Vulnerabilities > CVE-2006-5925

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
links
elinks
nessus
exploit available

Summary

Links web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed allows remote attackers to execute arbitrary code via shell metacharacters in an smb:// URI, as demonstrated by using PUT and GET statements.

Vulnerable Configurations

Part Description Count
Application
Links
1
Application
Elinks
1

Exploit-Db

descriptionLinks, ELinks 'smbclient' Remote Command Execution Vulnerability. CVE-2006-5925. Remote exploit for linux platform
idEDB-ID:29033
last seen2016-02-03
modified2006-11-18
published2006-11-18
reporterTeemu Salmela
sourcehttps://www.exploit-db.com/download/29033/
titleLinks, ELinks 'smbclient' Remote Command Execution Vulnerability

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200612-16.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200612-16 (Links: Arbitrary Samba command execution) Teemu Salmela discovered that Links does not properly validate
    last seen2020-06-01
    modified2020-06-02
    plugin id23873
    published2006-12-16
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23873
    titleGLSA-200612-16 : Links: Arbitrary Samba command execution
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200612-16.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23873);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"GLSA", value:"200612-16");
    
      script_name(english:"GLSA-200612-16 : Links: Arbitrary Samba command execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200612-16
    (Links: Arbitrary Samba command execution)
    
        Teemu Salmela discovered that Links does not properly validate 'smb://'
        URLs when it runs smbclient commands.
      
    Impact :
    
        A remote attacker could entice a user to browse to a specially crafted
        'smb://' URL and execute arbitrary Samba commands, which would allow
        the overwriting of arbitrary local files or the upload or the download
        of arbitrary files. This vulnerability can be exploited only if
        'smbclient' is installed on the victim's computer, which is provided by
        the 'samba' Gentoo package.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200612-16"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Links users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-client/links-2.1_pre26'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:links");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/16");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-client/links", unaffected:make_list("ge 2.1_pre26"), vulnerable:make_list("lt 2.1_pre26"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Links");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1240.NASL
    descriptionTeemu Salmela discovered that the links2 character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id23945
    published2006-12-30
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23945
    titleDebian DSA-1240-1 : links2 - insufficient escaping
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1240. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23945);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"DSA", value:"1240");
    
      script_name(english:"Debian DSA-1240-1 : links2 - insufficient escaping");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Teemu Salmela discovered that the links2 character mode web browser
    performs insufficient sanitising of smb:// URIs, which might lead to
    the execution of arbitrary shell commands."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400718"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1240"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the links2 package.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 2.1pre16-1sarge1.
    
    For the upcoming stable distribution (etch) this problem has been
    fixed in version 2.1pre26-1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:links2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"links2", reference:"2.1pre16-1sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_LINKS-2292.NASL
    descriptionMalicious websites could abuse smb:// URLs to read or write arbitrary files of the user (CVE-2006-5925). Therefore this update disables SMB support in links.
    last seen2020-06-01
    modified2020-06-02
    plugin id27342
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27342
    titleopenSUSE 10 Security Update : links (links-2292)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update links-2292.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27342);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-5925");
    
      script_name(english:"openSUSE 10 Security Update : links (links-2292)");
      script_summary(english:"Check for the links-2292 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Malicious websites could abuse smb:// URLs to read or write arbitrary
    files of the user (CVE-2006-5925). Therefore this update disables SMB
    support in links."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected links package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:links");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"links-2.1pre18-14.5") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "links");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-851-1.NASL
    descriptionTeemu Salmela discovered that Elinks did not properly validate input when processing smb:// URLs. If a user were tricked into viewing a malicious website and had smbclient installed, a remote attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2006-5925) Jakub Wilk discovered a logic error in Elinks, leading to a buffer overflow. If a user were tricked into viewing a malicious website, a remote attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-7224). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id42208
    published2009-10-22
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/42208
    titleUbuntu 6.06 LTS : elinks vulnerabilities (USN-851-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-851-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42208);
      script_version("1.12");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2006-5925", "CVE-2008-7224");
      script_xref(name:"USN", value:"851-1");
    
      script_name(english:"Ubuntu 6.06 LTS : elinks vulnerabilities (USN-851-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Teemu Salmela discovered that Elinks did not properly validate input
    when processing smb:// URLs. If a user were tricked into viewing a
    malicious website and had smbclient installed, a remote attacker could
    execute arbitrary code with the privileges of the user invoking the
    program. (CVE-2006-5925)
    
