Vulnerabilities > CVE-2005-2453 - Unspecified vulnerability in Networkactiv web Server

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
networkactiv
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in NetworkActiv Web Server 1.0, 2.0.0.6, 3.0.1.1, and 3.5.13, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string.

Exploit-Db

descriptionNetworkActiv Web Server 1.0/2.0/3.0/3.5 Cross-Site Scripting Vulnerability. CVE-2005-2453 . Remote exploits for multiple platform
idEDB-ID:26071
last seen2016-02-03
modified2005-08-04
published2005-08-04
reporterSecunia Research
sourcehttps://www.exploit-db.com/download/26071/
titleNetworkActiv Web Server 1.0/2.0/3.0/3.5 - Cross-Site Scripting Vulnerability

Nessus

NASL familyCGI abuses : XSS
NASL idCROSS_SITE_SCRIPTING.NASL
descriptionThe remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. A remote attacker can exploit this issue, via a specially crafted request, to execute arbitrary HTML and script code in a user
last seen2020-06-01
modified2020-06-02
plugin id10815
published2001-11-30
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10815
titleWeb Server Generic XSS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(10815);
  script_version("1.90");
  script_cvs_date("Date: 2018/07/06 11:26:05");

  script_cve_id(
    "CVE-2002-1060",
    "CVE-2002-1700",
    "CVE-2003-1543",
    "CVE-2005-2453",
    "CVE-2006-1681",
    "CVE-2012-3382"
  );
  script_bugtraq_id(
    5011,
    5305,
    7344,
    7353,
    8037,
    14473,
    17408,
    54344
  );

  script_name(english:"Web Server Generic XSS");
  script_summary(english:"Checks for generic cross-site scripting vulnerability in a web server.");


  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a cross-site scripting
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. A remote attacker
can exploit this issue, via a specially crafted request, to execute
arbitrary HTML and script code in a user's browser within the security
context of the affected site.");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Cross-site_scripting");
  script_set_attribute(attribute:"solution", value:
"Contact the vendor for a patch or upgrade.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(79);

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2001/11/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default: 80, embedded: TRUE);

file = rand_str(charset:"abcdefghijklmnopqrstuvwxyz0123456789");
exts = make_list(
  "asp",
  "aspx",
  "pl",
  "cgi",
  "exe",
  "cfm",
  "html",
  "jsp",
  "php",
  "php3",
#  "phtml",
#  "shtml",
   "cfc",
   "nsf",
   "dll",
   "fts",
   "jspa",
   "kspx",
   "mscgi",
   "do",
   "htm",
   "idc",
   "x",
   ""
);
exploits = make_list(
  # nb: while this isn't valid JavaScript, it will tell us
  #     if malicious script tags are output unfiltered.
  "<script>" + SCRIPT_NAME + "</script>",
  '<IMG SRC="javascript:alert(' + SCRIPT_NAME + ');">'
);

hdrs = make_list(
  "Referer",
  "Cookie",
  "User-Agent",
  "Pragma",
  "Accept",
  "X-Forwarded-For",
  "Accept-Language",
  "Accept-Charset",
  "Expect",
  "Connection",
  "Host",
  "Content-Type",
  "Content-Length"
);

vuln_url = FALSE;
vuln_hdr = FALSE;

vuln = 0;
failures = 0;

dirs_l = NULL;
hdr_ext = NULL;
# If we are in paranoid mode, we want to reduce the FPs anyway.
if (thorough_tests) dirs_l = cgi_dirs();

if (isnull(dirs_l)) dirs_l = make_list("/");

foreach dir (dirs_l)
{
  len = strlen(dir);
  if (len == 0 || dir[0] != "/")
  {
    dir = "/" + dir;
    len ++;
  }
  if (len > 1 && dir[len-1] != "/") dir = dir + "/";

  foreach ext (exts)
  {
    foreach exploit (exploits)
    {
      if (" " >< exploit) enc_exploit = str_replace(find:" ", replace:"%20", string:exploit);
      else enc_exploit = exploit;

    if (ext)
      urls = make_list(
        dir + enc_exploit + "." + ext,
        dir + file + "." + ext + "?" + enc_exploit
      );
    else
      urls = make_list(
        # nb: does server check "filenames" for Javascript?
        dir + enc_exploit,
        enc_exploit,
        # nb: how about just the request string?
        dir + "?" + enc_exploit
      );

    foreach url (urls)
    {
      if (vuln_url) break;
      # Try to exploit the flaw.
      ef = (failures >= 2);
      r = http_send_recv3(method: 'GET', item:url, port:port, fetch404: TRUE, follow_redirect: 2, exit_on_fail: ef);
      if (isnull(r))
      {
        failures ++;
	continue;
      }

      headers = parse_http_headers(status_line:r[0], headers:r[1]);
      if (!empty_or_null(headers))
      {
        if (!empty_or_null(headers['content-disposition']) &&
            headers['content-disposition'] =~ 'attachment') continue;

        if (!empty_or_null(headers['content-type']))
        {
          if (headers['content-type'] !~ "text\/html")
          {
            rep_extra =
              'Note that this XSS attack may only work against ' +
              'web browsers\nthat have "content sniffing" enabled.';
          } 
        }
      }

      if (exploit >< r[2])
      {
        if (r[0] =~ "^HTTP/1\.[01] 30[12] ") continue;	# FP
        vuln++;

        report += crap(data:"-", length:30)+' Request #' + vuln + ' ' +crap(data:"-", length:30)+ '\n';
        report +=
          '\nThe request string used to detect this flaw was :\n\n' +
          url +
          '\n\nThe output was :\n\n' +
          r[0] + r[1] + '\n' +
          extract_pattern_from_resp(string: r[2], pattern: "ST:"+exploit)+
          '\n';
          if (rep_extra)
            report += rep_extra;

        vuln_url = TRUE;
        hdr_ext = ext;
      }
    }

  }
}

    # begin header tests
    if (thorough_tests)
    {
      foreach hdr (hdrs)
      {
        #build request
        if (empty_or_null(ext)) ext = "html";
        if (empty_or_null(hdr_ext)) hdr_ext = ext;
        exploit = "<script>alert(" + hdr + ")</script>";
        url = dir + file + "." + hdr_ext;
        rq = http_mk_req(item: url, port:port, method: "GET", add_headers: make_array(hdr, exploit));

        #send request
        r = http_send_recv_req(req: rq, port:port, fetch404: TRUE, only_content: "text/(xml|html)");
        if(isnull(r))
        {
          failures ++;
          continue;
        }

        #check response
        if (exploit >< r[2])
        {
          if (r[0] =~ "^HTTP/1\.[01] 30[12] ") continue;  # FP
          vuln++;

          # report
          report += crap(data:"-", length:30)+' Request #' + vuln + ' ' +crap(data:"-", length:30)+ '\n';
          report += '\nThe full request used to detect this flaw was :\n\n' + 
            http_last_sent_request() +
            '\n\nThe output was :\n\n' +
            r[0] + r[1] + '\n' +
            extract_pattern_from_resp(string: r[2], pattern: "ST:"+exploit)+
            '\n';

        }
      }
    }
    # end header tests
}
if (vuln > 0)
{
  set_kb_item(name:string("www/", port, "/generic_xss"), value:TRUE);
  security_report_v4(extra:report, port:port, severity:SECURITY_WARNING, xss:TRUE);
  exit(0);
}
exit(0, "The web server listening on port " +port+ " is not affected.");