CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
91.0%
The remote host is running Novell Teaming, a collaboration and conferencing application. The version of Novell Teaming installed on the remote host allows an unauthenticated remote attacker to enumerate users during the login phase because the web application responds with different messages when an invalid username or invalid password is used.
In addition, it is likely to be affected by multiple cross-site scripting vulnerabilities due to its failure to sanitize input to the 'p_p_state' and 'p_p_mode' parameters of the web application, although Nessus has not checked for these.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration block: runs only when the engine loads the plugin with
# `description` set. It records metadata and leaves through the exit(0) at the
# end of the block, so none of the HTTP requests further down are sent here.
if (description)
{
script_id(36205);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
# External identifiers for the user-enumeration issue this plugin reports.
script_cve_id("CVE-2009-1293");
script_bugtraq_id(34531);
script_xref(name:"SECUNIA", value:"34714");
script_name(english:"Novell Teaming Login User Account Enumeration Weakness");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a module that leaks information.");
# The description covers two things: the login-message difference, which the
# check body tests, and the 'p_p_state' / 'p_p_mode' cross-site scripting,
# which the text itself says Nessus has not checked.
script_set_attribute(attribute:"description", value:
"The remote host is running Novell Teaming, a collaboration and
conferencing application. The version of Novell Teaming installed on
the remote host allows an unauthenticated remote attacker to enumerate
users during the login phase because the web application responds with
different messages when an invalid username or invalid password is
used.
In addition, it is likely to be affected by multiple cross-site
scripting vulnerabilities due to its failure to sanitize input to the
'p_p_state' and 'p_p_mode' parameters of the web application, although
Nessus has not checked for these.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/502704/30/0/threaded");
# http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002997&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?05eaae82");
# http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7002999&sliceId=1&docTypeID=DT_TID_1_1&dialogID=33090060&stateId=1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a9e444a0");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch referenced in the vendor advisory above.");
# CVSS v2 base vector: network reachable, low complexity, no authentication,
# partial confidentiality impact only (no integrity or availability impact).
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
# CVSS v2 temporal vector: functional exploit (E:F), official fix available
# (RL:OF), report confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
# CWE-200: exposure of sensitive information to an unauthorized actor.
script_cwe_id(200);
script_set_attribute(attribute:"patch_publication_date", value:"2009/04/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
# The check body consults `thorough_tests` to decide whether "/teaming" is
# added to the list of directories it probes.
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
# NOTE(review): the category is ACT_GATHER_INFO, yet the check body POSTs login
# attempts for "admin" and "guest" with a throwaway password. Those are real
# failed logins on the target - confirm the category is still appropriate where
# the application enforces account lockout.
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
# Presumably keeps the plugin from running when CGI scanning is disabled in the
# scan settings (inferred from the key name - verify against the engine docs).
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
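# Check body: for each candidate directory, confirm the Novell Teaming login
# page is present, read the name of its password field, then submit one failed
# login per candidate account and compare the error text that comes back. The
# issue is reported only when one account produces the "unknown login" message
# and another produces the "authentication failed" message, i.e. when the
# application visibly distinguishes the two cases.
#
# Operational note: every probe is a real failed login. Expect entries for
# "admin" and "guest" in the target's authentication logs, and expect them to
# count toward any lockout threshold configured there.
port = get_http_port(default:80, embedded: 0);

users = make_list(
  string("nessus-", unixtime()),  # hopefully bogus
  "admin",                        # hopefully good
  "guest"                         # ??
);
# Throwaway password; the check never needs a login to succeed.
password = string("nessus-", unixtime());

# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/teaming", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Per-directory state, reset so results from one path never leak into the next.
  errors = make_array();
  user_existent = NULL;
  user_nonexistent = NULL;
  password_var = NULL;

  url = string(dir, "/c/portal/login");

  # We have to determine the value of the password variable from the initial connection
  res = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(res)) exit(0);

  # Not a Teaming login page: move on to the next directory. The original used
  # `break`, which abandoned every remaining directory as soon as the first one
  # (for example "/teaming" under thorough tests) did not match, producing a
  # false negative for installs under any other path.
  if ("<title>Novell Teaming" >!< res[2]) continue;

  if ("_password" >< res[2])
  {
    matches = eregmatch(pattern:'<input name="([A-Za-z]+_password)"', string:res[2]);
    if (!isnull(matches)) password_var = matches[1];
  }

  # Without the field name the POST below would carry an unnamed password
  # parameter, so the responses would say nothing reliable about the accounts.
  if (isnull(password_var)) continue;

  foreach user (users)
  {
    postdata = string(
      "cmd=already-registered", "&",
      "tabs1=already-registered", "&",
      "rememberMe=false", "&",
      "login=", user, "&",
      password_var, "=", password
    );

    res = http_send_recv3(
      method:"POST",
      data:postdata,
      add_headers:make_array("Content-Type", "application/x-www-form-urlencoded"),
      item:url,
      port:port
    );
    if (isnull(res)) exit(0);

    # Keep the first account seen for each message, plus the message text up to
    # the closing </span>, as evidence for the report.
    if (isnull(user_nonexistent) && "Please enter a valid login." >< res[2])
    {
      user_nonexistent = user;
      error = strstr(res[2], "Please enter a valid login.");
      errors[user] = error - strstr(error, "</span>");
    }
    else if (isnull(user_existent) && "Authentication failed. Please try again." >< res[2])
    {
      user_existent = user;
      error = strstr(res[2], "Authentication failed. Please try again.");
      errors[user] = error - strstr(error, "</span>");
    }

    # Both messages observed: the application tells valid and invalid account
    # names apart before authentication.
    if (user_existent && user_nonexistent)
    {
      # NOTE(review): this KB item marks the port as XSS-affected although the
      # plugin description states the XSS issues were not checked - confirm
      # that downstream consumers of www/<port>/XSS should see an unverified flag.
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);

      if (report_verbosity > 0)
      {
        report = string(
          "\n",
          "Nessus was able to verify the issue with the following queries and\n",
          "responses :\n",
          " Existing User : ", user_existent, "\n",
          " URL : ", build_url(port:port, qs:url), "\n",
          " Response Error : ", errors[user_existent], "\n",
          "\n",
          " Invalid User : ", user_nonexistent, "\n",
          " URL : ", build_url(port:port, qs:url), "\n",
          " Response Error : ", errors[user_nonexistent], "\n"
        );
        security_warning(port:port, extra:report);
      }
      else security_warning(port);

      exit(0);
    }
  }
}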