Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.WWW_EXPECT_XSS.NASL
HistoryAug 23, 2006 - 12:00 a.m.

Web Server Expect Header XSS

2006-08-2300:00:00
This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
180
JSON

The remote web server fails to sanitize the contents of an ‘Expect’ request header before using it to generate dynamic web content. An unauthenticated, remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially crafted ShockWave (SWF) files.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22254);
  script_version("1.32");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2006-3918", "CVE-2007-5944");
  script_bugtraq_id(19661, 26457);

  script_name(english:"Web Server Expect Header XSS");
  script_summary(english:"Checks for an XSS flaw involving Expect Headers");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is vulnerable to a cross-site scripting attack.");
  script_set_attribute(attribute:"description", value:
"The remote web server fails to sanitize the contents of an 'Expect'
request header before using it to generate dynamic web content.  An
unauthenticated, remote attacker may be able to leverage this issue to
launch cross-site scripting attacks against the affected service,
perhaps through specially crafted ShockWave (SWF) files.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/May/150");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/May/440");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2006/Jul/423");
  script_set_attribute(attribute:"see_also", value:"http://www.apache.org/dist/httpd/CHANGES_2.2");
  script_set_attribute(attribute:"see_also", value:"http://www.apache.org/dist/httpd/CHANGES_2.0");
  script_set_attribute(attribute:"see_also", value:"http://www.apache.org/dist/httpd/CHANGES_1.3");
  script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631");
  script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24017314");
  script_set_attribute(attribute:"solution", value:
"Check with the vendor for an update to the web server.  For Apache,
the issue is reportedly fixed by versions 1.3.35 / 2.0.57 / 2.2.2; for
IBM HTTP Server, upgrade to 6.0.2.13 / 6.1.0.1; for IBM WebSphere
Application Server, upgrade to 5.1.1.17.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-3918");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(79);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/23");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("find_service2.nasl", "http_version.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("raw.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (islocalhost() ) exit(0, "Nessus can not test for the issue over the loopback interface.");

port = get_http_port(default:80);
if ( get_port_transport(port) != ENCAPS_IP ) exit(0, "This script only works for HTTP connections");

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);


# Generate a request to exploit the flaw.
exploit = SCRIPT_NAME + " testing for BID 19661 <test>";
rq = http_mk_get_req(port: port, item: "/", add_headers: make_array("Expect", exploit));
buf = http_mk_buffer_from_req(req: rq);
if ( buf == NULL ) audit(AUDIT_FN_FAIL, "http_mk_buffer_from_req");

# Send the request but don't worry about the response.
filter = "tcp and "
 + "src host " + get_host_ip() + " and "
 + "src port " + port + " and "
 + "dst port " + get_source_port(soc);
res = send_capture(socket:soc, data:buf, pcap_filter:filter);
if (res == NULL) audit(AUDIT_RESP_NOT, port);
flags = get_tcp_element(tcp:res, element:"th_flags");
if (flags & TH_ACK == 0) exit(0, "The TCP response from the web server on port "+port+" was not an ACK.");


# Half-close the connection.
#
# nb: the server sends a 417 response only after the connection is
#     closed; a half-close allows us to receive the response.
ip = ip();
seq = get_tcp_element(tcp:res, element:"th_ack");
tcp = tcp(
  th_dport : port,
  th_sport : get_source_port(soc),
  th_seq   : seq,
  th_ack   : seq,
  th_win   : get_tcp_element(tcp:res, element:"th_win"),
  th_flags : TH_FIN|TH_ACK
);
halfclose = mkpacket(ip, tcp);
r = send_packet(halfclose, pcap_filter:filter, pcap_timeout:5);
if ( !isnull(r) && ("417 Expectation Failed" >< r ||
		    "417 invalid Expect header value:" >< r ) )
{
 res2 = strstr(r, "417 Expectation Failed");
 if ( isnull(res2) ) res2 = strstr(r, "417 invalid Expect header value:");
}


