ID VIEWVC_INVALID_PARAM_INJECTION.NASL Type nessus Reporter This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-11-02T00:00:00
Description
The version of ViewVC hosted on the remote host is vulnerable to an
HTML injection attack. Requesting a URL with an invalid parameter
name in the query string generates an error message that echoes back
the parameter name. Any URLs included in the invalid parameter name
become hyperlinks. A remote attacker could trick a user into
requesting a malicious URL to facilitate a social engineering attempt.
According to some reports, there is also an unrelated cross-site
scripting issue in this version of ViewVC. Nessus has not checked for
that issue, so a negative result from this plugin does not rule it out.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration phase. When the scan engine loads the plugin with
# `description` set, this block only declares metadata and then exits
# (see the exit(0) at the end of the block), so no request is sent to
# the target from here.
if (description)
{
# Plugin identity, revision stamp, and the Bugtraq ID the finding maps to.
script_id(42348);
script_version("1.16");
script_cvs_date("Date: 2018/11/28 22:47:41");
script_bugtraq_id(36035);
script_name(english:"ViewVC Invalid Parameter Arbitrary HTML Injection");
script_summary(english:"Tries a non-persistent injection attack");
# Report text. The description also records a scope limit: a separately
# reported cross-site scripting issue is NOT tested by this plugin.
script_set_attribute( attribute:"synopsis", value:
"An application running on the remote web server has an HTML injection
vulnerability." );
script_set_attribute( attribute:"description", value:
"The version of ViewVC hosted on the remote host is vulnerable to a
HTML injection attack. Requesting a URL with an invalid parameter
name in the query string generates an error message that echoes back
the parameter name. Any URLs included in the invalid parameter name
become hyperlinks. A remote attacker could trick a user into
requesting a malicious URL to facilitate a social engineering attempt.
According to some reports, there is also an unrelated cross-site
scripting issue in this version of ViewVC, though Nessus has not
checked for that." );
# The see_also values are shortened links; the comment above each one
# gives the upstream URL it stands for.
# http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?846e7b9b");
# http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?66b6cc34"
);
# Remediation is a version upgrade; no configuration workaround is listed.
script_set_attribute(attribute:"solution", value:"Upgrade to ViewVC 1.0.9 or later.");
# CVSS v2 base vector: reachable over the network, medium access
# complexity, no authentication, partial integrity impact only
# (no confidentiality or availability impact).
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
# CVSS v2 temporal vector: exploitability unproven (E:U), official fix
# available (RL:OF), report confidence confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# CWE-20 (input validation), CWE-74 (injection) and CWE-79 (cross-site
# scripting) are the weakness entries that describe this finding.
# NOTE(review): the remaining IDs look like CWE category/view
# identifiers rather than weaknesses - confirm before relying on them.
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
# Timeline: disclosure, vendor patch, and first release of this plugin.
script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/06");
script_set_attribute(attribute:"patch_publication_date", value:"2009/08/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/03");
# "remote": the check is made over the network, not from local host data.
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:viewvc:viewvc");
script_end_attributes();
# ACT_ATTACK: the plugin sends a crafted request to the target instead of
# inferring the issue from a banner or version string.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses : XSS");
script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Scheduling constraints: run after viewvc_detect.nasl, skip when CGI
# scanning is disabled in the scan settings, and run only when a web
# service port and the "www/viewvc" knowledge-base key are present.
script_dependencies("viewvc_detect.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/viewvc");
# Leave before the check code; registration must not touch the target.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
# Check phase: send one GET request whose query string carries an invalid
# parameter name containing a harmless URL, then look for that URL
# rendered as a hyperlink in the response body.

# Pick the HTTP port to test and look up the ViewVC install recorded in
# the knowledge base (presumably by viewvc_detect.nasl - confirm).
# Exit quietly if no install is known for this port.
port = get_http_port(default:80);
install = get_install_from_kb(appname:'viewvc', port:port);
if (isnull(install)) exit(0, "ViewVC wasn't detected on port " + port);
