diff --git a/CHANGELOG b/CHANGELOG index 3fdac062c..c15d482fc 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added http-vuln-cve2013-6786 for detecting a XSS and URL redirection + vulnerability in Allegro RomPager web server. Also added a fingerprint for + detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak] + o When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved. [isjing] diff --git a/scripts/http-vuln-cve2013-6786.nse b/scripts/http-vuln-cve2013-6786.nse new file mode 100644 index 000000000..5d7d791dc --- /dev/null +++ b/scripts/http-vuln-cve2013-6786.nse @@ -0,0 +1,77 @@ +description = [[ +Detects a URL redirection and reflected XSS vulnerability in Allegro RomPager +Web server. The vulnerability has been assigned CVE-2013-6786. + +The check is general enough (script tag injection via Referer header) that some +other software may be vulnerable in the same way. +]] + +--- +-- @usage nmap -p80 --script http-rompager-xss +-- @usage nmap -sV http-rompager-xss +-- +-- @output +-- PORT STATE SERVICE +-- 80/tcp open http +-- | http-rompager-xss: +-- | VULNERABLE: +-- | URL redirection and reflected XSS vulnerability in Allegro RomPager Web server +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2013-6786 +-- | +-- | Devices based on Allegro RomPager web server are vulnerable to URL redirection +-- | and reflected XSS. If Referer header in a request to a non existing page, data +-- | can be injected into the resulting 404 page. This includes linking to an +-- | untrusted website and XSS injection. +-- | Disclosure date: 2013-07-1 +-- | References: +-- |_ https://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf +--- + +author = "Vlatko Kosturjak " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"exploit","vuln"} + +local http = require "http" +local nmap = require "nmap" +local shortport = require "shortport" +local string = require "string" +local vulns = require "vulns" +local stdnse = require "stdnse" + +portrule = shortport.http + +action = function(host, port) + local vuln = { + title = 'URL redirection and reflected XSS vulnerability in Allegro RomPager Web server', + state = vulns.STATE.NOT_VULN, + description = [[ +Devices based on Allegro RomPager web server are vulnerable to URL redirection +and reflected XSS. If Referer header in a request to a non existing page, data +can be injected into the resulting 404 page. This includes linking to an +untrusted website and XSS injection.]], + IDS = { + CVE = "CVE-2013-6786", + OSVDB = "99694", + }, + references = { + 'https://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf', + }, + dates = { + disclosure = {year = '2013', month = '07', day = '1'}, + }, + } + + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local header = { ["Referer"] = '"><"' } + local open_session = http.get(host.ip, port, "/"..stdnse.generate_random_string(16), { header = header }) + if open_session and open_session.status == 404 then + stdnse.debug2("got 404-that's good!") + if open_session.body:match('"><"') then + vuln.state = vulns.STATE.EXPLOIT + -- vuln.extra_info = open_session.body + stdnse.debug1("VULNERABLE. Router answered correctly!") + return vuln_report:make_output(vuln) + end + end +end diff --git a/scripts/script.db b/scripts/script.db index cb89ab685..cd4880d8d 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -236,6 +236,7 @@ Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } } +Entry { filename = "http-vuln-cve2013-6786.nse", categories = { "exploit", "vuln", } } Entry { filename = "http-vuln-cve2013-7091.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2014-2126.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-cve2014-2127.nse", categories = { "safe", "vuln", } }