    Jakub Wilk discovered a logic error in Elinks, leading to a buffer
    overflow. If a user were tricked into viewing a malicious website, a
    remote attacker could cause a denial of service via application crash,
    or possibly execute arbitrary code with the privileges of the user
    invoking the program. (CVE-2008-7224).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/851-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected elinks and / or elinks-lite packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:elinks");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:elinks-lite");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"elinks", pkgver:"0.10.6-1ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"elinks-lite", pkgver:"0.10.6-1ubuntu3.4")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "elinks / elinks-lite");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1226.NASL
    descriptionTeemu Salmela discovered that the links character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id23844
    published2006-12-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23844
    titleDebian DSA-1226-1 : links - insufficient escaping
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1226. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23844);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"DSA", value:"1226");
    
      script_name(english:"Debian DSA-1226-1 : links - insufficient escaping");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Teemu Salmela discovered that the links character mode web browser
    performs insufficient sanitising of smb:// URIs, which might lead to
    the execution of arbitrary shell commands."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399187"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1226"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the links package.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 0.99+1.00pre12-1sarge1.
    
    For the upcoming stable distribution (etch) this problem has been
    fixed in version 0.99+1.00pre12-1.1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:links");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"links", reference:"0.99+1.00pre12-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"links-ssl", reference:"0.99+1.00pre12-1sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1228.NASL
    descriptionTeemu Salmela discovered that the elinks character mode web browser performs insufficient sanitising of smb:// URIs, which might lead to the execution of arbitrary shell commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id23770
    published2006-12-06
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23770
    titleDebian DSA-1228-1 : elinks - insufficient escaping
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1228. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23770);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"DSA", value:"1228");
    
      script_name(english:"Debian DSA-1228-1 : elinks - insufficient escaping");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Teemu Salmela discovered that the elinks character mode web browser
    performs insufficient sanitising of smb:// URIs, which might lead to
    the execution of arbitrary shell commands."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1228"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the elinks package.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 0.10.4-7.1.
    
    For the upcoming stable distribution (etch) this problem has been
    fixed in version 0.11.1-1.2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:elinks");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/06");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"elinks", reference:"0.10.4-7.1")) flag++;
    if (deb_check(release:"3.1", prefix:"elinks-lite", reference:"0.10.4-7.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0742.NASL
    descriptionAn updated elinks package that corrects a security vulnerability is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Elinks is a text mode Web browser used from the command line that supports rendering modern web pages. An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks. (CVE-2006-5925) All users of Elinks are advised to upgrade to this updated package, which resolves this issue by removing support for the SMB protocol from Elinks. Note: this issue did not affect the Elinks package shipped with Red Hat Enterprise Linux 3, or the Links package shipped with Red Hat Enterprise Linux 2.1.
    last seen2020-06-01
    modified2020-06-02
    plugin id37097
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37097
    titleCentOS 4 : elinks (CESA-2006:0742)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2006:0742 and 
    # CentOS Errata and Security Advisory 2006:0742 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37097);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"RHSA", value:"2006:0742");
    
      script_name(english:"CentOS 4 : elinks (CESA-2006:0742)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated elinks package that corrects a security vulnerability is
    now available for Red Hat Enterprise Linux 4.
    
    This update has been rated as having critical security impact by the
    Red Hat Security Response Team.
    
    Elinks is a text mode Web browser used from the command line that
    supports rendering modern web pages.
    
    An arbitrary file access flaw was found in the Elinks SMB protocol
    handler. A malicious web page could have caused Elinks to read or
    write files with the permissions of the user running Elinks.
    (CVE-2006-5925)
    
    All users of Elinks are advised to upgrade to this updated package,
    which resolves this issue by removing support for the SMB protocol
    from Elinks.
    
