Re: imp_mime_viewer_html_xss.nasl

From: Renaud Deraison (deraisonat_private)
Date: Wed Aug 06 2003 - 12:27:09 PDT

Next message: George Theall: "Re: imp_mime_viewer_html_xss.nasl"

Previous message: Yorick Koster: "Some CAN-numbers for NASL-scripts"
In reply to: George Theall: "imp_mime_viewer_html_xss.nasl"
Next in thread: George Theall: "Re: imp_mime_viewer_html_xss.nasl"
Reply: George Theall: "Re: imp_mime_viewer_html_xss.nasl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Aug 02, 2003 at 06:04:47PM -0400, George Theall wrote:
> Hopefully, my plugin works as intended and can be included amongst the
> plugins distributed through nessus.org.  Comments? Flames?

Some comments :

> include("http_func.inc");

You should also include http_keepalive.inc to make http keep-alive
connections where possible.

> # nb: while nasl will auto-negotiate SSL, Apache on port 443 
> #     will often accept non-SSL connections but not understand
> #     the request so I force SSL to get around this problem.
> encaps = ENCAPS_IP;
> if (port == 443) {
>    encaps = ENCAPS_SSLv23;
> }

find_services.nes will force SSL negociation, so when the plugin is not
run in standalone mode, this should be a non-issue and should be
removed.

> 
> # Search for page in a couple of different locations.
> # nb: "webmail" is not a standard but is commonly used.
> dirs = make_list("", "/imp", "/horde/imp", "/webmail");

You should include cgi_dirs() as well. cgi_dirs() returns an array of
locations where webmirror.nasl found CGI scripts.

> foreach d (dirs) {
>   if (debug) display("debug: testing ", string(d, "/test.php...\n"));
>   get = http_get(item:string(d, "/test.php"), port:port);
>   soc = open_sock_tcp(port, transport:encaps);

Avoid an open_sock_tcp() in a foreach() when dealing with HTTP. Against
a SSL server this creates a lot of un-necessary overhead.

>   if (soc) {
>     send(socket:soc, data:get);
>     code = recv_line(socket:soc, length:4096);
>     if (debug) display("debug: code=>>", code, "<<\n");
>     if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 .*", string:code)) {
>       x = http_recv(socket:soc);
>       http_close_socket(soc);

Why look for a code 200 in that case ? Since you're looking for
"<li>IMP:" already, it only peforms an un-necessary regex call which
could be avoided.

>       # nb: version number is preceded by "<li>IMP: ".
>       x = strstr(x, "<li>IMP: ");
>       if (debug) display("debug: x =>>", x, "<<\n");
>       if (x) {
>         # nb: ignore "<li>IMP: " to get to start of version number.
>         start = substr(x, 9);
>         end = strstr(x, "</li>");
>         vers = start - end;
>         if (debug) display("debug: vers =>>", vers, "<<\n");
>         if (ereg(pattern:"3\.(0|1|2|2\.1)", string:vers)) {

You probably want to add [^0-9] somewhere at the end of the check. Also, 
are versions older than 3.x vulnerable to the XSS as well ? If so, your
regex should be :

	ereg(pattern:"[^0-9]([0-2]\..*|3\.([01]\..*|2\.[01])[^0-9])",

Which is better.

>           security_hole(port);
>           # nb: no sense testing any further.
>           break;

You can directly exit(0), that's even better.

Attached is a copy of what your code should be like.

text/plain attachment: imp_mime_viewer_html_xss.nasl

Next message: George Theall: "Re: imp_mime_viewer_html_xss.nasl"
Previous message: Yorick Koster: "Some CAN-numbers for NASL-scripts"
In reply to: George Theall: "imp_mime_viewer_html_xss.nasl"
Next in thread: George Theall: "Re: imp_mime_viewer_html_xss.nasl"
Reply: George Theall: "Re: imp_mime_viewer_html_xss.nasl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 06 2003 - 12:29:38 PDT