Vulnerabilities > CVE-2004-2171 - Cross-Site Scripting vulnerability in Cherokee Error Page

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
cherokee
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in Cherokee before 0.4.8 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting error page.

Exploit-Db

description: Cherokee 0.1.x/0.2.x/0.4.x Error Page Cross Site Scripting Vulnerability. CVE-2004-2171. Remote exploit for solaris platform
id: EDB-ID:23605
last seen: 2016-02-02
modified: 2004-01-26
published: 2004-01-26
reporter: César Fernández
source: https://www.exploit-db.com/download/23605/
title: Cherokee 0.1.x/0.2.x/0.4.x Error Page Cross-Site Scripting Vulnerability

Nessus

NASL family: CGI abuses : XSS
NASL id: CHEROKEE_0_4_7.NASL
description: The remote host is running Cherokee - a fast and tiny web server. The remote version of this software is vulnerable to cross-site scripting attacks due to lack of sanitization in returned error pages.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15618
published: 2004-11-03
reporter: This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/15618
title: Cherokee Web Server Error Page XSS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the plugin only declares its
# metadata and then exits, so none of the detection code further down runs.
if (description)
{
  # Plugin identity and external references.
  script_id(15618);
  script_version("1.23");

  script_cve_id("CVE-2004-2171");
  script_bugtraq_id(9496);

  script_name(english:"Cherokee Web Server Error Page XSS");

  # Text presented in the scan report.
  script_set_attribute(attribute:"synopsis", value:"The remote web server is vulnerable to a cross-site scripting issue.");
  script_set_attribute(attribute:"description", value:"The remote host is running Cherokee - a fast and tiny web server.

The remote version of this software is vulnerable to cross-site
scripting attacks due to lack of sanitization in returned error pages.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76d15ca6");
  script_set_attribute(attribute:"solution", value:"Upgrade to Cherokee 0.4.8 or newer.");

  # Severity scoring (CVSS v2 base and temporal vectors) and exploitability notes.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Plugin lifecycle dates and type; script_end_attributes() closes the attribute list.
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/03");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # NOTE(review): the summary mentions only a version check, while the detection
  # code also requests a marker URL and looks for it in the response body.
  script_summary(english:"Checks for the version of Cherokee");

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CGI abuses : XSS");

  # Plugins that must have run first, and the ports this check applies to.
  script_dependencie("find_service1.nasl", "http_version.nasl");
  script_require_ports("Services/www", 443);
  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

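# Detection flow: pick the HTTP port, fingerprint the Server banner, and only for
# Cherokee builds older than 0.4.8 confirm the flaw by checking whether a harmless
# marker placed in the URL comes back unescaped in the error page body.
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0);

banner = get_http_banner(port:port);
if (!banner) exit(0);

# strstr() returns the banner from the first occurrence of "Server" onward; the
# pattern below is anchored, so it matches only when that text is the Server: header.
serv = strstr(banner, "Server");

# Version gate: 0.0.x-0.3.x and 0.4.0-0.4.7, i.e. everything before the fixed 0.4.8.
# The trailing [^0-9] keeps 0.4.7 from also matching longer numbers such as 0.4.70.
# Detection caveat: a host that hides or rewrites its Server header is never probed,
# so a clean result here is not proof that the server is patched.
if (ereg(pattern:"^Server:.*Cherokee/0\.([0-3]\.|4\.[0-7])[^0-9]", string:serv))
{
  # Request a path containing an inert marker and read back only the response body.
  req = http_get(item:"/<script>foo</script>", port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);

  # The marker must appear verbatim (not HTML-escaped) for the host to be reported.
  if ("<script>foo</script>" >!< res) exit(0);

  # Probe the function that is actually called: the original tested
  # security_note() for the "confidence" argument but invoked security_warning().
  if (func_has_arg("security_warning", "confidence"))
    security_warning(port:port, confidence:100);
  else
    security_warning(port);

  # Record the finding in the knowledge base under www/<port>/XSS.
  set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
}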