    Note: this issue did not affect the Elinks package shipped with Red
    Hat Enterprise Linux 3, or the Links package shipped with Red Hat
    Enterprise Linux 2.1."
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-November/013412.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6186841e"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-November/013413.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b085ba6d"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-November/013414.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0dab7d9c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected elinks package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:elinks");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", reference:"elinks-0.9.2-3.3")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "elinks");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-216.NASL
    descriptionThe links web browser with smbclient installed allows remote attackers to execute arbitrary code via shell metacharacters in an smb:// URI, as demonstrated by using PUT and GET statements. Corporate 3.0 is not affected by this issue, as that version of links does not have smb:// URI support. Updated packages have disabled access to smb:// URIs.
    last seen2020-06-01
    modified2020-06-02
    plugin id24601
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24601
    titleMandrake Linux Security Advisory : links (MDKSA-2006:216)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:216. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24601);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"MDKSA", value:"2006:216");
    
      script_name(english:"Mandrake Linux Security Advisory : links (MDKSA-2006:216)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The links web browser with smbclient installed allows remote attackers
    to execute arbitrary code via shell metacharacters in an smb:// URI,
    as demonstrated by using PUT and GET statements.
    
    Corporate 3.0 is not affected by this issue, as that version of links
    does not have smb:// URI support.
    
    Updated packages have disabled access to smb:// URIs."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:links");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:links-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:links-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:links-graphic");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"links-2.1-0.pre18.5.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"links-common-2.1-0.pre18.5.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"links-graphic-2.1-0.pre18.5.1.20060mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2007.0", reference:"links-2.1-0.pre18.13.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"links-common-2.1-0.pre18.13.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"links-debug-2.1-0.pre18.13.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"links-graphic-2.1-0.pre18.13.1mdv2007.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200701-27.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200701-27 (ELinks: Arbitrary Samba command execution) Teemu Salmela discovered an error in the validation code of
    last seen2020-06-01
    modified2020-06-02
    plugin id24312
    published2007-02-09
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24312
    titleGLSA-200701-27 : ELinks: Arbitrary Samba command execution
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200701-27.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24312);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"GLSA", value:"200701-27");
    
      script_name(english:"GLSA-200701-27 : ELinks: Arbitrary Samba command execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200701-27
    (ELinks: Arbitrary Samba command execution)
    
        Teemu Salmela discovered an error in the validation code of 'smb://'
        URLs used by ELinks, the same issue as reported in GLSA 200612-16
        concerning Links.
      
    Impact :
    
