Source: nessus | This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. | File: GLASSFISH_CPU_APR_2012.NASL
History: Apr 24, 2012 - 12:00 a.m.

Oracle GlassFish Server 3.1.1 < 3.1.1.3 Multiple Vulnerabilities (April 2012 CPU)

2012-04-24 00:00:00
This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
25

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.885 High

EPSS

Percentile

98.7%

The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities:

  • A cross-site request forgery (CSRF) vulnerability in its REST interface. An authenticated user can be tricked into visiting a web page that leverages this vulnerability to upload an arbitrary WAR file to the GlassFish server, which is then executed with GlassFish’s credentials. (CVE-2012-0550)

  • A cross-site scripting (XSS) vulnerability in its administrative interface. This vulnerability permits JavaScript to be run in the context of the GlassFish administrative interface, which may result in the credentials of an authenticated user being stolen for use in subsequent attacks. (CVE-2012-0551)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Description mode: register the plugin's metadata (identifiers, advisory
# text, scoring, dependencies) and exit before any check logic runs.
if (description)
{
  script_id(58846);
  script_version("1.13");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  # Advisory identifiers covered by this plugin: one CSRF issue and one XSS
  # issue, each with a Bugtraq id and a public exploit reference.
  script_cve_id("CVE-2012-0550", "CVE-2012-0551");
  script_bugtraq_id(53118, 53136);
  script_xref(name:"EDB-ID", value:"18764");
  script_xref(name:"EDB-ID", value:"18766");

  script_name(english:"Oracle GlassFish Server 3.1.1 < 3.1.1.3 Multiple Vulnerabilities (April 2012 CPU)");
  script_summary(english:"Checks the version of Oracle GlassFish.");

  script_set_attribute(attribute:"synopsis", value:"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of GlassFish Server running on the remote host is affected
by multiple vulnerabilities :

  - A cross-site request forgery (CSRF) vulnerability in its
    REST interface. An authenticated user can be tricked
    into visiting a web page that leverages this
    vulnerability to upload an arbitrary WAR file to the
    GlassFish server, which is then executed with
    GlassFish's
    credentials. (CVE-2012-0550)

  - A cross-site scripting (XSS) vulnerability in its
    administrative interface. This vulnerability permits
    JavaScript to be run in the context of the GlassFish
    administrative interface, which may result in the
    credentials of an authenticated user being stolen for
    use in subsequent attacks. (CVE-2012-0551)");
  script_set_attribute(attribute:"solution", value:"Upgrade to GlassFish Server 3.1.1.3 or later.");
  # NOTE(review): this base vector rates confidentiality, integrity and
  # availability impact as Complete (C:C/I:C/A:C). A CVSS2 summary published
  # alongside this script shows AV:N/AC:M/Au:N/C:P/I:P/A:P (6.8) instead -
  # confirm which rating should drive prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # Temporal vector: proof-of-concept exploit code, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # NOTE(review): the list carries CWE-79 (XSS) plus input-validation and
  # injection ids, but no CSRF-specific id (CWE-352) even though
  # CVE-2012-0550 is described above as CSRF - confirm whether that is
  # intentional before relying on CWE-based filtering.
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fe94efd1");
  # http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_REST_CSRF.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a359287a");
  # http://www.security-assessment.com/files/documents/advisory/Oracle_GlassFish_Server_Multiple_XSS.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9faaa64a");

  # NOTE(review): the patch date below (2012/01/23) is earlier than the
  # vulnerability publication date (2012/04/17) - presumably the fixed build
  # shipped before the advisory; verify against the vendor release notes.
  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/24");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:glassfish_server");
  script_end_attributes();

  # Registered as an information-gathering check in the "Web Servers" family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  # Depends on glassfish_detect.nasl and requires the 'www/glassfish' KB key,
  # which the check logic below the description block reads first.
  script_dependencies("glassfish_detect.nasl");
  script_require_keys("www/glassfish");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("glassfish.inc");

#
# Main
#

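# Version-based check for the April 2012 CPU GlassFish issues.
#
# The verdict rests entirely on the version string recorded in the knowledge
# base (KB); nothing in this block exercises the CSRF or XSS behaviour itself.
# A hit should therefore be confirmed against the installed patch level, and a
# miss does not cover hosts whose reported version is inaccurate.

# Stop unless GlassFish was detected.
get_kb_item_or_exit('www/glassfish');

# By default, GlassFish listens on port 8080.
port = get_glassfish_port(default:8080);

# Pull the version, its source, and the unmodified version string from the KB.
# 'ver' is used for comparison; 'pristine' and 'banner' are only reported.
ver = get_kb_item_or_exit("www/" + port + "/glassfish/version");
banner = get_kb_item_or_exit("www/" + port + "/glassfish/source");
pristine = get_kb_item_or_exit("www/" + port + "/glassfish/version/pristine");

# Only the 3.1.1 branch is in scope; any other branch is reported as not
# vulnerable by the audit() call at the end.
if (ver =~ "^3\.1\.1")
  fix = "3.1.1.3";
else
  fix = NULL;

if (!isnull(fix) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)
{
  # Record the CSRF/XSS flags for this port whenever the host is found
  # vulnerable. They were previously set only when report_verbosity > 0, so a
  # quiet scan raised the finding but left the KB flags unset.
  set_kb_item(name:"www/"+port+"/XSRF", value:TRUE);
  set_kb_item(name:"www/"+port+"/XSS", value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + pristine +
      '\n  Fixed version     : ' + fix +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_LISTEN_NOT_VULN, "Oracle GlassFish", port, pristine);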
| Vendor | Product | Version | CPE |
|--------|---------|---------|-----|
| oracle | glassfish_server | | cpe:/a:oracle:glassfish_server |

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.885 High

EPSS

Percentile

98.7%