Nessus plugin REDHAT_UNPATCHED-PLONE-RHEL5.NASL. This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 11, 2024 - 12:00 a.m.

RHEL 5 : plone (Unpatched Vulnerability)

2024-05-11 00:00:00
www.tenable.com
rhel 5
plone
unpatched vulnerabilities
privilege escalation
directory traversal
open redirect
cross-site scripting

AI Score

7.7

Confidence

High

EPSS

0.004

Percentile

72.7%

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • plone: privilege escalation for overwriting content without needing write permission (CVE-2020-7941)

  • Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. (CVE-2016-7135)

  • z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted GET request. (CVE-2016-7136)

  • Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from parameter to /login_form. (CVE-2016-7137)

  • Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. (CVE-2016-7138)

  • Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. (CVE-2016-7139)

  • Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. (CVE-2016-7140)

  • When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a ‘came_from’ parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the isURLInPortal check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix. (CVE-2017-1000481)

  • A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor clicks the home page link on the author page. (CVE-2017-1000482)

  • Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5. (CVE-2017-1000483)

  • By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don’t want to make it too easy for attackers by spelling it out here.) (CVE-2017-1000484)

  • An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker’s site. (CVE-2020-7936)

  • An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. (CVE-2020-7937)

  • plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. (CVE-2020-7938)

  • SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) (CVE-2020-7939)

  • Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. (CVE-2020-7940)

  • Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user’s cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and mitigation measures is available in the GitHub Security Advisory. (CVE-2022-23599)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
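Several of the items above (CVE-2017-1000481, CVE-2017-1000484, CVE-2020-7936) come down to the same defensive check: a `came_from` redirect target is honoured only if it stays inside the portal. The Python below is an added illustration of that idea for this page; it is not Plone's isURLInPortal implementation and not code from the Nessus plugin. The portal URL, the function names and the sample `came_from` values are all constructed for the example.

```python
"""Illustrative same-portal redirect check (constructed example, not Plone's code)."""
from urllib.parse import urljoin, urlsplit

# Constructed portal root; a real deployment would take this from the site configuration.
PORTAL_URL = "https://plone.example.org/site"


def is_url_in_portal(url, portal_url=PORTAL_URL):
    """Return True only if `url` resolves to a page below `portal_url`.

    Mirrors the intent of Plone's isURLInPortal check (http/https only, same host,
    path under the portal root) but is an independent, hypothetical implementation.
    """
    if not url:
        return False
    # Browsers treat "\\evil.example" like "//evil.example"; normalise before parsing.
    candidate = url.replace("\\", "/").strip()
    # Control characters or embedded whitespace can hide a host from naive checks.
    if any(ord(ch) < 0x21 for ch in candidate):
        return False

    portal = urlsplit(portal_url)
    # Resolve relative targets against the portal root: "folder/page" stays inside,
    # while a scheme-relative "//evil.example" becomes an absolute URL on a foreign host.
    resolved = urlsplit(urljoin(portal_url.rstrip("/") + "/", candidate))

    if resolved.scheme not in ("http", "https"):
        return False  # rejects javascript:, data: and other non-web schemes
    if resolved.netloc.lower() != portal.netloc.lower():
        return False  # foreign host, including look-alike suffixes
    # Compare with a trailing slash so "/siteevil/..." does not match "/site".
    portal_path = portal.path.rstrip("/") + "/"
    return (resolved.path.rstrip("/") + "/").startswith(portal_path)


def safe_redirect_target(came_from, portal_url=PORTAL_URL):
    """Return `came_from` if it is safe to redirect to, otherwise the portal root."""
    return came_from if is_url_in_portal(came_from, portal_url) else portal_url


if __name__ == "__main__":
    # Constructed sample came_from values, as a login form might receive them.
    samples = [
        "folder/page",
        "https://plone.example.org/site/folder/page",
        "//evil.example/phish",
        "\\\\evil.example/phish",
        "javascript:alert(1)",
        "https://plone.example.org/other-app",
        "https://plone.example.org.evil.example/site",
    ]
    for sample in samples:
        print(f"{sample!r:50} -> {safe_redirect_target(sample)}")
```

The check resolves the candidate against the portal root first, so relative paths are accepted while scheme-relative and backslash forms are exposed as foreign hosts; the trailing-slash prefix comparison stops a sibling path such as `/siteevil` from passing as the portal. Anything that fails falls back to the portal root rather than to the attacker-supplied value.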

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory plone. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196784);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-7135",
    "CVE-2016-7136",
    "CVE-2016-7137",
    "CVE-2016-7138",
    "CVE-2016-7139",
    "CVE-2016-7140",
    "CVE-2017-1000481",
    "CVE-2017-1000482",
    "CVE-2017-1000483",
    "CVE-2017-1000484",
    "CVE-2020-7936",
    "CVE-2020-7937",
    "CVE-2020-7938",
    "CVE-2020-7939",
    "CVE-2020-7940",
    "CVE-2020-7941",
    "CVE-2022-23599"
  );

  script_name(english:"RHEL 5 : plone (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - plone: privilege escalation for overwriting content without needing write permission (CVE-2020-7941)

  - Directory traversal vulnerability in Plone CMS 5.x through 5.0.6 and 4.2.x through 4.3.11 allows remote
    administrators to read arbitrary files via a .. (dot dot) in the path parameter in a getFile action to
    Plone/++theme++barceloneta/@@plone.resourceeditor.filemanager-actions. (CVE-2016-7135)

  - z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-
    site scripting (XSS) attacks via a crafted GET request. (CVE-2016-7136)

  - Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x
    through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks
    via a URL in the referer parameter to (1)
    %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2)
    folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b /portlets.Actions or the (3) came_from
    parameter to /login_form. (CVE-2016-7137)

  - Cross-site scripting (XSS) vulnerability in the URL checking infrastructure in Plone CMS 5.x through
    5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script
    or HTML via a crafted URL. (CVE-2016-7138)

  - Cross-site scripting (XSS) vulnerability in an unspecified page template in Plone CMS 5.x through 5.0.6,
    4.x through 4.3.11, and 3.3.x through 3.3.6 allows remote attackers to inject arbitrary web script or HTML
    via unknown vectors. (CVE-2016-7139)

  - Multiple cross-site scripting (XSS) vulnerabilities in the ZMI page in Zope2 in Plone CMS 5.x through
    5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to inject arbitrary web script
    or HTML via unspecified vectors. (CVE-2016-7140)

  - When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a
    'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried
    to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You
    would login, and get redirected to the site of the attacker, letting you think that you are still on the
    original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks
    are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on
    the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were
    discovered, and fixed with this hotfix. (CVE-2017-1000481)

  - A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and
    have this executed when a visitor clicks the home page link on the author page. (CVE-2017-1000482)

  - Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1.
    This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the
    hotfix is only relevant for Plone 4 and 5. (CVE-2017-1000483)

  - By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own
    website. On its own this is not so bad: the attacker could more easily link directly to his own website
    instead. But in combination with another attack, you could be sent to the Plone login form and login, then
    get redirected to the specific url, and then get a second redirect to the attacker website. (The specific
    url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by
    spelling it out here.) (CVE-2017-1000484)

  - An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an
    attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to
    an attacker's site. (CVE-2020-7936)

  - An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to
    insert JavaScript that will be executed when other users access the site. (CVE-2020-7937)

  - plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their
    privileges up to the highest level. (CVE-2020-7938)

  - SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted
    SQL queries. (This is a problem in Zope.) (CVE-2020-7939)

  - Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak
    passwords, leading to easier cracking. (CVE-2020-7940)

  - Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are
    dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site
    scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen
    page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can
    get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this
    depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a
    fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen
    page is not stored in the cache. More information about the vulnerability and mitigation measures is
    available in the GitHub Security Advisory. (CVE-2022-23599)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-7941");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:conga");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'conga', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'conga'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'conga');
}
Vendor | Product          | Version | CPE
redhat | enterprise_linux | 5       | cpe:/o:redhat:enterprise_linux:5
redhat | enterprise_linux | conga   | p-cpe:/a:redhat:enterprise_linux:conga
