Apache Roller 'q' Parameter Cross Site Scripting Vulnerability
2009-08-12T00:00:00
ID OPENVAS:1361412562310800678 Type openvas Reporter Copyright (C) 2009 Greenbone Networks GmbH Modified 2019-07-23T00:00:00
Description
This host is running Apache Roller and is prone to a Cross Site Scripting
vulnerability.
##############################################################################
# OpenVAS Vulnerability Test
#
# Apache Roller 'q' Parameter Cross Site Scripting Vulnerability
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
################################################################################
CPE = "cpe:/a:apache:roller";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.800678");
script_version("2019-07-23T10:31:33+0000");
script_tag(name:"last_modification", value:"2019-07-23 10:31:33 +0000 (Tue, 23 Jul 2019)");
script_tag(name:"creation_date", value:"2009-08-12 19:54:51 +0200 (Wed, 12 Aug 2009)");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_bugtraq_id(33110);
script_cve_id("CVE-2008-6879");
script_name("Apache Roller 'q' Parameter Cross Site Scripting Vulnerability");
script_xref(name:"URL", value:"http://secunia.com/advisories/31523");
script_xref(name:"URL", value:"http://issues.apache.org/roller/browse/ROL-1766");
script_tag(name:"qod_type", value:"remote_banner");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
script_family("Web application abuses");
script_dependencies("gb_apache_roller_detect.nasl");
script_mandatory_keys("ApacheRoller/detected");
script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to inject arbitrary
HTML codes in the context of the affected web application.");
script_tag(name:"affected", value:"Apache Roller version 2.x, 3.x and 4.0.");
script_tag(name:"insight", value:"The issue is due to input validation error in 'q' parameter when performing
a search. It is not properly sanitised before being returned to the user.");
script_tag(name:"summary", value:"This host is running Apache Roller and is prone to a Cross Site Scripting
vulnerability.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"solution", value:"Upgrade to Apache Roller Version 4.0.1 or later or
apply the patch via the references.");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if (!port = get_app_port(cpe: CPE))
exit(0);
if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
exit(0);
version = infos["version"];
location = infos["location"];
if (version_is_less(version: version, test_version: "4.0.1")) {
report = report_fixed_ver(installed_version: version, fixed_version: "4.0.1", install_path: location);
security_message(port: port, data: report);
exit(0);
}
exit(99);
{"id": "OPENVAS:1361412562310800678", "type": "openvas", "bulletinFamily": "scanner", "title": "Apache Roller 'q' Parameter Cross Site Scripting Vulnerability", "description": "This host is running Apache Roller and is prone to a Cross Site Scripting\n vulnerability.", "published": "2009-08-12T00:00:00", "modified": "2019-07-23T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800678", "reporter": "Copyright (C) 2009 Greenbone Networks GmbH", "references": ["http://issues.apache.org/roller/browse/ROL-1766", "http://secunia.com/advisories/31523"], "cvelist": ["CVE-2008-6879"], "lastseen": "2019-07-23T16:21:40", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-6879"]}, {"type": "openvas", "idList": ["OPENVAS:800678"]}, {"type": "nessus", "idList": ["APACHE_ROLLER_Q_XSS.NASL"]}], "modified": "2019-07-23T16:21:40", "rev": 2}, "score": {"value": 4.4, "vector": "NONE", "modified": "2019-07-23T16:21:40", "rev": 2}, "vulnersScore": 4.4}, "pluginID": "1361412562310800678", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Roller 'q' Parameter Cross Site Scripting Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nCPE = \"cpe:/a:apache:roller\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800678\");\n script_version(\"2019-07-23T10:31:33+0000\");\n script_tag(name:\"last_modification\", value:\"2019-07-23 10:31:33 +0000 (Tue, 23 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-08-12 19:54:51 +0200 (Wed, 12 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_bugtraq_id(33110);\n script_cve_id(\"CVE-2008-6879\");\n\n script_name(\"Apache Roller 'q' Parameter Cross Site Scripting Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/31523\");\n script_xref(name:\"URL\", value:\"http://issues.apache.org/roller/browse/ROL-1766\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_roller_detect.nasl\");\n script_mandatory_keys(\"ApacheRoller/detected\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to inject arbitrary\n HTML codes in the context of the affected web application.\");\n\n script_tag(name:\"affected\", value:\"Apache Roller version 2.x, 3.x and 4.0.\");\n\n script_tag(name:\"insight\", value:\"The issue is due to input validation error in 'q' parameter when performing\n a search. It is not properly sanitised before being returned to the user.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Roller and is prone to a Cross Site Scripting\n vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Roller Version 4.0.1 or later or\n apply the patch via the references.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: version, test_version: \"4.0.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.0.1\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2020-10-03T11:51:05", "description": "Cross-site scripting (XSS) vulnerability in Apache Roller 2.3, 3.0, 3.1, and 4.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter in a search action.", "edition": 3, "cvss3": {}, "published": "2009-07-30T19:30:00", "title": "CVE-2008-6879", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-6879"], "modified": "2009-07-31T04:00:00", "cpe": ["cpe:/a:apache:roller:2.3", "cpe:/a:apache:roller:3.0", "cpe:/a:apache:roller:4.0", "cpe:/a:apache:roller:3.1"], "id": "CVE-2008-6879", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6879", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:apache:roller:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:roller:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:roller:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:roller:3.