ID HORDE_MNEMO_DETECT.NASL Type nessus Reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The remote host is running Mnemo, an open source PHP-based note
manager from the Horde Project.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
# Registration branch: the engine runs this once to collect the plugin's
# metadata, then exits before any network activity.
script_id(18133);
script_version("1.21");
script_cvs_date("Date: 2019/11/25");
script_name(english:"Horde Mnemo Detection");
script_summary(english:"Checks for presence of Mnemo");
script_set_attribute(attribute:"synopsis", value:"The remote web server contains a note manager written in PHP.");
script_set_attribute(attribute:"description", value:
"The remote host is running Mnemo, an open source PHP-based note
manager from the Horde Project.");
script_set_attribute(attribute:"see_also", value:"https://www.horde.org/apps/mnemo/");
script_set_attribute(attribute:"solution", value:"n/a");
# Inventory-only plugin: the detection itself carries no risk rating.
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:horde:mnemo_note_manager");
script_set_attribute(attribute:"asset_inventory", value:"True");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Runs after horde_detect.nasl (presumably the writer of the www/horde key
# required below) and is skipped when CGI scanning is disabled.
script_dependencies("horde_detect.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_keys("www/horde");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
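port = get_http_port(default:80, php: 1);
# Horde is a prerequisite: the per-port KB entry has the form
# "<version> under <dir>" (the regex below is the only parser of it here).
horde_install = get_kb_item(string("www/", port, "/horde"));
if (isnull(horde_install)) exit(0, "The 'www/"+port+"/horde' KB item is missing.");
matches = eregmatch(string:horde_install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(1, "Cannot parse KB entry");
horde_dir = matches[2];
# A root-level install is recorded as "/" (this script stores its own root
# installs that way, and the pattern above requires a leading slash). Drop it
# so later "horde_dir + '/...'" concatenations yield "/..." rather than "//...".
if (horde_dir == "/") horde_dir = "";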
# Search for version number in a couple of different pages.
# Pages that may reveal the Mnemo version, probed in this order:
# the Horde help pages first, then files shipped inside the Mnemo directory.
files = make_list(
"/services/help/?module=mnemo&show=menu",
"/services/help/?module=mnemo&show=about"
);
files = make_list(files, "/docs/CHANGES", "/lib/version.phps");
# Loop through directories.
# Directories to probe: only the configured CGI dirs by default; with thorough
# tests, also the conventional Mnemo locations (duplicates removed).
if (thorough_tests)
{
candidates = make_list("/mnemo", horde_dir+"/mnemo", cgi_dirs());
dirs = list_uniq(candidates);
}
else
{
dirs = make_list(cgi_dirs());
}
# installs maps a detected version string to a ';'-separated list of the
# directories it was found under (appended to further down).
installs = make_array();
foreach dir (dirs)
{
# Grab index.php.
w = http_send_recv3(method: "GET", follow_redirect: 0, item:string(dir, "/index.php"), port:port, exit_on_fail: 1);
# If we're redirected to a login page...
#
# nb: Horde itself redirects to a login page but without the 'url' parameter.
if ( w[0] =~ "^HTTP/[01.]+ 30[0-9] " &&
egrep(pattern:"^Location: .*/login\.php\?url=", string: w[1]))
{
# Reset per directory so a version found for an earlier dir is not reused.
version = NULL;
foreach file (files)
{
# Get the page.
# Help pages are served under the Horde base dir; everything else under this dir.
if ("/services/help" >< file) url = horde_dir + file;
else url = dir + file;
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail: 1);
# Specify pattern used to identify version string.
#
# - version 2.1
if ("show=menu" >< file)
{
pat = ">Mnemo H[0-9]+ \(([0-9]+\.[^<]+)\)</span>";
}
# - version 2.0
else if ("show=about" >< file)
{
pat = '>This is Mnemo +(.+)\\.<';
}
# - version 1.x
else if (file == "/docs/CHANGES")
{
pat = "^ *v([0-9]+\..+) *$";
}
# nb: another security risk -- ability to view PHP source.
# (A readable .phps file means the server is rendering PHP source; this
# plugin only extracts the version constant from it.)
else if (file == "/lib/version.phps")
{
pat = "MNEMO_VERSION', '(.+)'";
}
# - someone updated files but forgot to add a pattern???
else
{
exit(1, strcat("don't know how to handle file '", file));
}
# Get the version string.
# nb: the version is scraped from the remote response body, so it is
# attacker-influenced; it is stored in the KB and echoed in the report below,
# so consumers should treat it as untrusted data.
matches = egrep(pattern:pat, string:res[2]);
if (
matches &&
(
# nb: add an extra check in the case of the CHANGES file.
(file == "/docs/CHANGES" && "Mnemo " >< res[2]) ||
file != "/docs/CHANGES"
)
)
{
# egrep() may return several matching lines; the first one that captures wins.
foreach match (split(matches, keep:FALSE))
{
item = eregmatch(pattern:pat, string:match);
if (!isnull(item))
{
version = item[1];
break;
}
}
}
# If the version is known...
if (!isnull(version))
{
# An empty dir is the web root; record it as "/" so the KB value matches the
# "<version> under <dir>" form parsed for Horde above.
if (dir == "") dir = "/";
set_kb_item(
name:string("www/", port, "/horde_mnemo"),
value:string(version, " under ", dir)
);
if (installs[version]) installs[version] += ';' + dir;
else installs[version] = dir;
register_install(
app_name:"Horde Mnemo",
path:dir,
version:version,
port:port,
cpe: "cpe:/a:horde:mnemo_note_manager");
# Stop probing further files for this dir once a version is found.
break;
}
}
}
# Scan for multiple installations only if the "Perform thorough tests" setting is checked.
if (max_index(keys(installs)) && !thorough_tests) break;
}
# Report findings.
# Report findings: one "Version / URL" paragraph per distinct version,
# or a bare note when verbosity is off.
if (max_index(keys(installs)))
{
if (report_verbosity > 0)
{
info = "";
n = 0;
foreach ver (sort(keys(installs)))
{
info += ' Version : ' + ver + '\n';
paths = split(installs[ver], sep:";", keep:FALSE);
foreach path (sort(paths))
{
# Append a trailing slash unless the install is at the web root.
url = path;
if (path != '/') url += '/';
info += ' URL : ' + build_url(port:port, qs:url) + '\n';
n++;
}
info += '\n';
}
if (n == 1) noun = ' of Mnemo was';
else noun = 's of Mnemo were';
report = '\nThe following instance' + noun + ' detected on the remote host :\n\n' + info;
security_note(port:port, extra:report);
}
else security_note(port);
}
{"id": "HORDE_MNEMO_DETECT.NASL", "bulletinFamily": "scanner", "title": "Horde Mnemo Detection", "description": "The remote host is running Mnemo, an open source PHP-based note\nmanager from the Horde Project.", "published": "2005-04-26T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/nessus/18133", "reporter": "This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.horde.org/apps/mnemo/"], "cvelist": [], "type": "nessus", "lastseen": "2021-01-01T03:15:30", "edition": 21, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["HORDE_MNEMO_FOOTER_XSS.NASL", "HORDE_TEST_DISCLOSURE.NASL"]}], "modified": "2021-01-01T03:15:30", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2021-01-01T03:15:30", "rev": 2}, "vulnersScore": -0.4}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18133);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2019/11/25\");\n\n script_name(english:\"Horde Mnemo Detection\");\n script_summary(english:\"Checks for presence of Mnemo\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote web server contains a note manager written in PHP.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Mnemo, an open source PHP-based note\nmanager from the Horde Project.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.horde.org/apps/mnemo/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:horde:mnemo_note_manager\");\n script_set_attribute(attribute:\"asset_inventory\", value:\"True\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"horde_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/horde\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\n\nport = get_http_port(default:80, php: 1);\n\n\n# Horde is a prerequisite.\nhorde_install = get_kb_item(string(\"www/\", port, \"/horde\"));\nif (isnull(horde_install)) exit(0, \"The 'www/\"+port+\"/horde' KB item is missing.\");\nmatches = eregmatch(string:horde_install, pattern:\"^(.+) under (/.*)$\");\nif (isnull(matches)) exit(1, \"Cannot parse KB entry\");\nhorde_dir = matches[2];\n\n\n# Search for version number in a couple of different pages.\nfiles = make_list(\n \"/services/help/?module=mnemo&show=menu\",\n \"/services/help/?module=mnemo&show=about\",\n \"/docs/CHANGES\", \"/lib/version.phps\"\n);\n\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/mnemo\", horde_dir+\"/mnemo\", cgi_dirs()));\nelse dirs = make_list(cgi_dirs());\n\ninstalls = make_array();\nforeach dir (dirs)\n{\n # Grab index.php.\n w = http_send_recv3(method: \"GET\", follow_redirect: 0, item:string(dir, \"/index.php\"), port:port, exit_on_fail: 1);\n\n # If we're redirected to a login page...\n #\n # nb: Horde itself redirects to a login page but without the 'url' parameter.\n if ( w[0] =~ \"^HTTP/[01.]+ 30[0-9] \" &&\n egrep(pattern:\"^Location: .*/login\\.php\\?url=\", string: w[1]))\n {\n version = NULL;\n\n foreach file (files)\n {\n # Get the page.\n if 
(\"/services/help\" >< file) url = horde_dir + file;\n else url = dir + file;\n\n res = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail: 1);\n\n # Specify pattern used to identify version string.\n #\n # - version 2.1\n if (\"show=menu\" >< file)\n {\n pat = \">Mnemo H[0-9]+ \\(([0-9]+\\.[^<]+)\\)</span>\";\n }\n # - version 2.0\n else if (\"show=about\" >< file)\n {\n pat = '>This is Mnemo +(.+)\\\\.<';\n }\n # - version 1.x\n else if (file == \"/docs/CHANGES\")\n {\n pat = \"^ *v([0-9]+\\..+) *$\";\n }\n # nb: another security risk -- ability to view PHP source.\n else if (file == \"/lib/version.phps\")\n {\n pat = \"MNEMO_VERSION', '(.+)'\";\n }\n # - someone updated files but forgot to add a pattern???\n else\n {\n exit(1, strcat(\"don't know how to handle file '\", file));\n }\n\n # Get the version string.\n matches = egrep(pattern:pat, string:res[2]);\n if (\n matches &&\n (\n # nb: add an extra check in the case of the CHANGES file.\n (file == \"/docs/CHANGES\" && \"Mnemo \" >< res[2]) ||\n file != \"/docs/CHANGES\"\n )\n )\n {\n foreach match (split(matches, keep:FALSE))\n {\n item = eregmatch(pattern:pat, string:match);\n if (!isnull(item))\n {\n version = item[1];\n break;\n }\n }\n }\n\n # If the version is known...\n if (!isnull(version))\n {\n if (dir == \"\") dir = \"/\";\n set_kb_item(\n name:string(\"www/\", port, \"/horde_mnemo\"),\n value:string(version, \" under \", dir)\n );\n if (installs[version]) installs[version] += ';' + dir;\n else installs[version] = dir;\n\n register_install(\n app_name:\"Horde Mnemo\",\n path:dir,\n version:version,\n port:port,\n cpe: \"cpe:/a:horde:mnemo_note_manager\");\n\n break;\n }\n }\n }\n # Scan for multiple installations only if the \"Perform thorough tests\" setting is checked.\n if (max_index(keys(installs)) && !thorough_tests) break;\n}\n\n\n# Report findings.\nif (max_index(keys(installs)))\n{\n if (report_verbosity > 0)\n {\n info = \"\";\n n = 0;\n foreach version 
(sort(keys(installs)))\n {\n info += ' Version : ' + version + '\\n';\n foreach dir (sort(split(installs[version], sep:\";\", keep:FALSE)))\n {\n if (dir == '/') url = dir;\n else url = dir + '/';\n\n info += ' URL : ' + build_url(port:port, qs:url) + '\\n';\n n++;\n }\n info += '\\n';\n }\n\n report = '\\nThe following instance';\n if (n == 1) report += ' of Mnemo was';\n else report += 's of Mnemo were';\n report += ' detected on the remote host :\\n\\n' + info;\n\n security_note(port:port, extra:report);\n }\n else security_note(port);\n}\n", "naslFamily": "CGI abuses", "pluginID": "18133", "cpe": ["cpe:/a:horde:mnemo_note_manager"], "scheme": null}
{"nessus": [{"lastseen": "2021-01-20T11:31:51", "description": "According to its version, the remote installation of Mnemo fails to\nfully sanitize user-supplied input when setting the parent frame's\npage title by JavaScript in 'templates/common-footer.inc'. By\nleveraging this flaw, an attacker may be able to inject arbitrary HTML\nand script code into a user's browser to be executed in the context of\nthe affected website, thereby resulting in the theft of session\ncookies and similar attacks.", "edition": 26, "published": "2005-04-26T00:00:00", "title": "Horde Mnemo common-footer.inc Parent Frame Page XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1320"], "modified": "2005-04-26T00:00:00", "cpe": ["cpe:/a:horde:mnemo"], "id": "HORDE_MNEMO_FOOTER_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/18134", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(18134);\n script_version(\"1.19\");\n\n script_cve_id(\"CVE-2005-1320\");\n script_bugtraq_id(13362);\n\n script_name(english:\"Horde Mnemo common-footer.inc Parent Frame Page XSS\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to a cross-\nsite scripting attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the remote installation of Mnemo fails to\nfully sanitize user-supplied input when setting the parent frame's\npage title by JavaScript in 'templates/common-footer.inc'. 
By\nleveraging this flaw, an attacker may be able to inject arbitrary HTML\nand script code into a user's browser to be executed in the context of\nthe affected website, thereby resulting in the theft of session\ncookies and similar attacks.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.horde.org/archives/announce/2005/000197.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mnemo 1.1.4 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/04/26\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/04/22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:horde:mnemo\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Checks for cross-site scripting vulnerability in Mnemo common-footer.inc\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"horde_mnemo_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nif 
(!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/horde_mnemo\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n if (ver =~ \"^(0|1\\.(0|1$|1\\.[0-3]([^0-9]|$)))\")\n {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T11:31:51", "description": "The remote server is running Horde or a related project along with one\nor more test scripts. These scripts may leak server-side information\nthat is valuable to an attacker.", "edition": 19, "published": "2003-05-12T00:00:00", "title": "Horde test.php Direct Reqest Information Disclosure", "type": "nessus", "bulletinFamily": "scanner", "cvelist": [], "modified": "2003-05-12T00:00:00", "cpe": ["cpe:/a:horde:horde_application_framework"], "id": "HORDE_TEST_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/11617", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# This script was written by Sverre H. 
Huseby <shh@thathost.com>\n#\n# See the Nessus Scripts License for details\n#\n# Changes by Tenable:\n# - Revised plugin title (1/08/2009)\n# - Verbose exits, optimization\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(11617);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n\n script_name(english:\"Horde test.php Direct Reqest Information Disclosure\");\n script_summary(english:\"Checks if test.php is available in Horde et al\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that suffers from an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote server is running Horde or a related project along with one\nor more test scripts. These scripts may leak server-side information\nthat is valuable to an attacker.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Delete the affected scripts or make them unreadable by the web server.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/05/12\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:horde:horde_application_framework\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n\n script_copyright(english:\"(C) 2003-2021 Sverre H. 
Huseby\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\n \"http_version.nasl\",\n \"horde_detect.nasl\",\n \"imp_detect.nasl\", \n \"horde_ingo_detect.nasl\",\n \"horde_mnemo_detect.nasl\",\n \"horde_nag_detect.nasl\",\n \"horde_turba_detect.nasl\"\n );\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\nif (!can_host_php(port:port)) exit(0, \"The web server on port \"+port+ \"does not support PHP\");\n\n\nfiles = make_list(\"/test.php\", \"/test.php3\");\n\n\n# Generate a list of paths to check.\nndirs = 0;\n\napp_keys = make_list(\n \"horde\", \n \"imp\", \n \"horde_ingo\", \n \"horde_mnemo\", \n \"horde_nag\", \n \"horde_turba\"\n);\nforeach app_key (app_keys)\n{\n installs = get_kb_list(string(\"www/\", port, \"/\", app_key));\n if (installs)\n {\n foreach install (installs)\n {\n matches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\n if (!isnull(matches))\n {\n dir = matches[2];\n dirs[ndirs++] = dir;\n }\n }\n }\n}\n\ninfo = \"\";\nforeach d (dirs)\n{\n foreach f (files)\n {\n if (\"/\" == d) url = f;\n else url = string(d, f);\n\n req = http_get(item:url, port:port);\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n\n if (res == NULL)\n exit(1, \"The web server on port \"+port+\" did not answer\");\n\n if (\n 'PHP Version' >< res &&\n (\n 'Horde Version' >< res || \n 'IMP Version' >< res ||\n 'Ingo Version' >< res ||\n 'Mnemo Version' >< res ||\n 'Nag Version' >< res ||\n 'Turba Version' >< res\n )\n )\n {\n info += ' ' + url + '\\n';\n if (!thorough_tests) break;\n }\n }\n if (info && !thorough_tests) break;\n}\n\n\nif (info)\n{\n if (report_verbosity)\n {\n if (max_index(split(info)) > 1) s = \"s\";\n else s = \"\";\n\n report = string(\n 
\"\\n\",\n \"Nessus discovered the following test script\", s, \" :\\n\",\n \"\\n\",\n info\n );\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}