openvas | Copyright (C) 2017 Greenbone AG | OPENVAS:1361412562310112065
HistoryOct 05, 2017 - 12:00 a.m.

Apache OpenMeetings < 3.1.1 Multiple Vulnerabilities

2017-10-05 00:00:00
Copyright (C) 2017 Greenbone AG
plugins.openvas.org
20

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.146 Low

EPSS

Percentile

95.8%

Apache OpenMeetings is prone to multiple vulnerabilities.

# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

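# CPE under which the detection script registers Apache OpenMeetings; the
# check section of this script uses it to look up the detected port and version.
CPE = "cpe:/a:apache:openmeetings";

# Metadata section: evaluated when the scanner loads the plugin. It only
# registers identifiers, severity data and descriptive text, then exits
# without contacting the target.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.112065");
  script_version("2023-03-31T10:19:34+0000");
  script_tag(name:"last_modification", value:"2023-03-31 10:19:34 +0000 (Fri, 31 Mar 2023)");
  script_tag(name:"creation_date", value:"2017-10-05 15:09:22 +0200 (Thu, 05 Oct 2017)");
  # CVSS v2 base score and vector, followed by the CVSS v3.0 vector taken from NVD.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2018-10-09 19:58:00 +0000 (Tue, 09 Oct 2018)");

  # The id list must match the four issues described in the "insight" text
  # below. The third entry was previously "CVE-2017-2163", which does not
  # appear in the insight text; the event-description XSS described there is
  # CVE-2016-2163. A wrong id here mis-correlates findings in downstream
  # vulnerability management and reporting.
  script_cve_id("CVE-2016-0783", "CVE-2016-0784", "CVE-2016-2163", "CVE-2016-2164");

  # remote_banner: the result rests on the version reported by the detection
  # script, not on an active probe of the flaws. A build that was patched
  # without changing its reported version would still be flagged, so confirm
  # findings against the installed package before acting on them.
  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Apache OpenMeetings < 3.1.1 Multiple Vulnerabilities");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2017 Greenbone AG");
  script_family("Web application abuses");
  # Runs only after the HTTP detection script has found OpenMeetings and set
  # the mandatory key below.
  script_dependencies("gb_apache_openmeetings_http_detect.nasl");
  script_mandatory_keys("apache/openmeetings/detected");

  script_tag(name:"summary", value:"Apache OpenMeetings is prone to multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The following vulnerabilities exist:

  - CVE-2016-0783: The hash generated by the external password reset function is generated by
  concatenating the user name and the current system time, and then hashing it using MD5. This is
  highly predictable and can be cracked in seconds by an attacker with knowledge of the user name
  of an OpenMeetings user.

  - CVE-2016-0784: The Import/Export System Backups functionality in the OpenMeetings
  Administration menu is vulnerable to path traversal via specially crafted file names within ZIP
  archives.

  - CVE-2016-2163: When creating an event, it is possible to create clickable URL links in the
  event description. These links will be present inside the event details once a participant enters
  the room via the event. It is possible to create a link like 'javascript:alert('xss')', which
  will execute once the link is clicked. As the link is placed within an <a> tag, the actual link
  is not visible to the end user which makes it hard to tell if the link is legit or not.

  - CVE-2016-2164: When attempting to upload a file via the API using the importFileByInternalUserId
  or importFile methods in the FileService, it is possible to read arbitrary files from the system.
  This is due to that Java's URL class is used without checking what protocol handler is specified
  in the API call.");

  script_tag(name:"affected", value:"Apache OpenMeetings prior to version 3.1.1.");
  script_tag(name:"solution", value:"Update to version 3.1.1 or later.");

  script_xref(name:"URL", value:"https://openmeetings.apache.org/security.html");

  exit(0);
}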

include("host_details.inc");
include("version_func.inc");

# Check section: compare the version recorded by the detection script with the
# first fixed release (3.1.1). No request is sent to the flawed functions
# themselves; the verdict is purely version-based.

# Port on which OpenMeetings was detected; nothing to do without one.
port = get_app_port(cpe: CPE);
if (!port)
  exit(0);

# Detected version and install location. exit_no_version: TRUE is passed so
# that a detection without a version does not proceed to the comparison.
infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE);
if (!infos)
  exit(0);

installed_ver = infos["version"];
install_loc = infos["location"];

# Versions at or above 3.1.1 are treated as fixed; exit code 99 is the
# "checked, not affected" outcome, distinct from the exit(0) paths above.
if (!version_is_less(version: installed_ver, test_version: "3.1.1"))
  exit(99);

# Vulnerable version: report installed vs. fixed version and the install path.
report = report_fixed_ver(installed_version: installed_ver, fixed_version: "3.1.1", install_path: install_loc);
security_message(port: port, data: report);
exit(0);