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:14:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-6879"], "description": "This host is running Apache Roller and is prone to Cross Site Scripting\n vulnerability.", "modified": "2016-12-28T00:00:00", "published": "2009-08-12T00:00:00", "id": "OPENVAS:800678", "href": "http://plugins.openvas.org/nasl.php?oid=800678", "type": "openvas", "title": "Apache Roller 'q' Parameter Cross Site Scripting Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_roller_xss_vuln_aug09.nasl 4865 2016-12-28 16:16:43Z teissa $\n#\n# Apache Roller 'q' Parameter Cross Site Scripting Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\ntag_solution = \"Upgrade to Apache Roller Version 4.0.1 or later or\n apply the patch.\n http://roller.apache.org/download.cgi\n http://issues.apache.org/roller/browse/ROL-1766\n\n *****\n NOTE: Please ignore this warning if the patch is applied.\n *****\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to inject arbitrary\n HTML codes in the context of the affected web application.\n Impact Level: Application\";\ntag_affected = \"Apache Roller Version 2.x, 3.x and 4.0\";\ntag_insight = \"The issue is due to input validation error in 'q' parameter when performing\n a search. It is not properly sanitised before being returned to the user.\";\ntag_summary = \"This host is running Apache Roller and is prone to Cross Site Scripting\n vulnerability.\";\n\nif(description)\n{\n script_id(800678);\n script_version(\"$Revision: 4865 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-28 17:16:43 +0100 (Wed, 28 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-08-12 19:54:51 +0200 (Wed, 12 Aug 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_bugtraq_id(33110);\n script_cve_id(\"CVE-2008-6879\");\n script_name(\"Apache Roller 'q' Parameter Cross Site Scripting Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/31523\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_roller_detect.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nrollerPort = get_http_port(default:8080);\nif(!rollerPort){\n rollerPort = 8080;\n}\n\nrollerVer = get_kb_item(\"www/\" + rollerPort + \"/ApacheRoller\");\nif(!rollerVer){\n exit(0);\n}\n\nif(version_in_range(version:rollerVer, test_version:\"2.0\", test_version2:\"2.3\") ||\n version_in_range(version:rollerVer, test_version:\"3.0\", test_version2:\"3.1\") ||\n version_is_equal(version:rollerVer, test_version:\"4.0\")){\n security_message(rollerPort);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-01T01:20:55", "description": "The remote host is running Apache Roller, a multi-user blog server\nwritten in Java. \n\nThe version of Apache Roller installed on the remote host fails to\nsanitize user input to the 'q' parameter of search requests before\nincluding it in dynamic HTML output. An attacker may be able to\nleverage this issue to inject arbitrary HTML and script code into a\nuser's browser to be executed within the security context of the\naffected site.", "edition": 24, "published": "2009-01-07T00:00:00", "title": "Apache Roller q Parameter XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-6879"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apache:roller"], "id": "APACHE_ROLLER_Q_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/35299", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35299);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2008-6879\");\n script_bugtraq_id(33110);\n script_xref(name:\"Secunia\", value:\"31523\");\n\n script_name(english:\"Apache Roller q Parameter XSS\");\n script_summary(english:\"Tries to inject script code through Roller's search parameter\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java web application that is affected\nby a cross-site scripting vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Apache Roller, a multi-user blog server\nwritten in Java. \n\nThe version of Apache Roller installed on the remote host fails to\nsanitize user input to the 'q' parameter of search requests before\nincluding it in dynamic HTML output. An attacker may be able to\nleverage this issue to inject arbitrary HTML and script code into a\nuser's browser to be executed within the security context of the\naffected site.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?75c214e4\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the code fix referenced in revision 668737 from the Subversion\nrepository.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(79);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2009/01/07\");\n script_cvs_date(\"Date: 2018/06/27 18:42:24\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:apache:roller\");\nscript_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"cross_site_scripting.nasl\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80);\nif (get_kb_item(\"www/\"+port+\"/generic_xss\")) exit(0);\n\n\n# A simple exploit.\nexploit = string(\"nessus<script>alert('\", SCRIPT_NAME, \"')</script>\");\n\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/roller\", \"/blogs\", cgi_dirs()));\nelse dirs = make_list(cgi_dirs());\n\nforeach dir (dirs)\n{\n # Look for Roller and its search form.\n if (dir == \"/\") url = dir;\n else url = dir + \"/\";\n\n res = http_get_cache(item:url, port:port, exit_on_fail: 1);\n\n # If...\n if (\n # it's Roller and...\n (\n '<meta name=\"generator\" content=\"Roller Weblogger' >< res ||\n '/roller-ui/login-redirect.rol\"' >< res ||\n '/roller-ui/login-redirect.jsp\"' >< res ||\n '<li class=\"rReferersListItem\">' >< res ||\n 'ul.rMenu, ul.rFolder, ul.rFeeds, ul.rReferersList, ul.rEntriesList' >< res\n ) &&\n # we can find the search form.\n '<form id=\"searchForm\" method=\"get\" action=\"' >< res\n )\n {\n search_url = strstr(res, '<form id=\"searchForm\" method=\"get\" action=\"') - \n '<form id=\"searchForm\" method=\"get\" action=\"';\n search_url = search_url - strstr(search_url, '\"');\n\n if (\n strlen(search_url) > 0 && \n stridx(search_url, '/') == 0 &&\n ereg(string:search_url, pattern:\"^[/a-zA-Z0-9_-]+$\")\n )\n {\n # Try to exploit the issue.\n url = string(search_url, \"?q=\", urlencode(str:exploit));\n\n res = http_send_recv3(method:\"GET\", item:url, port:port);\n if (res == NULL) exit(0);\n\n # There's a problem if we see our exploit in the default search form.\n if (\n string(\"<title>Search Results for '\", exploit) >< res[2] ||\n string('You searched this site for \"<a href=\"http://dictionary.com/search?q=', exploit) >< res[2]\n )\n {\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Nessus was able to exploit the issue using the following URL :\\n\",\n \"\\n\",\n \" \", build_url(port:port, qs:url), \"\\n\"\n );\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n }\n }\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
