Request Tracker 3.x < 3.8.15 / 4.x < 4.0.8 Multiple Vulnerabilities

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(63065);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2012-4730",
    "CVE-2012-4731",
    "CVE-2012-4732",
    "CVE-2012-4734",
    "CVE-2012-4884",
    "CVE-2012-6578",
    "CVE-2012-6579",
    "CVE-2012-6580",
    "CVE-2012-6581"
  );
  script_bugtraq_id(56290, 56291);

  script_name(english:"Request Tracker 3.x < 3.8.15 / 4.x < 4.0.8 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is running a Perl application that is affected
by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Best Practical
Solutions Request Tracker (RT) running on the remote web server is
version 3.x prior to 3.8.15 or version 4.x prior to 4.0.8. It is,
therefore, potentially affected by the following vulnerabilities :

  - Users can inject arbitrary headers into outgoing email
    provided they have ModifySelf or AdminUser privileges.
    A remote attacker could exploit this to gain sensitive
    information or conduct phishing attacks. (CVE-2012-4730)

  - Any privileged user can create articles in any class due
    to the application failing to properly verify user
    access rights. (CVE-2012-4731)

  - A cross-site request forgery vulnerability exists that
    allows a remote attacker to hijack the authentication
    of users for requests that toggle ticket bookmarks.
    (CVE-2012-4732)

  - A warning bypass vulnerability exists that allows a
    'confused deputy' attack during the handling of a
    specially crafted link. (CVE-2012-4734)

  - A vulnerability exists that allows an attacker to send
    arbitrary arguments to the command line for the GnuPG
    client (if GnuPG is enabled), which could result in the
    creation of arbitrary files with the permissions of the
    web server. (CVE-2012-4884)

  - Multiple vulnerabilities exist related to the improper
    signing or encryption of messages using GnuPG when GnuPG
    is enabled. (CVE-2012-6578, CVE-2012-6579,
    CVE-2012-6580, CVE-2012-6581)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2181f5d2");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Request Tracker 3.8.15 / 4.0.8 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/27");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:bestpractical:rt");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.");

  script_dependencies("rt_detect.nasl");
  script_require_keys("installed_sw/RT", "Settings/ParanoidReport");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = 'RT';
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80);

install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

path    = install["path"];
version = install["version"];
install_loc = build_url(port:port, qs:path + "/");

ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

# Versions 3.8.x / 4.0.x less than 3.8.15 / 4.0.8 are affected.
if
(
  ver[0] == 3 && ver[1] == 8 &&
  (
    (ver[2] < 15) ||
    (ver[2] == 15 && version =~ "(rc|pre|alpha|RC|test|CH|beta|preflight)")
  )
  ||
  (
    ver[0] == 4 && ver[1] == 0 &&
    (
      (ver[2] < 8) ||
      (ver[2] == 8 && version =~ "(rc|pre|alpha|RC|test|CH|beta|preflight)")
    )
  )
)  
{
  set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);
  if (report_verbosity > 0)
  {
    report =
      '\n  URL               : ' +install_loc+
      '\n  Installed version : ' +version+
      '\n  Fixed version     : 3.8.15 / 4.0.8\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_loc, version);