home *** CD-ROM | disk | FTP | other *** search

---

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / sambar_xss.nasl

< prev

next >

Wrap

Text File  |  2005-01-14  |  3KB  |  114 lines

---

1. #
2. # This script was written by Renaud Deraison
3. #
4. # GPL
5. #
6. # References:
7. # Date: 27 Mar 2003 17:26:19 -0000
8. # From: "GrΘgory" Le Bras <gregory.lebras@security-corporation.com>
9. # To: bugtraq@securityfocus.com
10. # Subject: [SCSA-012] Multiple vulnerabilities in Sambar Server
11. #
12.  
13. if(description)
14. {
15.  script_version ("$Revision: 1.6 $");
16.  script_id(11492);
17.  script_bugtraq_id(7209);
18.  script_name(english:"Sambar XSS");
19.  
20.  
21.  desc["english"] = "
22. The Sambar web server comes with a set of CGIs are that vulnerable
23. to a cross site scripting attack.
24.  
25. An attacker may use this flaw to steal the cookies of your web users.
26.  
27. Solution : Delete these CGIs
28. Risk factor : Medium";
29.  
30.  script_description(english:desc["english"]);
31.  
32.  summary["english"] = "Tests for XSS attacks";
33.  script_summary(english:summary["english"]);
34.  
35.  script_category(ACT_GATHER_INFO);
36.  
37.  script_copyright("This script is Copyright (C) 2003 Renaud Deraison");
38.  family["english"] = "CGI abuses";
39.  family["francais"] = "Abus de CGI";
40.  script_family(english:family["english"], francais:family["francais"]);
41.  script_dependencies("find_service.nes", "http_version.nasl", "cross_site_scripting.nasl");
42.  script_require_ports("Services/www", 80);
43.  script_require_keys("www/sambar");
44.  exit(0);
45. }
46.  
47. # The script code starts here
48.  
49. include("http_func.inc");
50. include("http_keepalive.inc");
51.  
52.  
53. port = get_http_port(default:80);
54.  
55. if(!get_port_state(port))exit(0);
56. if(get_kb_item(string("www/", port, "/generic_xss"))) exit(0);
57.  
58. cgis = make_list("/netutils/ipdata.stm?ipaddr=",
59.          "/netutils/whodata.stm?sitename=",
60.          "/netutils/finddata.stm?user=",
61.          "/isapi/testisa.dll?check1=",
62.          "/cgi-bin/environ.pl?param1=",
63.          "/samples/search.dll?login=AND&query=",
64.          "/wwwping/index.stm?wwwsite=",
65.          "/syshelp/stmex.stm?bar=456&foo=",
66.          "/syshelp/cscript/showfunc.stm?func=",
67.          "/syshelp/cscript/showfnc.stm?pkg=",
68.          "/sysuser/docmgr/ieedit.stm?path=",
69.          "/sysuser/docmgr/edit.stm?path=",
70.          "/sysuser/docmgr/iecreate.stm?path=",
71.          "/sysuser/docmgr/create.stm?path=",
72.          "/sysuser/docmgr/info.stm?path=",
73.          "/sysuser/docmgr/ftp.stm?path=",
74.          "/sysuser/docmgr/htaccess.stm?path=",
75.          "/sysuser/docmgr/mkdir.stm?path=",
76.          "/sysuser/docmgr/rename.stm?path=",
77.          "/sysuser/docmgr/search.stm?path=",
78.          "/sysuser/docmgr/sendmail.stm?path=",
79.          "/sysuser/docmgr/template.stm?path=",
80.          "/sysuser/docmgr/update.stm?path=",
81.          "/sysuser/docmgr/vccheckin.stm?path=",
82.          "/sysuser/docmgr/vccreate.stm?path=",
83.          "/sysuser/docmgr/vchist.stm?path=",
84.          "/cgi-bin/testcgi.exe?");
85.          
86. report = NULL;
87.  
88. foreach c (cgis)
89. {
90.  req = http_get(item:c+"<script>foo</script>", port:port);
91.  res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
92.  if( res == NULL ) exit(0);
93.  if("<script>foo</script>" >< res)
94.  {
95.   report += c + '<script>code</script>\n';
96.  }
97. }
98.  
99.  
100. if ( report != NULL )
101. {
102.  text = "
103. The following Sambar default CGIs are vulnerable to a cross-site scripting
104. attack. An attacker may use this flaw to steal the cookies of your
105. users :
106.  
107. " + report + "
108.  
109. Solution : Delete these CGIs.
110. Risk factor : Medium";
111.  
112.  security_warning(port:port, data:text);
113. }
114.