# There's a problem if we see our exploit in the response.
res = recv(socket:soc, length:1024);
close(soc);

if ( isnull(res)) res = res2;

if (
  res &&
  (
    "417 Expectation Failed" >< res ||
    "417 invalid Expect header value:" >< res
  ) &&
  exploit >< res
)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    report = '\n'
      + 'Nessus was able to exploit the issue using the following request :\n'
      + '\n'
      + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30)+'\n'
      + http_mk_buffer_from_req(req:rq)
      + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30)+ '\n';

    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');

Related

prion 2
cve 3
nessus 11
f5 2
httpd 1
ubuntucve 2
debiancve 2
oraclelinux 1
redhat 2
checkpoint_advisories 1
packetstorm 2
centos 3
exploitpack 1
osv 1
seebug 1
openvas 13
exploitdb 1
debian 1
suse 2
ubuntu 1
prion
prion
Cross site scripting
2007-11-14 01:46:00
Cross site scripting
2007-12-03 22:46:00
cve
cve
CVE-2007-5944
2007-11-14 01:46:00
CVE-2006-3918
2006-07-28 00:04:00
CVE-2007-6203
2007-12-03 22:46:00
nessus
nessus
RHEL 3 / 4 : httpd (RHSA-2006:0619)
2006-08-14 00:00:00
CentOS 3 / 4 : httpd (CESA-2006:0619)
2006-08-14 00:00:00
Oracle Linux 3 / 4 : httpd (ELSA-2006-0619)
2013-07-12 00:00:00
f5
f5
K6669 : Apache HTTP Expect header handling
2013-03-19 00:00:00
SOL6669 - Apache HTTP Expect header handling
2007-05-16 00:00:00
httpd
httpd
Apache Httpd < 1.3.35 : Expect header Cross-Site Scripting
2006-05-01 00:00:00
ubuntucve
ubuntucve
CVE-2006-3918
2006-07-27 00:00:00
CVE-2007-6203
2007-12-03 00:00:00
debiancve
debiancve
CVE-2006-3918
2006-07-28 00:04:00
CVE-2007-6203
2007-12-03 22:46:00
oraclelinux
oraclelinux
Moderate httpd security update
2006-11-30 00:00:00
redhat
redhat
(RHSA-2006:0619) httpd security update
2006-08-10 00:00:00
(RHSA-2006:0618) apache security update
2006-08-08 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache HTTP Server Header Injection Cross-Site Scripting (CVE-2006-3918)
2014-03-17 00:00:00
packetstorm
packetstorm
ProCheckUp Security Advisory 2007.37
2007-12-02 00:00:00
Oracle HTTP Server Header Cross Site Scripting
2011-06-14 00:00:00
centos
centos
apache security update
2006-08-08 23:33:33
httpd, mod_ssl security update
2006-08-24 16:29:11
httpd, mod_ssl security update
2006-08-10 22:42:31
exploitpack
exploitpack
Oracle HTTP Server - Cross-Site Scripting Header Injection
2011-06-13 00:00:00
osv
osv
apache - missing input sanitising
2006-09-04 00:00:00
seebug
seebug
Oracle HTTP Server - XSS Header Injection
2014-07-01 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-1167-1)
2008-01-17 00:00:00
Debian Security Advisory DSA 1167-1 (apache)
2008-01-17 00:00:00
SLES9: Security update for apache2,apache2-prefork,apache2-worker
2009-10-10 00:00:00
exploitdb
exploitdb
Oracle HTTP Server - Cross-Site Scripting Header Injection
2011-06-13 00:00:00
debian
debian
[SECURITY] [DSA 1167-1] New apache packages fix several vulnerabilities
2006-09-04 15:08:06
suse
suse
cryptographic problems in apache2
2006-09-08 14:34:17
cross site scripting in apache2,apache
2008-04-04 16:29:16
ubuntu
ubuntu
Apache vulnerabilities
2008-02-04 00:00:00
JSON
Related for WWW_EXPECT_XSS.NASL
prion2cve3nessus11f52httpd1ubuntucve2debiancve2oraclelinux1redhat2checkpoint_advisories1packetstorm2centos3exploitpack1osv1seebug1openvas13exploitdb1debian1suse2ubuntu1