GoAhead WebServer Script Source Code Disclosure

2008-08-2200:00:00

plugins.openvas.org

6.5 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.055 Low

EPSS

Percentile

93.3%

JSON

A vulnerable version of GoAhead Webserver is running on the
remote host.

Description :

GoAhead Webserver is installed on the remote system.
It

# SPDX-FileCopyrightText: 2008 Ferdy Riphagen
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.2000099");
  script_version("2023-08-01T13:29:10+0000");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2008-08-22 16:09:14 +0200 (Fri, 22 Aug 2008)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_cve_id("CVE-2002-1603");
  script_xref(name:"OSVDB", value:"13295");
  script_name("GoAhead WebServer Script Source Code Disclosure");
  script_category(ACT_GATHER_INFO);
  script_family("Web Servers");
  script_copyright("Copyright (C) 2008 Ferdy Riphagen");
  script_dependencies("gb_goahead_detect.nasl");
  script_mandatory_keys("embedthis/goahead/detected");

  script_xref(name:"URL", value:"http://aluigi.altervista.org/adv/goahead-adv3.txt");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/9239");
  script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/975041");

  script_tag(name:"solution", value:"Upgrade to GoAhead WebServer 2.1.8 or a newer release.");

  script_tag(name:"summary", value:"A vulnerable version of GoAhead Webserver is running on the
  remote host.

  Description :

  GoAhead Webserver is installed on the remote system.
  It's an open-source webserver, which is capable of
  hosting ASP pages, and installation on multiple operating
  systems.

  The version installed is vulnerable to Script Source Code
  Disclosure, by adding extra characters to the URL. Possible
  characters are %00, %5C, %2F.");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

CPE = "cpe:/a:embedthis:goahead";

include("host_details.inc");
include("http_func.inc");

function GetFileExt(file) {
 ret = split(file, sep: '.');
 return ret;
}

if(!port = get_app_port(cpe:CPE)) exit(0);
get_app_location(cpe:CPE, port:port);

banner = http_get_remote_headers(port:port);

host = http_host_name(port:port);

# Possible default file which still could be available.
file[0] = "/treeapp.asp";

# Below options could possible create false-positives.
file[1] = "/default.asp";

if ("HTTP/1.0 302" && "Location:" >< banner) {
  redirect = egrep(pattern:"^Location:", string:banner);
  rfile = ereg_replace(pattern:"Location: http:\/\/+[^/]+", string:redirect, replace:"", icase:TRUE);

  # See if the file is really asp.
  ret = GetFileExt(file:rfile);
  if(!isnull(ret)) {
    if (ereg(pattern:"asp", string:ret[1], icase:1)) {
      file[2] = chomp(rfile);
    }
  }
}

for (n = 0; file[n]; n++) {

  url = file[n] + "%5C";
  req = string("GET ", url, " HTTP/1.1", "\r\n",
               "Host: ", host, "\r\n\r\n");
  res = http_send_recv(port:port, data:req); # Server doesn't support keepalives.

  if ('<% write(HTTP_AUTHORIZATION); %>' >< res ||
     ('<%' >< res && ('%>' >< res))) {
    report = http_report_vuln_url(port:port, url:url);
    security_message(port:port, data:report);
    exit(0);
  }
}

exit(99);