nessusThis script is Copyright (C) 2013-2020 Recx Ltd.ORACLE_APEX_CVE-2011-3525.NASL
HistoryFeb 20, 2013 - 12:00 a.m.

Oracle Application Express (Apex) CVE-2011-3525

2013-02-20 00:00:00
This script is Copyright (C) 2013-2020 Recx Ltd.
www.tenable.com
108

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.2%

An unspecified vulnerability in versions 3.2 and 4.0 of the Application Express (Apex) component of the Oracle Database Server allows remote, authenticated users to affect confidentiality, integrity, and availability, relating to the Apex developer user.

# ---------------------------------------------------------------------------------
# (c) Recx Ltd 2009-2012
# http://www.recx.co.uk/
#
# Detection script for CVE-2011-3525
# Ref: https://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html
# Oracle Application Express v3.2 <= x < v4.1
#
#   Unspecified vulnerability in the Application Express component in Oracle
#   Database Server 3.2 and 4.0 that allows remote authenticated users to affect
#   confidentiality, integrity, and availability, related to Apex developer user.
#
# Version 1.0
# ---------------------------------------------------------------------------------

include("compat.inc");

# Registration pass: when the plugin is loaded with 'description' set, this
# block only declares metadata (IDs, references, scoring, scheduling
# requirements) and exits before any of the checking code below runs.
if (description)
{
  script_id(64712);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # Vulnerability identifiers this plugin reports against.
  script_cve_id("CVE-2011-3525");
  script_bugtraq_id(50197);

  script_name(english:"Oracle Application Express (Apex) CVE-2011-3525");
  script_summary(english:"Checks whether vulnerable to CVE-2011-3525");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a vulnerable version of Oracle Apex.");
  script_set_attribute(attribute:"description", value:
"An unspecified vulnerability in versions 3.2 and 4.0 of the
Application Express (Apex) component of the Oracle Database Server
allows remote, authenticated users to affect confidentiality,
integrity, and availability, relating to the Apex developer user.");
  script_set_attribute(attribute:"see_also", value:"http://www.oracle.com/technetwork/developer-tools/apex/index.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html");
  script_set_attribute(attribute:"see_also", value:"https://www.recx.co.uk/downloads/Recx-Apex-CVE-2011-3525.pdf");
  script_set_attribute(attribute:"solution", value:
"Upgrade Application Express to at least version 4.1.");
  # CVSS v2 base vector: network reachable, low complexity, and Au:S, i.e. the
  # attacker needs one authenticated session (the "remote, authenticated
  # users" of the description); partial impact on C, I and A.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  # Temporal vector: exploitability unproven (E:U), official fix available
  # (RL:OF), report confidence confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_express");
  script_end_attributes();

  # Information-gathering category: the checking code below only reads
  # knowledge-base entries and compares a version string.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2013-2020 Recx Ltd.");

  # Scheduling requirements. The detection plugin is declared as a dependency
  # and the "Oracle/Apex" KB key as a prerequisite.
  # NOTE(review): presumably oracle_apex_detect_version.nasl is what writes the
  # Oracle/Apex/<port>/Version and /Location entries read below - confirm
  # against that script, including the format of the stored version string.
  script_dependencies("oracle_apex_detect_version.nasl");
  script_require_keys("Oracle/Apex");
  script_require_ports("Services/www", 8080, 80, 443);

  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

# Report a warning-severity finding on the given port.
#   port   - port the affected Apex install was found on
#   report - plugin output text (URL, installed and fixed version)
# The text is attached only when the global report_verbosity is above zero;
# otherwise the finding is raised with no extra output.
function raise_finding(port, report)
{
  if (!(report_verbosity > 0))
  {
    security_warning(port);
  }
  else
  {
    security_warning(port:port, extra:report);
  }
}

# Main check. Nothing here probes the flaw itself: the verdict is derived
# entirely from the version string a previous plugin stored in the KB, so a
# finding means "fingerprinted as an affected release", not "confirmed
# exploitable".
port = get_http_port(default:8080, embedded:TRUE);

if (!get_port_state(port))
  exit(0, "Port " + port + " is not open.");

# Both KB entries live under the same per-port prefix.
kb_prefix = "Oracle/Apex/" + port;

apex_version = get_kb_item(kb_prefix + "/Version");
if (!apex_version)
  exit(0, "The '" + kb_prefix + "/Version' KB item is not set.");

apex_path = get_kb_item(kb_prefix + "/Location");
if (!apex_path)
  exit(0, "The '" + kb_prefix + "/Location' KB item is not set.");

install_url = build_url(qs:apex_path, port:port);

# Affected releases are matched by exact string equality. A KB value in any
# other form (for example a longer build string) would fall through to the
# "not affected" exit below.
# NOTE(review): confirm the version format the detection plugin stores, since
# a mismatch here is a silent false negative.
affected = FALSE;
foreach vulnerable_release (make_list("3.2", "3.2.1", "4.0", "4.0.1", "4.0.2"))
{
  if (apex_version == vulnerable_release)
  {
    affected = TRUE;
    break;
  }
}

if (!affected)
  exit(0, "The Oracle Apex install at " + install_url + " is version " + apex_version + " and is not affected.");

finding = '\n  URL               : ' + install_url;
finding = finding + '\n  Installed version : ' + apex_version;
finding = finding + '\n  Fixed version     : 4.1' + '\n';

raise_finding(port:port, report:finding);
exit(0);
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| oracle | application_express | | cpe:/a:oracle:application_express |
