6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.048 Low
EPSS
Percentile
92.7%
The remote host is running a proxy web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user’s browser within the security context of the affected site.
#
# (C) Tenable Network Security, Inc.
#
#
# Source: cross_site_scripting.nasl
#
include("compat.inc");
if (description)
{
script_id(11634);
script_version("1.19");
script_cvs_date("Date: 2018/07/25 18:58:06");
script_cve_id("CVE-2003-0292");
script_bugtraq_id(7596);
script_name(english:"Proxy Web Server XSS");
script_summary(english:"Determine if the remote proxy is affected by a cross-site scripting vulnerability");
script_set_attribute(attribute:"synopsis", value:
"The remote proxy server is prone to cross-site scripting attacks." );
script_set_attribute(attribute:"description", value:
"The remote host is running a proxy web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site." );
script_set_attribute(attribute:"solution", value:
"Contact the vendor for a patch or upgrade." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/19");
script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
script_dependencies("find_service1.nasl", "httpver.nasl");
script_require_ports("Services/www", "Services/http_proxy", 8080);
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
exts = make_list(".jsp", ".shtml", ".thtml", ".cfm");
xss = "<SCRIPT>alert('Vulnerable')</SCRIPT>";
port = get_kb_item("Services/http_proxy");
if (! port) port = 3128;
if (! get_port_state(port)) exit(0, "Port "+port+" is closed.");
foreach e (exts)
{
rq = http_mk_proxy_request(scheme: "http", method: "GET", item: "/"+xss+e,
host: "xxxxxxxxxxx.", port: 80, version: 10);
w = http_send_recv_req(port:port, req: rq, exit_on_fail: 1);
txt = extract_pattern_from_resp(string: w[2], pattern: xss, code: "ST:");
if (strlen(txt) > 0)
{
set_kb_item(name: "www_proxy/"+port+"/generic_xss", value:TRUE);
if (report_verbosity <= 0)
security_warning(port: port);
else
{
e = '\nThe following request :\n\n' + crap(data: '-', length: 66) +'\n';
e += http_last_sent_request();
e += crap(data: '-', length: 66) +'\n\nproduced the following XSS :\n\n';
e += crap(data: '-', length: 66) + '\n';
e += txt;
e += crap(data: '-', length: 66) + '\n';
security_warning(port: port, extra: e);
}
exit(0);
}
}
exit(0, "The remote proxy on port "+port+" is not vulnerable.");