + item, item:"DisplayVersion");
+ if(refVer != NULL)
+ {
+ ## Check for version's
+ if(version_in_range(version:refVer, test_version:"15.3", test_version2:"15.3.569.0") ||
+ version_in_range(version:refVer, test_version:"15.4", test_version2:"15.4.327.0)") ||
+ version_in_range(version:refVer, test_version:"7.2", test_version2:"7.2.1163") ||
+ version_in_range(version:refVer, test_version:"14.1", test_version2:"14.1.1173"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+ }
+ }
+}
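Review bot: The upper bound of the second range on L241, `test_version2:"15.4.327.0)"`, has a stray `)` inside the string literal, so the 15.4 branch compares against a malformed version and its outcome depends on how version_in_range tolerates a non-numeric component; it should read `version_in_range(version:refVer, test_version:"15.4", test_version2:"15.4.327.0") ||`. The bounds on L240-L243 also do not line up with the fixed builds the description gives (15.3.2.569, 15.4.1.327, 14.1.1.206, 7.2.1186 versus 15.3.569.0, 15.4.327.0, 14.1.1173, 7.2.1163) — whichever form matches the DisplayVersion format actually written to the registry should be used, and the description should say which mapping applies. The creation_date on L165, `2011-01-05 ... (Thu, 05 Jan 2012)`, carries mismatched years as well.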
Property changes on: trunk/openvas-plugins/scripts/gb_attachmate_reflection_ftp_client_bof_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Modified: trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_cocsoft_stream_down_bof_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -28,7 +28,8 @@
{
script_id(802551);
script_version("$Revision$");
- script_tag(name:"cvss_base", value:"7.5");
+ script_cve_id("CVE-2011-5052");
+ script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"risk_factor", value:"High");
script_tag(name:"last_modification", value:"$Date$");
script_tag(name:"creation_date", value:"2012-01-02 16:06:04 +0530 (Mon, 02 Jan 2012)");
Added: trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Oracle Sun GlassFish Server Hash Collision Denial of Service Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802409);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-5035");
+ script_bugtraq_id(51194);
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-05 16:15:38 +0530 (Thu, 05 Jan 2012)");
+ script_name("Oracle Sun GlassFish Server Hash Collision Denial of Service Vulnerability");
+ desc = "
+ Overview: The host is running GlassFish Server and is prone to denial of
+ service vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error within a hash generation function when
+ hashing form posts and updating a hash table. This can be exploited to cause
+ a hash collision resulting in high CPU consumption via a specially crafted
+ form sent in a HTTP POST request.
+
+ Impact:
+ Successful exploitation could allow remote attackers to cause a denial
+ of service via a specially crafted form sent in a HTTP POST request.
+
+ Impact Level: Application/System
+
+ Affected Software/OS:
+ Oracle GlassFish version 3.1.1 and prior.
+
+ Fix: No solution or patch is available as on 05th January, 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://glassfish.java.net/
+
+ References:
+ http://www.kb.cert.org/vuls/id/903934
+ http://www.ocert.org/advisories/ocert-2011-003.html ";
+
+ script_description(desc);
+ script_summary("Check for the version of Oracle Sun Java GlassFish Server");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ script_dependencies("GlassFish_detect.nasl");
+ script_require_ports("Services/www", 8080);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+## Check for the default port
+if(!port = get_http_port(default:8080)){
+ port = 8080;
+}
+
+## Check port status
+if(!get_port_state(port)){
+ exit(0);
+}
+
+## Get the version form KB
+vers = get_kb_item(string("www/", port, "/GlassFish"));
+if(!vers){
+ exit(0);
+}
+
+if(version_is_less_equal(version: vers, test_version:"3.1.1")){
+ security_warning(port:port);
+}
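Review bot: The KB value read on L363 is passed straight to version_is_less_equal on L368, but the detection script this depends on initialises the stored value to the literal `unknown` (`vers = string("unknown")` in GlassFish_detect.nasl) before attempting to extract a version, so whether an unversioned GlassFish is reported here depends on how version_is_less_equal treats that non-numeric string. Guard it explicitly before the comparison with `if(vers == "unknown") exit(0);`, or state in a comment that a non-numeric value is intended to fall through. The `if(!port = get_http_port(default:8080))` form on L353 is an assignment inside a condition; a short comment that the assignment is intentional would help readers who are not used to the idiom.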
Property changes on: trunk/openvas-plugins/scripts/gb_glassfish_hash_collision_dos_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# HServer Multiple Webserver Directory Traversal Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802410);
+ script_version("$Revision$");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-06 13:10:29 +0530 (Fri, 06 Jan 2012)");
+ script_name("HServer Webserver Multiple Directory Traversal Vulnerabilities");
+ desc = "
+ Overview: The host is running HServer Webserver and is prone to multiple
+ directory traversal vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to improper validation of URI containing '..\..\'
+ sequences, which allows attackers to read arbitrary files via directory
+ traversal attacks.
+
+ Impact:
+ Successful exploitation will let the attacker to obtain sensitive information
+ that could aid in further attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ HServer webserver version 0.1.1
+
+ Fix: No solution or patch is available as on 06th, January 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.luizpicanco.com/index.php?s=hserver
+
+ References:
+ http://www.securityfocus.com/archive/1/521119
+ http://packetstormsecurity.org/files/108376/hserverwebserver-traversal.txt ";
+
+ script_description(desc);
+ script_summary("Determine if HServer webserver is vulnerable to Directory Traversal Attack");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Web Servers");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 8081);
+ exit(0);
+}
+
+##
+## The script code starts here
+##
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:8081);
+
+## Check Port State
+if(!get_port_state(port)){
+ exit(0);
+}
+
+## Send and Receive the response
+req = http_get(item: "/", port:port);
+res = http_send_recv(port:port, data:req);
+
+## Construct attack request
+exploits = make_list("/..%5c..%5c..%5cboot.ini",
+ "/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini");
+
+## Check for each exploit
+foreach url (exploits)
+{
+ ## Try exploit and check the response to confirm vulnerability
+ if(http_vuln_check(port:port, url:url, pattern:"\[boot loader\]"))
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+}
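Review bot: `res` on L468 is assigned and never read, so the request on L467-L468 is dead code and the ACT_ATTACK traversal probes on L475-L482 are sent to whatever answers on the port with no check that it is HServer at all. Either drop the two lines or use the response to gate the probes, e.g. `if(!egrep(pattern:"^Server:.*HServer", string:res, icase:TRUE)) exit(0);` with the banner string adjusted to what HServer actually sends (not verifiable from this page). The `\[boot loader\]` pattern on L478 only confirms a Windows boot.ini, which presumably matches the product's platform given the backslash-encoded paths, but a one-line comment saying so would make the intent explicit.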
Property changes on: trunk/openvas-plugins/scripts/gb_hserver_webserver_mult_dir_trav_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,101 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mini-Stream Ripper And RM-MP3 Converter '.pls' File Buffer Overflow Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802368);
+ script_version("$Revision$");
+ script_cve_id("CVE-2009-5109", "CVE-2010-5081");
+ script_bugtraq_id(41332, 34514);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-03 10:37:57 +0530 (Tue, 03 Jan 2012)");
+ script_name("Mini-Stream Ripper And RM-MP3 Converter '.pls' File Buffer Overflow Vulnerability");
+ desc = "
+ Overview: This host is installed with Mini-Stream Ripper or RM-MP3 Converter
+ and is prone to buffer overflow vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error when processing '.pls' files, which
+ can be exploited to cause a stack based buffer overflow by sending specially
+ crafted '.pls' file with a long entry.
+
+ Impact:
+ Successful exploitation will let the attacker to execution of arbitrary code.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Ripper version 3.0.1.1 and prior
+ RM-MP3 Converter version 3.1.2.1
+
+ Fix: No solution or patch is available as on 03rd, January 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://mini-stream.net/
+
+ References:
+ http://osvdb.org/61341
+ http://osvdb.org/78078
+ http://sebug.net/vuldb/ssvid-18793
+ http://www.exploit-db.com/exploits/18082
+ http://www.exploit-db.com/exploits/10782
+ http://www.exploit-db.com/exploits/10747
+ http://www.exploit-db.com/exploits/10745
+ http://www.exploit-db.com/exploits/18113
+ http://www.exploit-db.com/exploits/14373 ";
+
+ script_description(desc);
+ script_summary("Check for the version of Mini Stream Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ script_dependencies("secpod_mini_stream_prdts_detect.nasl");
+ script_require_keys("MiniStream/RmToMp3/Conv/Ver", "MiniStream/Ripper/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+rmMp3 = get_kb_item("MiniStream/RmToMp3/Conv/Ver");
+if(rmMp3)
+{
+ #Mini-stream RM-MP3 Converter 3.1.2.1 points to version 3.1.2.1.2010.03.30
+ if(version_is_equal(version:rmMp3, test_version:"3.1.2.1.2010.03.30"))
+ {
+ security_hole(0);
+ exit(0);
+ }
+}
+
+miniRipper = get_kb_item("MiniStream/Ripper/Ver");
+if(miniRipper)
+{
+ if(version_is_less_equal(version:miniRipper,test_version:"3.0.1.1")){
+ security_hole(0);
+ }
+}
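Review bot: The RM-MP3 Converter check on L580 uses version_is_equal against the full build string `3.1.2.1.2010.03.30`, so any other build reporting 3.1.2.1, and any earlier release, is silently skipped even though the description says no fix exists; if only that exact build is known to be affected, the Affected Software/OS text should say so, otherwise `version_is_less_equal(version:rmMp3, test_version:"3.1.2.1.2010.03.30")` is the safer bound. The two branches are also inconsistent in shape — L582-L583 call `security_hole(0); exit(0);` while L591 only calls `security_hole(0);` — which is harmless at end of script but reads as an oversight.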
Property changes on: trunk/openvas-plugins/scripts/gb_mini_stream_ripper_and_rmmp3_conv_bof_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Oracle GlassFish Server Administration Console Authentication Bypass Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802411);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-1511");
+ script_bugtraq_id(47818);
+ script_tag(name:"cvss_base", value:"6.4");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-06 14:03:19 +0530 (Fri, 06 Jan 2012)");
+ script_name("Oracle GlassFish Server Administration Console Authentication Bypass Vulnerability");
+ desc = "
+ Overview: The host is running Oracle GlassFish Server and is prone to
+ security bypass vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error in Administration Console, when handling
+ HTTP requests using the 'TRACE' method. A remote unauthenticated attacker can
+ get access to the content of restricted pages in the Administration Console.
+ and also attacker can create a new Glassfish administrator.
+
+ Impact:
+ Successful exploitation could allow local attackers to access sensitive data
+ on the server without being authenticated, by making 'TRACE' requests against
+ the Administration Console.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Oracle GlassFish version 3.0.1 and prior.
+
+ Fix: Upgrade to Oracle GlassFish 3.1 or later,
+ For updated refer, http://glassfish.java.net/downloads/3.1-final.html
+
+ References:
+ http://securityreason.com/securityalert/8254
+ http://www.us-cert.gov/cas/techalerts/TA11-201A.html
+ http://packetstormsecurity.org/files/108381/NGS00106.txt ";
+
+ script_description(desc);
+ script_summary("Check for security bypass vulnerability in Oracle Sun Java GlassFish Server");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
+ script_family("General");
+ script_require_ports("Services/www", 8080);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Check for the default port
+if(!port = get_http_port(default:4848)){
+ port = 4848;
+}
+
+## Check port status
+if(!get_port_state(port)){
+ exit(0);
+}
+
+sndReq = http_get(item:"/", port:port);
+rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:0);
+
+## Confirm the server
+if("Sun Java System Application Server" >< rcvRes || "GlassFish Server" >< rcvRes)
+{
+
+ ## Construct the attack (TRACE) request
+ req = string("TRACE /common/security/realms/manageUserNew.jsf" +
+ "?name=admin-realm&configName=server-config&bare" +
+ "=true HTTP/1.1\r\n",
+ "Host: ", get_host_name(), "\r\n\r\n");
+
+ res = http_send_recv(port:port, data:req);
+
+ ## Check the Response
+ if("ConfirmPassword" >< res && "newPasswordProp:NewPassword" >< res
+ && "405 TRACE method is not allowed" >!< res){
+ security_hole(port);
+ }
+}
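Review bot: `script_require_ports("Services/www", 8080)` on L673 does not match the port the body actually probes, `get_http_port(default:4848)` on L682, so a host exposing only the admin console port may never be scheduled for this script; the declaration should be `script_require_ports("Services/www", 4848);`. The description is internally inconsistent as well — Vulnerability Insight (L646) says a remote unauthenticated attacker while Impact (L651) says local attackers, and since the TRACE request on L699-L704 is sent over the network, "remote" is the accurate word. Unlike the sibling checks in this commit, no `script_dependencies` is declared; depending on `GlassFish_detect.nasl` as L343 does would let this script reuse the KB entry instead of re-fetching `/` to confirm the server on L695.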
Property changes on: trunk/openvas-plugins/scripts/gb_oracle_glassfish_admin_console_auth_bypass_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP Web Form Hash Collision Denial of Service Vulnerability (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802408);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-4885");
+ script_bugtraq_id(51193);
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-03 16:47:40 +0530 (Tue, 03 Jan 2012)");
+ script_name("PHP Web Form Hash Collision Denial of Service Vulnerability (Win)");
+ desc = "
+ Overview: This host is installed with PHP and is prone to remote denial of
+ service vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error within a hash generation function when
+ hashing form posts and updating a hash table. This can be exploited to cause
+ a hash collision resulting in high CPU consumption via a specially crafted
+ form sent in a HTTP POST request.
+
+ Impact:
+ Successful exploitation could allow remote attackers to cause a denial
+ of service via a specially crafted form sent in a HTTP POST request.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ PHP Version 5.3.8 and prior.
+
+ Fix: Upgrade PHP to 5.3.9 or later,
+ For updates refer, http://php.net/downloads.php
+
+ References:
+ http://secunia.com/advisories/47404
+ http://www.kb.cert.org/vuls/id/903934
+ http://xforce.iss.net/xforce/xfdb/72021
+ http://www.exploit-db.com/exploits/18305/
+ http://www.exploit-db.com/exploits/18296/
+ http://www.ocert.org/advisories/ocert-2011-003.html
+ http://svn.php.net/viewvc?view=revision&revision=321040 ";
+
+ script_description(desc);
+ script_summary("Check for the version of PHP");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ script_dependencies("secpod_php_detect_win.nasl");
+ script_require_keys("PHP/Ver/win");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get version from KB
+phpVer = get_kb_item("PHP/Ver/win");
+
+if(phpVer != NULL)
+{
+ ##Check for PHP version
+ if(version_is_less_equal(version:phpVer, test_version:"5.3.8")){
+ security_warning(0);
+ }
+}
Property changes on: trunk/openvas-plugins/scripts/gb_php_web_form_hash_collision_dos_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHPB2B 'q' Parameter Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802369);
+ script_version("$Revision$");
+ script_bugtraq_id(51221);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-12-04 15:17:25 +0530 (Mon, 05 Dec 2011)");
+ script_name("PHPB2B 'q' Parameter Cross-Site Scripting Vulnerability");
+ desc = "
+ Overview: The host is running PHPB2B and is prone to cross site scripting
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to improper validation of user-supplied input via
+ the 'q' parameter to /offer/list.php, which allows attacker to execute
+ arbitrary HTML and script code on the user's browser session in the security
+ context of an affected site.
+
+ Impact:
+ Successful exploitation will allow remote attackers to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in the
+ context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ PHPB2B version 4.1 and prior.
+
+ Fix: No solution or patch is available as on 04th January, 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.phpb2b.com/
+
+ References:
+ http://packetstormsecurity.org/files/108280/phpb2b-xss.txt
+ http://vulnsecuritylist.com/vulnerability/phpb2b-cross-site-scripting/";
+
+ script_description(desc);
+ script_summary("Check if PHPB2B is vulnerable to XSS");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+phpb2bPort = get_http_port(default:80);
+if(!phpb2bPort){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:phpb2bPort)) {
+ exit(0);
+}
+
+
+foreach dir (make_list("/phpb2b", "/phpb2b/upload", cgi_dirs()))
+{
+ ## Send and Receive the response
+ sndReq = http_get(item:string(dir, "/index.php"), port:phpb2bPort);
+ rcvRes = http_send_recv(port:phpb2bPort, data:sndReq);
+
+ ## Confirm application is Member Management System
+ if("PHPB2B e-commerce Web Site Management System" >< rcvRes &&
+ ">Powered by PHPB2B" >< rcvRes)
+ {
+ ## Path of Vulnerable Page
+ url = dir + '/offer/list.php?do=search&q=<script>alert' +
+ '(document.cookie)</script>';
+
+ ## Send XSS attack and check the response to confirm vulnerability.
+ if(http_vuln_check(port:phpb2bPort, url:url, pattern:"<script>alert\(document." +
+ "cookie\)</script>"))
+ {
+ security_warning(phpb2bPort);
+ exit(0);
+ }
+ }
+}
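Review bot: The creation_date tag in the description block is internally inconsistent: `2012-12-04 15:17:25 +0530 (Mon, 05 Dec 2011)` mixes a 2012-12-04 ISO date with a "05 Dec 2011" human-readable part, and the weekday does not match either; the other scripts in this commit use a consistent pair such as `2012-01-06 13:17:25 +0530 (Fri, 06 Jan 2012)`, so this one presumably should read `2011-12-05 15:17:25 +0530 (Mon, 05 Dec 2011)` or whatever the real creation date was. The comment `## Confirm application is Member Management System` above the marker check is copied from another plugin and does not describe the PHPB2B strings tested on the next two lines; `## Confirm the application is PHPB2B` would match the code. The description block also declares no `script_require_ports("Services/www", 80)` although the sibling gb_sqlitemanager_mult_xss_vuln.nasl in this commit does, so the scheduler cannot tell this script needs an HTTP port; if that omission is intentional it deserves a comment.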
Property changes on: trunk/openvas-plugins/scripts/gb_phpb2b_q_param_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# SQLiteManager 'dbsel' And 'nsextt' Parameters Multiple XSS Vulnerabilities
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802373);
+ script_version("$Revision$");
+ script_bugtraq_id(51294);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-06 13:17:25 +0530 (Fri, 06 Jan 2012)");
+ script_name("SQLiteManager 'dbsel' And 'nsextt' Parameters Multiple XSS Vulnerabilities");
+ desc = "
+ Overview: The host is running SQLiteManager and is prone to multiple
+ cross site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ The flaws are caused due to improper validation of user-supplied input via
+ the 'dbsel' or 'nsextt' parameters to index.php or main.php script, which
+ allows attacker to execute arbitrary HTML and script code on the user's
+ browser session in the security context of an affected site.
+
+ Impact:
+ Successful exploitation will allow remote attackers to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in the
+ context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ SQLiteManager version 1.2.4 and prior.
+
+ Fix: No solution or patch is available as on 04th January, 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.sqlitemanager.org/index.php
+
+ References:
+ http://www.securityfocus.com/archive/1/521126
+ http://packetstormsecurity.org/files/108393/sqlitemanager124-xss.txt ";
+
+ script_description(desc);
+ script_summary("Check if SQLiteManager is vulnerable to XSS");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("gb_sqlitemanager_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get the HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+ exit(0);
+}
+
+## Get the version from KB
+dir = get_dir_from_kb(port:port,app:"SQLiteManager");
+if(!dir){
+ exit(0);
+}
+
+## Construct the Attack Request
+url = dir + "/main.php?dbsel=</script><script>alert(document.cookie)</script>";
+
+## Send XSS attack and check the response to confirm vulnerability.
+if(http_vuln_check(port:port, url:url, pattern:"</script><script>alert\(" +
+ "document.cookie\)</script>")){
+ security_warning(port);
+}
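Review bot: The comment `## Get the version from KB` above the `get_dir_from_kb(...)` call misdescribes it: the call returns the install directory that the detect script stored, not a version, and nothing in this hunk reads a version; `## Get the install directory from KB` would be accurate. Related, `include("version_func.inc")` is pulled in but no `version_*` function is called anywhere in the script, so the include appears unused and can be dropped unless another include in this plugin depends on it. The description text names both 'dbsel' and 'nsextt' and both index.php and main.php, while the check exercises only `dbsel` on main.php; a one-line comment stating that one confirmed vector is sufficient for reporting would save the next reader from assuming the other cases were forgotten.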
Property changes on: trunk/openvas-plugins/scripts/gb_sqlitemanager_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Added: trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl 2012-01-06 10:56:15 UTC (rev 12429)
+++ trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl 2012-01-06 13:28:01 UTC (rev 12430)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# TomatoSoft Free Mp3 Player '.mp3' File Denial of Service Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802370);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-5043");
+ script_bugtraq_id(51123);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2012-01-05 12:20:03 +0530 (Thu, 05 Jan 2012)");
+ script_name("TomatoSoft Free Mp3 Player '.mp3' File Denial of Service Vulnerability");
+ desc = "
+ Overview: This host is installed with TomatoSoft Free Mp3 Player and is
+ prone to denial of service vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to an error when parsing a crafted '.mp3' file
+ containing an overly long argument.
+
+ Impact:
+ Successful exploitation will let the attacker to cause the application
+ to crash.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ TomatoSoft Free Mp3 Player 1.0
+
+ Fix: No solution or patch is available as on 6th January, 2012. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.tomatosoft.biz/blog/2011/12/09/free-mp3-player/
+
+ References:
+ http://xforce.iss.net/xforce/xfdb/71870
+ http://www.exploit-db.com/exploits/18254/ ";
+
+ script_description(desc);
+ script_summary("Check for the version of TomatoSoft Free Mp3 Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+## Get Related Registry key
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mp3Player";
+if(!registry_key_exists(key:key)){
+ exit(0);
+}
+
+playerName = registry_get_sz(key:key , item:"Publisher");
+
+## Confirm application
+if("Tomatosoft" >< playerName)
+{
+ playerVer = registry_get_sz(key:key , item:"DisplayName");
+ playerVer = eregmatch(pattern:"Mp3 Player ([0-9.]+)", string:playerVer);
+
+ if(playerVer != NULL)
+ {
+ ## Check for TomatoSoft Free Mp3 Player < 1.0 version
+ if(version_is_less_equal(version:playerVer[1], test_version:"1.0"))
+ {
+ security_warning(0);
+ exit(0);
+ }
+ }
+}
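Review bot: The comment `## Check for TomatoSoft Free Mp3 Player < 1.0 version` contradicts the code below it, which uses `version_is_less_equal(..., test_version:"1.0")` and therefore also flags version 1.0 itself, which is exactly the version the description's "Affected Software/OS" section names; the comment should read `## Check for TomatoSoft Free Mp3 Player version <= 1.0`. The Publisher match uses `"Tomatosoft" >< playerName` while the product is spelled "TomatoSoft" everywhere else in the script; if the substring operator is case-sensitive in this NASL version the check depends on the registry's exact capitalisation, so a comment noting that the Publisher value was verified against a real install (or switching to a case-insensitive comparison) would make the intent clear. `registry_get_sz` for DisplayName may return NULL before the `eregmatch` call; that is presumably tolerated by `eregmatch`, but an explicit `if(!playerVer) exit(0);` would make the assumption visible.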
Property changes on: trunk/openvas-plugins/scripts/gb_tomatosoft_free_mp3_player_dos_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id