# Create/encode the injection attack
# The parameter name is: SCRIPT_NAME, a closing `")`, a sentence that
# contains a benign marker URL (www.example.com), then a re-opened `("`
# and SCRIPT_NAME again. The value is the current Unix time.
# NOTE(review): the shape suggests the server's error message wraps the
# name as ("<name>") was passed, so the injected text reads as part of
# the page; the timestamp presumably keeps each request unique - confirm.
params = string(
SCRIPT_NAME,
'") was passed as a parameter. Visit http://www.example.com/ ',
'to figure out why ("', SCRIPT_NAME, '=', unixtime()
);
# Shouldn't encode : / or =
# The custom unreserved set keeps the marker URL and the name=value
# separator literal; characters outside the set (for example the spaces
# and double quotes in params) are percent-encoded by urlencode().
unreserved = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=";
encoded_params = urlencode(str:params, unreserved:unreserved);
# Evidence string. It requires the marker URL to come back wrapped in an
# <a href> element, so a response that merely reflects the text without
# turning the URL into a link does not match.
expected_output = string(
'Visit <a href="http://www.example.com/">http://www.example.com/</a> ',
'to figure out why ("', SCRIPT_NAME, '") was passed.'
);
# Make the GET request and see if injection worked
url = string(install['dir'], '/?', encoded_params);
res = http_send_recv3(method:"GET", item:url, port:port);
# No response at all is an error (exit code 1), not a "not affected" result.
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");
# `><` is the NASL substring operator; res[2] is the response body.
if (expected_output >< res[2])
{
# Record the finding in the knowledge base under the per-port XSS key so
# other plugins can see it.
set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
# With verbosity enabled, the report includes the exact request URL so
# the finding can be reproduced and verified after patching.
if (report_verbosity > 0)
{
report = get_vuln_report(items:url, port:port);
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
# NOTE(review): "not affected" here only means the evidence string was not
# found in this one response. A response that is rewritten, filtered or
# redirected before it reaches the scanner would give the same result,
# and the separately reported XSS issue is not tested at all.
else exit(0, "The ViewVC install at "+build_url(port:port, qs:install['dir']+"/")+" is not affected.");
{"id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "bulletinFamily": "scanner", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "description": "The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.", "published": "2009-11-03T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/nessus/42348", "reporter": "This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "cvelist": [], "type": "nessus", "lastseen": "2019-11-03T12:38:22", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:viewvc:viewvc"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. 
A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "edition": 4, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "33b85e1a899ffa7798c0516db6a492ec4096d567fa0598a1204a1370fbc9e478", "hashmap": [{"hash": "bbb19f56ce59c632312fe0e6f03eae5c", "key": "sourceData"}, {"hash": "3e1fa0e74d6a669571160007fdb505dc", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "988977a7bcd9de97dfafb879897b8fa6", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "460b12446c99e9f96de9e7fe92f5d167", "key": "modified"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "124ff91a91c4ba738ad062c3647fdf84", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2018-11-29T19:37:26", "modified": "2018-11-28T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.3", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"1.16\");\n 
script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_bugtraq_id(36035);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. 
Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 4, "lastseen": "2018-11-29T19:37:26"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:viewvc:viewvc"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. 
A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.", "edition": 7, "enchantments": {"dependencies": {"modified": "2019-10-28T21:42:13", "references": [{"idList": ["VIEWVC_DETECT.NASL"], "type": "nessus"}]}, "score": {"modified": "2019-10-28T21:42:13", "value": 0.7, "vector": "NONE"}}, "hash": "1733c9af92e662ac72ce9131a1b7f5eddb1caae5c1ae3f8dc988e512598b2b03", "hashmap": [{"hash": "d64f5cf88d6bc528abe9eaa30133f1b0", "key": "href"}, {"hash": "bbb19f56ce59c632312fe0e6f03eae5c", "key": "sourceData"}, {"hash": "3e1fa0e74d6a669571160007fdb505dc", "key": "cpe"}, {"hash": "22622c18846007e85ea7767c59effe24", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "de6cee9231854fc947084d2aa361f470", "key": "reporter"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2019-10-28T21:42:13", "modified": "2019-10-02T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.3", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "This script is Copyright (C) 
2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_bugtraq_id(36035);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n 
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. 
Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["modified"], "edition": 7, "lastseen": "2019-10-28T21:42:13"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:viewvc:viewvc"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. 
