Lucene search
K

RoboHelp Server Multiple XSS (APSB09-02 Update 2)

🗓️ 26 Feb 2009 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 28 Views

RoboHelp Server Missing Update

Related
Refs
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2009-0523
26 Feb 200916:00
cve
Cvelist
CVE-2009-0523
26 Feb 200916:00
cvelist
EUVD
EUVD-2009-0527
7 Oct 202500:30
euvd
NVD
CVE-2009-0523
26 Feb 200916:17
nvd
Prion
Cross site scripting
26 Feb 200916:17
prion
seebug.org
Adobe RoboHelp和RoboHelp Server多个跨站脚本漏洞
27 Feb 200900:00
seebug
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(35737);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2009-0523");
  script_bugtraq_id(33887);
  script_xref(name:"Secunia", value:"34048");

  script_name(english:"RoboHelp Server Multiple XSS (APSB09-02 Update 2)");
  script_summary(english:"Checks for patched files");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by
multiple cross-site scripting vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"Adobe RoboHelp Server version 6 or 7 is installed on the remote host,
and it is missing updates included with Adobe security advisory
'APSB09-02 Update 2' involving the files 'redirect.asp',
'Report_Template.asp' and 'SQL_Lib.asp'. Provided an attacker has
access to 'RoboHelp Help Errors log' or is able to trick an user with
access to 'RoboHelp Help Errors log' to click on a malicious link, it
may be possible for him to execute arbitrary HTML and script code in
the victim's browser session.");
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb09-02.html");
  script_set_attribute(attribute:"solution", value:"Apply the patch referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(79);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:robohelp_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("smb_func.inc");


if (!get_kb_item("SMB/Registry/Enumerated")) exit(1, "KB 'SMB/Registry/Enumerated' not set to TRUE.");


# Connect to the appropriate share.
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) {
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,"IPC$");
}

# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

# Make sure it's installed.
path = NULL;

key = "SOFTWARE\Adobe\RoboHelp Server";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  info = RegQueryInfoKey(handle:key_h);
  for (i=0; i<info[1]; ++i)
  {
    subkey = RegEnumKey(handle:key_h, index:i);
    if (strlen(subkey) && subkey =~ "^[0-9]+\.")
    {
      key2 = key + "\" + subkey + "\System";
      key2_h = RegOpenKey(handle:hklm, key:key2, mode:MAXIMUM_ALLOWED);
      if (!isnull(key2_h))
      {
        item = RegQueryValue(handle:key2_h, item:"InstallPath");
        if (!isnull(item))
        {
          path = item[1];
          path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
        }
        RegCloseKey(handle:key2_h);
      }
    }
  }
  RegCloseKey (handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
  NetUseDel();
  exit(0);
}

# Determine the version of Robo.dll.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
dll = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\bin\Robo.dll", string:path);
NetUseDel(close:FALSE);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,share);
}

fh = CreateFile(
  file:dll,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);

ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}

vuln = FALSE;
# If it's an affected version...
if (
  !isnull(ver) &&
  (
    (ver[0] == 7) || (ver[0] == 6)
  )
)
{
  # Check if each affected file has been patched.
  files = make_list(
    "redirect.asp",
    "Report_Template.asp",
    "SQL_Lib.asp"
  );

  foreach file (files)
  {
    asp = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Reports\"+file, string:path);
    NetUseDel(close:FALSE);

    rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    if (rc != 1)
    {
      NetUseDel();
      break;
    }

    fh = CreateFile(
      file:asp,
      desired_access:GENERIC_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    if (!isnull(fh))
    {
      # Read an initial chunk.
      chunk = 35000;
      size = GetFileSize(handle:fh);
      if (size > 0)
      {
        if (chunk > size) chunk = size;
        data = ReadFile(handle:fh, length:chunk, offset:0);

        if(data)
        {
          if (
            file == 'redirect.asp' &&
            'if (<%=bSafe%>)' >!< data
          ) vuln = TRUE;
          else if (
            file == 'Report_Template.asp' &&
            'function escapeForXSS' >!< data
          ) vuln = TRUE;
          else if (
            file == 'SQL_Lib.asp' &&
            'escapeForXSS(' >!< data
          ) vuln = TRUE;
        }
      }
      CloseFile(handle:fh);

      if (vuln) break;
    }
  }
}
NetUseDel();

# Report if an issue was found.
if (vuln)
{
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
  security_warning(port);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Nov 2018 20:50Current
6.1Medium risk
Vulners AI Score6.1
CVSS 24.3
EPSS0.02078
28