ID VIEWVC_INVALID_PARAM_INJECTION.NASL Type nessus Reporter Tenable Modified 2018-08-08T00:00:00
Description
The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.
According to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(42348);
script_version("1.15");
script_cvs_date("Date: 2018/08/08 12:52:13");
script_bugtraq_id(36035);
script_name(english:"ViewVC Invalid Parameter Arbitrary HTML Injection");
script_summary(english:"Tries a non-persistent injection attack");
script_set_attribute( attribute:"synopsis", value:
"An application running on the remote web server has an HTML injection
vulnerability." );
script_set_attribute( attribute:"description", value:
"The version of ViewVC hosted on the remote host is vulnerable to a
HTML injection attack. Requesting a URL with an invalid parameter
name in the query string generates an error message that echoes back
the parameter name. Any URLs included in the invalid parameter name
become hyperlinks. A remote attacker could trick a user into
requesting a malicious URL to facilitate a social engineering attempt.
According to some reports, there is also an unrelated cross-site
scripting issue in this version of ViewVC, though Nessus has not
checked for that." );
# http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?846e7b9b");
# http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?66b6cc34"
);
script_set_attribute(attribute:"solution", value:"Upgrade to ViewVC 1.0.9 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/06");
script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/03");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:viewvc:viewvc");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
script_dependencies("viewvc_detect.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/viewvc");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
port = get_http_port(default:80);
install = get_install_from_kb(appname:'viewvc', port:port);
if (isnull(install)) exit(0, "ViewVC wasn't detected on port " + port);
# Create/encode the injection attack
params = string(
SCRIPT_NAME,
'") was passed as a parameter. Visit http://www.example.com/ ',
'to figure out why ("', SCRIPT_NAME, '=', unixtime()
);
# Shouldn't encode : / or =
unreserved = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=";
encoded_params = urlencode(str:params, unreserved:unreserved);
expected_output = string(
'Visit <a href="http://www.example.com/">http://www.example.com/</a> ',
'to figure out why ("', SCRIPT_NAME, '") was passed.'
);
# Make the GET request and see if injection worked
url = string(install['dir'], '/?', encoded_params);
res = http_send_recv3(method:"GET", item:url, port:port);
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");
if (expected_output >< res[2])
{
set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
if (report_verbosity > 0)
{
report = get_vuln_report(items:url, port:port);
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
else exit(0, "The ViewVC install at "+build_url(port:port, qs:install['dir']+"/")+" is not affected.");
{"id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "bulletinFamily": "scanner", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "published": "2009-11-03T00:00:00", "modified": "2018-08-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "reporter": "Tenable", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "cvelist": [], "type": "nessus", "lastseen": "2018-08-10T17:24:06", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "edition": 1, "enchantments": {}, "hash": "21db8844e7e3aaaaa98734e939be99f47a74b1e3f88239dfdb8f93c71fad897b", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "988977a7bcd9de97dfafb879897b8fa6", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "28cd74cbb82c12ccf69836d2e205220a", "key": "sourceData"}, {"hash": "124ff91a91c4ba738ad062c3647fdf84", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "28033c5e0bf0c5f1073dc8996f5a8c76", "key": "modified"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2016-09-26T17:25:45", "modified": "2016-05-09T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.2", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2016/05/09 15:53:03 $\");\n\n script_bugtraq_id(36035);\n script_osvdb_id(70138);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:45"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:viewvc:viewvc"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "9b3799a9e65e8491771a5c7606157b30df40e3ccb547d85bff6d89f5b5b934b8", "hashmap": [{"hash": "3e1fa0e74d6a669571160007fdb505dc", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "988977a7bcd9de97dfafb879897b8fa6", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "28cd74cbb82c12ccf69836d2e205220a", "key": "sourceData"}, {"hash": "124ff91a91c4ba738ad062c3647fdf84", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "28033c5e0bf0c5f1073dc8996f5a8c76", "key": "modified"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2017-10-29T13:42:16", "modified": "2016-05-09T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.3", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2016/05/09 15:53:03 $\");\n\n script_bugtraq_id(36035);\n script_osvdb_id(70138);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:42:16"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "3e1fa0e74d6a669571160007fdb505dc"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "988977a7bcd9de97dfafb879897b8fa6"}, {"key": "href", "hash": "124ff91a91c4ba738ad062c3647fdf84"}, {"key": "modified", "hash": "63329048f010c87d85370bb01ea70b93"}, {"key": "naslFamily", "hash": "61e021375865ee20d8f9e2562510b86f"}, {"key": "pluginID", "hash": "73d9c7d2db90aa0822a391920474f3e2"}, {"key": "published", "hash": "cfda673d6aeebf8cf6594c3e21bca55e"}, {"key": "references", "hash": "95715b554ac83b7bbdcb906d1adb084d"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "a40dae96a0fe4f82aa2ddebd42240ec0"}, {"key": "title", "hash": "ff6dd49c61b1196959dab66bc076dd68"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "d29607b00915c84ad9c385ca078ea407bb23975f33aa3147aa09c1f887e72505", "viewCount": 0, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/08/08 12:52:13\");\n\n script_bugtraq_id(36035);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "naslFamily": "CGI abuses : XSS", "pluginID": "42348", "cpe": ["cpe:/a:viewvc:viewvc"]}