A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-02-21T01:12:39", "references": [{"idList": ["VIEWVC_DETECT.NASL"], "type": "nessus"}]}, "score": {"modified": "2019-02-21T01:12:39", "value": 0.7, "vector": "NONE"}}, "hash": "33b85e1a899ffa7798c0516db6a492ec4096d567fa0598a1204a1370fbc9e478", "hashmap": [{"hash": "bbb19f56ce59c632312fe0e6f03eae5c", "key": "sourceData"}, {"hash": "3e1fa0e74d6a669571160007fdb505dc", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "988977a7bcd9de97dfafb879897b8fa6", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "460b12446c99e9f96de9e7fe92f5d167", "key": "modified"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "124ff91a91c4ba738ad062c3647fdf84", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2019-02-21T01:12:39", "modified": "2018-11-28T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.3", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "Tenable", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_bugtraq_id(36035);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 
801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. 
Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["description", "reporter", "modified", "href"], "edition": 6, "lastseen": "2019-02-21T01:12:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. 
A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "edition": 1, "enchantments": {}, "hash": "21db8844e7e3aaaaa98734e939be99f47a74b1e3f88239dfdb8f93c71fad897b", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "988977a7bcd9de97dfafb879897b8fa6", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "28cd74cbb82c12ccf69836d2e205220a", "key": "sourceData"}, {"hash": "124ff91a91c4ba738ad062c3647fdf84", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "28033c5e0bf0c5f1073dc8996f5a8c76", "key": "modified"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2016-09-26T17:25:45", "modified": "2016-05-09T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.2", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 
2016/05/09 15:53:03 $\");\n\n script_bugtraq_id(36035);\n script_osvdb_id(70138);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. 
Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:45"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:viewvc:viewvc"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The version of ViewVC hosted on the remote host is vulnerable to a HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. 
A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.", "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "9b3799a9e65e8491771a5c7606157b30df40e3ccb547d85bff6d89f5b5b934b8", "hashmap": [{"hash": "3e1fa0e74d6a669571160007fdb505dc", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "988977a7bcd9de97dfafb879897b8fa6", "key": "description"}, {"hash": "61e021375865ee20d8f9e2562510b86f", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "73d9c7d2db90aa0822a391920474f3e2", "key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "28cd74cbb82c12ccf69836d2e205220a", "key": "sourceData"}, {"hash": "124ff91a91c4ba738ad062c3647fdf84", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "ff6dd49c61b1196959dab66bc076dd68", "key": "title"}, {"hash": "28033c5e0bf0c5f1073dc8996f5a8c76", "key": "modified"}, {"hash": "95715b554ac83b7bbdcb906d1adb084d", "key": "references"}, {"hash": "cfda673d6aeebf8cf6594c3e21bca55e", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=42348", "id": "VIEWVC_INVALID_PARAM_INJECTION.NASL", "lastseen": "2017-10-29T13:42:16", "modified": "2016-05-09T00:00:00", "naslFamily": "CGI abuses : XSS", "objectVersion": "1.3", "pluginID": "42348", "published": "2009-11-03T00:00:00", "references": ["http://www.nessus.org/u?846e7b9b", "http://www.nessus.org/u?66b6cc34"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"$Revision: 1.13 
$\");\n script_cvs_date(\"$Date: 2016/05/09 15:53:03 $\");\n\n script_bugtraq_id(36035);\n script_osvdb_id(70138);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. 
Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "title": "ViewVC Invalid Parameter Arbitrary HTML Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:42:16"}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "3e1fa0e74d6a669571160007fdb505dc"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "22622c18846007e85ea7767c59effe24"}, {"key": "href", "hash": "d64f5cf88d6bc528abe9eaa30133f1b0"}, {"key": "modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": "61e021375865ee20d8f9e2562510b86f"}, {"key": "pluginID", "hash": "73d9c7d2db90aa0822a391920474f3e2"}, {"key": "published", "hash": "cfda673d6aeebf8cf6594c3e21bca55e"}, {"key": "references", "hash": 
"95715b554ac83b7bbdcb906d1adb084d"}, {"key": "reporter", "hash": "de6cee9231854fc947084d2aa361f470"}, {"key": "sourceData", "hash": "bbb19f56ce59c632312fe0e6f03eae5c"}, {"key": "title", "hash": "ff6dd49c61b1196959dab66bc076dd68"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "13e0315d56afc8dad788322dd9524b96e282d764251fb79881560f76da588f2f", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["VIEWVC_DETECT.NASL"]}], "modified": "2019-11-03T12:38:22"}, "score": {"value": 0.7, "vector": "NONE", "modified": "2019-11-03T12:38:22"}, "vulnersScore": 0.7}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42348);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_bugtraq_id(36035);\n\n script_name(english:\"ViewVC Invalid Parameter Arbitrary HTML Injection\");\n script_summary(english:\"Tries a non-persistent injection attack\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"An application running on the remote web server has an HTML injection\nvulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of ViewVC hosted on the remote host is vulnerable to a\nHTML injection attack. Requesting a URL with an invalid parameter\nname in the query string generates an error message that echoes back\nthe parameter name. Any URLs included in the invalid parameter name\nbecome hyperlinks. 
