Mandrake Linux Security Advisory : xchat (MDKSA-2000:039-1)

2012-09-06T00:00:00
ID MANDRAKE_MDKSA-2000-039.NASL
Type nessus
Reporter Tenable
Modified 2013-05-31T00:00:00

Description

XChat 1.3.9 and later allow users to right-click on a URL appearing in an IRC discussion and select the 'Open in Browser' option. To open the URL in a browser, XChat passes the command to /bin/sh. Because the URL is supplied by other participants in the discussion and is interpreted by the shell, a malicious URL can execute arbitrary shell commands as the user who is running XChat. This update changes XChat to bypass the shell and execute the browser directly. Thanks go to Red Hat for providing the patch.

Update :

XChat 1.2.1 is vulnerable as well, so an update for Mandrake Linux 7.0 is now available.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2000:039. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

# Metadata registration: this branch runs only when `description` is true and
# ends with exit(0), so none of the host checks further down execute in that
# mode.
if (description)
{
  script_id(61832);
  script_version("$Revision: 1.3 $");
  script_cvs_date("$Date: 2013/05/31 23:43:24 $");

  # The vendor advisory id is the only cross-reference declared in this block;
  # no CVE or other xref is set, so findings have to be correlated on the
  # MDKSA id.
  script_xref(name:"MDKSA", value:"2000:039-1");

  script_name(english:"Mandrake Linux Security Advisory : xchat (MDKSA-2000:039-1)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Mandrake Linux host is missing a security update."
  );
  # Advisory text: the URL handed to 'Open in Browser' was passed through
  # /bin/sh, and the fix executes the browser directly instead.
  script_set_attribute(
    attribute:"description", 
    value:
"XChat 1.3.9 and later allow users to right-click on a URL appearing in
an IRC discussion and select the 'Open in Browser' option. To open the
URL in a browser, XChat passes the command to /bin/sh. This allows a
malicious URL the ability to execute arbitrary shell commands as the
user that is running XChat. This update changes the functionality of
XChat to bypass the shell and execute the browser directly. Thanks go
to Red Hat for providing the patch.

Update :

XChat 1.2.1 is vulnerable as well, so an update for 7.0 is now
available."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected xchat package.");
  # Severity is expressed only as this label; the block sets no CVSS vector or
  # score attribute.
  script_set_attribute(attribute:"risk_factor", value:"High");

  # Declared as a local check; it works from the package data named in
  # script_require_keys() below rather than from network probing of xchat.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # Two CPE entries: the xchat package and the Mandrake Linux 7.0 platform.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xchat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");

  # The vendor patch date (2000) is much older than the plugin date (2012).
  script_set_attribute(attribute:"patch_publication_date", value:"2000/08/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
  script_end_attributes();

  # NOTE(review): ACT_GATHER_INFO presumably marks the plugin as information
  # gathering only - confirm against the engine's category list.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # NOTE(review): ssh_get_info.nasl is presumably what fills the KB keys
  # required below from an authenticated login - confirm. The same keys are
  # read again by the checks after this block.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


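# Preconditions: hand off to audit() unless local checks are enabled, the host
# was identified as Mandrake, and an rpm package list was collected.
# NOTE(review): audit() comes from audit.inc and is expected to terminate the
# script; the later statements rely on that - confirm.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# The OS name is spelled the same way as in the architecture audit below so
# that both messages read consistently.
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86-family architecture strings are accepted; any other value is
# audited as "local checks not implemented" for that cpu.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


# A single package test: release MDK7.0, cpu i386, reference xchat-1.4.1-4mdk.
# NOTE(review): rpm_check() is defined in rpm.inc, which is not shown here. It
# presumably returns true when the installed xchat is older than the reference,
# and yank:"mdk" presumably strips the distribution tag before the comparison -
# confirm.
# No other release or architecture is tested, so the "not affected" audit at
# the end means only that this one check did not match. It is not evidence
# that an xchat build on the host has the shell-bypass fix.
flag = 0;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"xchat-1.4.1-4mdk", yank:"mdk")) flag++;


# Report on port 0. When report_verbosity is above 0, the text returned by
# rpm_report_get() is attached to the finding.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");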