[Plugins-writers] Plugin for the latest Mantis vulnerabilities

From: Joxean Koret (joxeankoret@private)
Date: Tue Sep 27 2005 - 04:44:15 PDT


Hi!

	I wrote a plugin for the latest Mantis Bugtracker vulnerabilities. The NASL plugin is attached.

Regards,
Joxean Koret


#
#
# This script was written by Joxean Koret <joxeankoretat_private>
#
# GPL
#

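if(description)
{
 # NOTE(review): the three ids below were left commented out in the submitted
 # plugin; confirm they refer to this issue before enabling them (they may
 # have been carried over from an earlier plugin using the same g_db_type probe).
 #script_id(10830); 
 #script_bugtraq_id(3759);
 #script_cve_id("CAN-2001-1209");
 script_version("$Revision: 1.0 $");

 name["english"] = "Mantis Bugtracker database scanner";
 script_name(english:name["english"]);
 
 # Report text shown to the user; spelling fixed ("poisoning", "It is also").
 desc["english"] = "
This version of Mantis Bugtracker is vulnerable to a variable poisoning 
attacks. It enables a remote attacker to scan for arbitrary databases and 
hosts in the web server's lan.

It is also reported that this version is vulnerable to Cross Site Scripting
attacks.

Solution: Update to Mantis 1.0.0RC1, 1.0.0RC2, 1.0 Final or higher
Risk factor : Medium";

 script_description(english:desc["english"]);
 
 summary["english"] = "Mantis Bugtracker is vulnerable to an exploit which lets an attacker scan arbitrary database systems and hosts that are in the web server's lan.";
 
 script_summary(english:summary["english"]);
 # Non-destructive check: it only sends a GET and inspects the reply.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005 Joxean Koret (joxeankoretat_private)");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);
 # Needs the service detection and HTTP version plugins to have run first.
 script_dependencie("find_service.nes", "http_version.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}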

include("http_func.inc");
include("http_keepalive.inc");

# Pick the web port discovered for this host (80 when nothing better is
# known) and stop right away if that port is not open.
port = get_http_port(default:80);
if ( ! get_port_state(port) ) exit(0);


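# Request the given path with the probe value in g_db_type and report a hole
# when the server echoes that value back in a successful (200) page.
#
# req : URL path (with query string) to request on the global `port`.
# Returns 1 when a hole was reported, 0 otherwise. Exits the script when the
# server does not answer at all, since no further directory can be tested.
function check(req)
{
  local_var q, r;

  q = http_get(item:req, port:port);
  r = http_keepalive_send_recv(port:port, data:q);

  if ( r == NULL ) exit(0);

  # Only a 200 reply counts: an error page or a redirect that merely echoes
  # the request line back would otherwise be reported as a finding.
  if ( ! ereg(pattern:"^HTTP/1\.[01] +200 ", string:r) ) return(0);

  # NOTE(review): matching the probe value alone assumes the application
  # reflects an unknown g_db_type in its error output — confirm against a
  # known-vulnerable install; a more specific error marker would be stronger.
  if ( "trying_it" >< r )
  {
    security_hole(port:port);
    return(1);
  }
  return(0);
}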

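# Probe the default install path first, then each CGI directory found by
# the HTTP discovery plugins. Stop at the first hit so the same finding is
# reported only once (the original kept going after the /mantis probe).
foreach dir (make_list("/mantis", cgi_dirs()))
{
 url = string(dir, "/core/database_api.php?g_db_type=trying_it");
 if ( check(req:url) ) exit(0);
}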








