Vulnerabilities > CVE-2003-0154 - Cross-Site Scripting vulnerability in Mozilla Bonsai 1.3

CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
mozilla
nessus
exploit available

Summary

Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query tool allow remote attackers to execute arbitrary web script via (1) the file, root, or rev parameters to cvslog.cgi, (2) the file or root parameters to cvsblame.cgi, (3) various parameters to cvsquery.cgi, (4) the person parameter to showcheckins.cgi, (5) the module parameter to cvsqueryform.cgi, and (6) possibly other attack vectors as identified by Mozilla bug #146244.

Vulnerable Configurations

Part Description Count
Application
Mozilla
1

Exploit-Db

description: Mozilla Bonsai Multiple Cross Site Scripting Vulnerabilities. CVE-2003-0154. Webapps exploit for cgi platform
id: EDB-ID:21729
last seen: 2016-02-02
modified: 2002-08-20
published: 2002-08-20
reporter: Stan Bubrouski
source: https://www.exploit-db.com/download/21729/
title: Mozilla Bonsai Multiple Cross-Site Scripting Vulnerabilities

Nessus

  • NASL family: CGI abuses
    NASL id: BONSAI_FLAWS.NASL
    description: The remote host has the CGI suite
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11440
    published: 2003-03-22
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11440
    title: Mozilla Bonsai Mutiple Flaws (Auth Bypass, XSS, Cmd Exec, PD)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, only this block runs and it ends in exit(0), so no request is ever
    # sent from here. The live check starts after the includes below.
    if (description)
    {
     script_id(11440);
     # One plugin covers all four 2003 Bonsai advisories (command execution,
     # path disclosure, XSS, unauthenticated parameter access). Only the XSS
     # vector (CVE-2003-0154, cvslog.cgi) is actually probed by this script.
     script_cve_id("CVE-2003-0152", "CVE-2003-0153", "CVE-2003-0154", "CVE-2003-0155");
     script_bugtraq_id(5516, 5517);
     script_version ("1.28");
    		
     script_name(english:"Mozilla Bonsai Mutiple Flaws (Auth Bypass, XSS, Cmd Exec, PD)");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a CGI which is vulnerable to multiple flaws
    allowing code execution and cross-site scripting attacks." );
     # NOTE(review): report text below has two wording defects that are
     # runtime strings and so left untouched here: "is to be vulnerable"
     # is missing a word (presumably "reported"), and "temper" should read
     # "tamper".
     script_set_attribute(attribute:"description", value:
    "The remote host has the CGI suite 'Bonsai' installed. 
    
    This suite is used to browse a CVS repository with a web browser. 
    
    The remote version of this software is to be vulnerable to various
    flaws ranging from path disclosure and cross-site scripting to remote
    command execution. 
    
    An attacker may exploit these flaws to temper with the integrity of
    the remote host." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to the latest version of Bonsai" );
     # Full C/I/A impact: presumably scored on the most severe bundled issue
     # (remote command execution), not on the XSS that is the only thing
     # this plugin detects. The page-level CVSS for CVE-2003-0154 alone is
     # 6.8 (partial/partial/partial).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/22");
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/08/20");
     script_cvs_date("Date: 2018/06/13 18:56:26");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    # Attributes must all be set before this call.
    script_end_attributes();
    
     script_summary(english:"Determine if bonsai is vulnerable to xss attack");
     script_category(ACT_GATHER_INFO);
     script_family(english:"CGI abuses");
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     # `script_dependencie` (no trailing s) is the spelling used here; the
     # Debian plugin on this page uses `script_dependencies` -- presumably
     # an older alias, kept as-is.
     script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
     script_require_ports("Services/www", 80);
     # Honours the scanner-wide switch that disables CGI probing.
     script_exclude_keys("Settings/disable_cgi_scanning");
     exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    
    # Walk every known CGI directory and ask Bonsai's cvslog.cgi to echo a
    # harmless marker in the `file` parameter. The host is flagged only when
    # the reply is a 200, is identifiably Bonsai output ("Rcs file"), and
    # contains the marker verbatim -- i.e. unencoded -- which is the
    # reflected-XSS condition of CVE-2003-0154.
    # Note: a request that gets no reply at all aborts the whole plugin
    # (exit), it does not fall through to the next directory.
    foreach dir (make_list(cgi_dirs()))
    {
     probe = string(dir, "/cvslog.cgi?file=<SCRIPT>window.alert</SCRIPT>");
     res = http_send_recv3(method:"GET", item:probe, port:port);
     if (isnull(res)) exit(0);
    
