Episodex Guestbook Unauthorized Access and HTML Injection Vulnerability

2005-11-03T00:00:00
ID OPENVAS:136141256231018362
Type openvas
Reporter Copyright (C) 2005 Josh Zlatin-Amishav
Modified 2019-11-21T00:00:00

Description

The remote version of Episodex Guestbook contains an input validation flaw leading to the execution on attacker supplied HTML and script code. In addition an unauthenticated remote attacker can directly access administrator functions.

                                        
                                            # OpenVAS Vulnerability Test
# Description: Episodex Guestbook Unauthorized Access and HTML Injection Vulnerability
#
# Authors:
# Josh Zlatin-Amishav <josh at tkos dot co dot il>
#
# Copyright:
# Copyright (C) 2005 Josh Zlatin-Amishav
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.18362");
  script_version("2019-11-21T13:29:18+0000");
  script_tag(name:"last_modification", value:"2019-11-21 13:29:18 +0000 (Thu, 21 Nov 2019)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_cve_id("CVE-2005-1684");
  script_bugtraq_id(13692, 13693);
  script_name("Episodex Guestbook Unauthorized Access and HTML Injection Vulnerability");
  script_category(ACT_GATHER_INFO);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2005 Josh Zlatin-Amishav");
  script_dependencies("find_service.nasl", "http_version.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_tag(name:"solution", value:"No known solution was made available for at least one year since the disclosure
  of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer
  release, disable respective features, remove the product or replace the product by another one.");

  script_tag(name:"summary", value:"The remote version of Episodex Guestbook contains an input
  validation flaw leading to the execution on attacker supplied HTML and script code. In addition
  an unauthenticated remote attacker can directly access administrator functions.");

  script_tag(name:"qod_type", value:"remote_analysis");
  script_tag(name:"solution_type", value:"WillNotFix");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if(!can_host_asp(port:port))
  exit(0);

foreach dir( make_list_unique( "/", cgi_dirs( port:port ) ) ) {

  if( dir == "/" )
    dir = "";

  url = dir + "/admin.asp";
  res = http_get_cache(item:url, port:port);
  if(!res)
    continue;

  if( 'Save Configuration' >< res && 'powered by Sven Moderow\'s GuestBook' >< res ) {
    report = report_vuln_url(port:port, url:url);
    security_message(port:port, data:report);
    exit(0);
  }
}

exit(99);