Tenable SecurityCenter 5.0.2 Audit File XSS (TNS-2015-12)

2016-03-16T00:00:00
ID SECURITYCENTER_5_2_0_AUDIT_XSS.NASL
Type nessus
Reporter Tenable
Modified 2018-12-14T00:00:00

Description

According to its version, the Tenable SecurityCenter application installed on the remote host is affected by a cross-site scripting (XSS) vulnerability due to improper validation of uploaded .audit files before they are rendered on the scan results page. An authenticated, remote attacker can exploit this, via a crafted .audit file that is later viewed by an administrator, to execute arbitrary script code in the viewing user's browser session.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# metadata (IDs, advisory text, scoring, dependencies) and exits at the end of
# this block, so none of the version-check logic further down runs.
if (description)
{
  script_id(89963);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/12/14");

  # Single CVE tracked by this check; the CVSS score source below points at the same ID.
  script_cve_id("CVE-2015-8503");

  script_name(english:"Tenable SecurityCenter 5.0.2 Audit File XSS (TNS-2015-12)");
  script_summary(english:"Checks the SecurityCenter version.");

  script_set_attribute(attribute:"synopsis", value:
"The application installed on the remote host is affected by a
cross-site scripting vulnerability.");
  # Advisory text shown to the analyst. The "arbitrary code" it mentions runs in
  # the browser session of whoever views the rendered .audit content. The closing
  # paragraph states that the result rests on the self-reported version only,
  # so a finding is an inference from the version string, not a confirmed test.
  script_set_attribute(attribute:"description", value:
"According to its version, the Tenable SecurityCenter application
installed on the remote host is affected by a cross-site scripting
(XSS) vulnerability due to improper validation of uploaded .audit
files before they are rendered on the scan results page. An
authenticated, remote attacker can exploit this, via a crafted .audit
file that is later viewed by an administrator, to execute arbitrary
code in the user's browser session.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-12");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Tenable SecurityCenter version 5.2.0.");
  # CVSS v2: network vector, low complexity, single authentication required,
  # partial integrity impact, no confidentiality or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  # CVSS v3.0: low privileges (PR:L) plus user interaction (UI:R) with changed
  # scope (S:C) -- consistent with a stored XSS that needs a second user to
  # view the uploaded file.
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8503");

  # Dates are recorded as given; the patch date (2015/12/16) precedes the
  # vulnerability publication date (2015/12/21).
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin is registered as information gathering, which
  # matches the description's statement that the issue itself is not tested.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The two detection plugins named here are declared as dependencies; the
  # check below reads a KB version item and an install record by these names.
  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  # NOTE(review): the arguments are KB key names rather than port numbers --
  # presumably so that either key being present is enough for the plugin to
  # run; confirm against the scanner's scheduling semantics.
  script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter");

  # End of the registration pass.
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

# Version-only check for TNS-2015-12: decide from the recorded SecurityCenter
# version string whether to report the audit-file XSS. Nothing is sent to the
# application here; a finding is an inference from the version alone.

# Preferred source: the version already stored in the KB. Findings based on it
# are reported against port 0.
port = 0;
version = get_kb_item("Host/SecurityCenter/Version");

if (empty_or_null(version))
{
  # Fallback: the registered install record. exit_if_unknown_ver:TRUE is passed
  # so an install without a usable version is not evaluated further.
  sc_install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  version = sc_install["version"];

  # NOTE(review): the report port is fixed at 443 instead of being read from
  # the install record -- confirm this holds for deployments on another port.
  port = 443;
}

# Only the exact string "5.0.2" is treated as affected; every other version
# value is audited as not vulnerable.
if (version != "5.0.2")
  audit(AUDIT_INST_VER_NOT_VULN, 'SecurityCenter', version);
else
{
  # NOTE(review): the XSS flag is always written under port 0, even when the
  # finding below is reported on port 443 -- confirm that consumers of
  # www/<port>/XSS still associate the flag with this report.
  set_kb_item(name:'www/0/XSS', value:TRUE);

  security_report_v4(
    severity:SECURITY_WARNING,
    port:port,
    extra:report_items_str(
      report_items:make_array(
        "Installed version", version,
        "Fixed version", "5.2.0"
      )
    )
  );
}