A remote attacker could trick a user into\nrequesting a malicious URL to facilitate a social engineering attempt.\n\nAccording to some reports, there is also an unrelated cross-site\nscripting issue in this version of ViewVC, though Nessus has not\nchecked for that.\" );\n # http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2219\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?846e7b9b\");\n # http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?revision=2242&view=markup\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66b6cc34\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to ViewVC 1.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"viewvc_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/viewvc\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'viewvc', port:port);\nif (isnull(install)) exit(0, \"ViewVC wasn't detected on port \" + port);\n\n# Create/encode the injection attack\nparams = string(\n SCRIPT_NAME,\n '\") was passed as a parameter. Visit http://www.example.com/ ',\n 'to figure out why (\"', SCRIPT_NAME, '=', unixtime()\n);\n\n# Shouldn't encode : / or =\nunreserved = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.!~*'()-]:/=\";\nencoded_params = urlencode(str:params, unreserved:unreserved);\n\nexpected_output = string(\n 'Visit <a href=\"http://www.example.com/\">http://www.example.com/</a> ',\n 'to figure out why (\"', SCRIPT_NAME, '\") was passed.'\n);\n\n\n# Make the GET request and see if injection worked\nurl = string(install['dir'], '/?', encoded_params);\nres = http_send_recv3(method:\"GET\", item:url, port:port);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (expected_output >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(items:url, port:port);\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse exit(0, \"The ViewVC install at \"+build_url(port:port, qs:install['dir']+\"/\")+\" is not affected.\");\n", "naslFamily": "CGI abuses : XSS", "pluginID": "42348", "cpe": ["cpe:/a:viewvc:viewvc"], "scheme": null}
{"nessus": [{"lastseen": "2019-11-23T13:13:24", "bulletinFamily": "scanner", "description": "The remote host is running ViewVC, a web-based tool for browsing CVS\nand Subversion repositories.", "modified": "2019-11-02T00:00:00", "id": "VIEWVC_DETECT.NASL", "href": "https://www.tenable.com/plugins/nessus/42347", "published": "2009-11-03T00:00:00", "title": "ViewVC Detection", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42347);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_name(english:\"ViewVC Detection\");\n script_summary(english:\"Looks for ViewVC\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote web server is running a version control repository browser\nwritten in Python.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is running ViewVC, a web-based tool for browsing CVS\nand Subversion repositories.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.viewvc.org/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:viewvc:viewvc\");\n script_set_attribute(attribute:\"asset_inventory\", value:\"True\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:80);\n\ninstalls = NULL;\npattern = '<meta name=\"generator\" content=\"ViewVC ([0-9.]+)\" />';\ndirs = cgi_dirs();\n\n# The ViewVC INSTALL file has instructions for serving the app out the\n# following locations\nif (thorough_tests)\n{\n dirs = make_list(dirs, '/viewvc', '/cgi-bin/viewvc.cgi', '/viewvc.cgi');\n dirs = list_uniq(dirs);\n}\n\nforeach dir (dirs)\n{\n url = string(dir, '/');\n res = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail: 1);\n\n match = eregmatch(string:res[2], pattern:pattern, icase:TRUE);\n if (match)\n {\n installs = add_install(\n installs:installs,\n dir:dir,\n ver:match[1],\n appname:'viewvc',\n port:port,\n cpe: \"cpe:/a:viewvc:viewvc\"\n );\n\n if (!thorough_tests) break;\n }\n}\n\nif (isnull(installs)) exit(0, \"ViewVC wasn't detected on port \"+port+\".\");\n\nif (report_verbosity > 0)\n{\n report = get_install_report(\n display_name:'ViewVC',\n installs:installs,\n port:port\n );\n security_note(port:port, extra:report);\n}\nelse security_note(port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}