     # Status line, headers and body joined so one match can see all of it.
     reply = strcat(res[0], res[1], '\r\n', res[2]);
    
     if (!ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:reply)) continue;
     if ("Rcs file" >!< reply) continue;
     if ("<SCRIPT>window.alert</SCRIPT>" >!< reply) continue;
    
     security_hole(port);
     # Shared KB flag so other XSS plugins can see this port is affected.
     set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
     exit(0);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-265.NASL
    description: Remi Perrot fixed several security related bugs in the bonsai, the Mozilla CVS query tool by web interface. Vulnerabilities include arbitrary code execution, cross-site scripting and access to configuration parameters. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2003-0152 - Remote execution of arbitrary commands as www-data - CAN-2003-0153 - Absolute path disclosure - CAN-2003-0154 - Cross site scripting attacks - CAN-2003-0155 - Unauthenticated access to parameters page
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15102
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15102
    title: Debian DSA-265-1 : bonsai - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-265. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: with `description` set this block records the
    # plugin's metadata and exits; the package check further down never runs
    # in that mode.
    if (description)
    {
      script_id(15102);
      script_version("1.24");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # Same four Bonsai CVEs as the remote CGI plugin, here tied to DSA-265
      # and detected by package version rather than by probing the CGI.
      script_cve_id("CVE-2003-0152", "CVE-2003-0153", "CVE-2003-0154", "CVE-2003-0155");
      script_xref(name:"DSA", value:"265");
    
      script_name(english:"Debian DSA-265-1 : bonsai - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Description and solution text are taken verbatim from DSA-265 (see the
      # copyright note in the file header).
      script_set_attribute(
        attribute:"description", 
        value:
    "Remi Perrot fixed several security related bugs in the bonsai, the
    Mozilla CVS query tool by web interface. Vulnerabilities include
    arbitrary code execution, cross-site scripting and access to
    configuration parameters. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CAN-2003-0152 - Remote execution of arbitrary commands
        as www-data
      - CAN-2003-0153 - Absolute path disclosure
    
      - CAN-2003-0154 - Cross site scripting attacks 
    
      - CAN-2003-0155 - Unauthenticated access to parameters
        page"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-265"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the bonsai package.
    
    For the stable distribution (woody) these problems have been fixed in
    version 1.3+cvs20020224-1woody1.
    
    
    The old stable distribution (potato) is not affected since it doesn't
    contain bonsai."
      );
      # Partial C/I/A, which matches the CVSS 6.8 shown for CVE-2003-0154 on
      # this page; the remote CGI plugin scores the same CVE set as C:C/I:C/A:C.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local": the check reads package data gathered over SSH (see the
      # ssh_get_info.nasl dependency), it never talks to the web server.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:bonsai");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      # The three KB keys required here are the same ones the body re-checks
      # before running, so a missing one produces an audit exit, not a false
      # "not affected" result.
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions for a local check: an enabled local-check pass, a Debian
    # release string and a collected package list. Each missing item is an
    # audit() exit with a distinct reason code, so the scan report can tell
    # "could not check" apart from "not affected".
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Exactly one package/version pair is in scope for DSA-265: bonsai on
    # woody (3.0) older than the fixed 1.3+cvs20020224-1woody1. A host that
    # does not match is reported as not affected and the script stops there
    # (audit() exits, as the guards above already rely on).
    if (!deb_check(release:"3.0", prefix:"bonsai", reference:"1.3+cvs20020224-1woody1"))
      audit(AUDIT_HOST_NOT, "affected");
    
    # Vulnerable: emit the finding, with the per-package detail presumably
    # accumulated by deb_check() when the scan is run verbosely.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);