        A remote attacker could entice a user to browse to a specially crafted
        'smb://' URL and execute arbitrary Samba commands, which would allow
        the overwriting of arbitrary local files or the upload or download of
        arbitrary files. This vulnerability can be exploited only if
        'smbclient' is installed on the victim's computer, which is provided by
        the 'samba' Gentoo package.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200701-27"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All ELinks users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-client/elinks-0.11.2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:elinks");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/09");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-client/elinks", unaffected:make_list("ge 0.11.2"), vulnerable:make_list("lt 0.11.2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ELinks");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-1278.NASL
    description - Tue Nov 21 2006 Karel Zak <kzak at redhat.com> 0.11.1-5.1 - fix #215734: CVE-2006-5925 elinks smb protocol arbitrary file access - Wed Oct 11 2006 Karel Zak <kzak at redhat.com> 0.11.1-5 - fix #210103 - elinks crashes when given bad HTTP_PROXY - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - 0.11.1-4.1 - rebuild - Mon Jun 12 2006 Karel Zak <kzak at redhat.com> 0.11.1-4 - improved negotiate-auth patch (faster now) - Fri Jun 9 2006 Karel Zak <kzak at redhat.com> 0.11.1-3 - added negotiate-auth (GSSAPI) support -- EXPERIMENTAL! - Mon May 29 2006 Karel Zak <kzak at redhat.com> 0.11.1-2 - update to new upstream version - Wed May 17 2006 Karsten Hopp <karsten at redhat.de> 0.11.0-3 - add buildrequires bzip2-devel, expat-devel,libidn-devel - Fri Feb 10 2006 Jesse Keating <jkeating at redhat.com> - 0.11.0-2.2 - bump again for double-long bug on ppc(64) - Tue Feb 7 2006 Jesse Keating <jkeating at redhat.com> - 0.11.0-2.1 - rebuilt for new gcc4.1 snapshot and glibc changes - Tue Jan 10 2006 Karel Zak <kzak at redhat.com> 0.11.0-2 - use upstream version of srcdir.patch - Tue Jan 10 2006 Karel Zak <kzak at redhat.com> 0.11.0-1 - update to new upstream version - fix 0.11.0 build system (srcdir.patch) - regenerate patches: elinks-0.11.0-getaddrinfo.patch, elinks-0.11.0-ssl-noegd.patch, elinks-0.11.0-sysname.patch, elinks-0.11.0-union.patch - Fri Dec 9 2005 Jesse Keating <jkeating at redhat.com> 0.10.6-2.1 - rebuilt - Wed Nov 9 2005 Karel Zak <kzak at redhat.com> 0.10.6-2 - rebuild (against new openssl) - Thu Sep 29 2005 Karel Zak <kzak at redhat.com> 0.10.6-1 - update to new upstream version - Tue May 17 2005 Karel Zak <kzak at redhat.com> 0.10.3-3 - fix #157300 - Strange behavior on ppc64 (patch by Miloslav Trmac) - Tue May 10 2005 Miloslav Trmac <mitr at redhat.com> - 0.10.3-2 - Fix checking for numeric command prefix (#152953, patch by Jonas Fonseca) - Fix invalid C causing assertion errors on ppc and ia64 (#156647) - Mon Mar 21 2005 Karel Zak <kzak at redhat.com> 0.10.3-1 - sync with upstream; stable 0.10.3 - Sat Mar 5 2005 Karel Zak <kzak at redhat.com> 0.10.2-2 - rebuilt - Tue Feb 8 2005 Karel Zak <kzak at redhat.com> 0.10.2-1 - sync with upstream; stable 0.10.2 - Fri Jan 28 2005 Karel Zak <kzak at redhat.com> 0.10.1-1 - sync with upstream; stable 0.10.1 - Thu Oct 14 2004 Karel Zak <kzak at redhat.com> 0.9.2-2 - the
    last seen2020-06-01
    modified2020-06-02
    plugin id24056
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24056
    titleFedora Core 6 : elinks-0.11.1-5.1 (2006-1278)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-1278.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24056);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_xref(name:"FEDORA", value:"2006-1278");
    
      script_name(english:"Fedora Core 6 : elinks-0.11.1-5.1 (2006-1278)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Tue Nov 21 2006 Karel Zak <kzak at redhat.com>
        0.11.1-5.1
    
        - fix #215734: CVE-2006-5925 elinks smb protocol
          arbitrary file access
    
        - Wed Oct 11 2006 Karel Zak <kzak at redhat.com>
          0.11.1-5
    
        - fix #210103 - elinks crashes when given bad HTTP_PROXY
    
        - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com>
          - 0.11.1-4.1
    
        - rebuild
    
        - Mon Jun 12 2006 Karel Zak <kzak at redhat.com>
          0.11.1-4
    
        - improved negotiate-auth patch (faster now)
    
        - Fri Jun 9 2006 Karel Zak <kzak at redhat.com> 0.11.1-3
    
        - added negotiate-auth (GSSAPI) support -- EXPERIMENTAL!
    
        - Mon May 29 2006 Karel Zak <kzak at redhat.com>
          0.11.1-2
    
        - update to new upstream version
    
        - Wed May 17 2006 Karsten Hopp <karsten at redhat.de>
          0.11.0-3
    
        - add buildrequires bzip2-devel,
          expat-devel,libidn-devel
    
        - Fri Feb 10 2006 Jesse Keating <jkeating at redhat.com>
          - 0.11.0-2.2
    
        - bump again for double-long bug on ppc(64)
    
        - Tue Feb 7 2006 Jesse Keating <jkeating at redhat.com>
          - 0.11.0-2.1
    
        - rebuilt for new gcc4.1 snapshot and glibc changes
    
        - Tue Jan 10 2006 Karel Zak <kzak at redhat.com>
          0.11.0-2
    
        - use upstream version of srcdir.patch
    
        - Tue Jan 10 2006 Karel Zak <kzak at redhat.com>
          0.11.0-1
    
        - update to new upstream version
    
        - fix 0.11.0 build system (srcdir.patch)
    
        - regenerate patches: elinks-0.11.0-getaddrinfo.patch,
          elinks-0.11.0-ssl-noegd.patch,
          elinks-0.11.0-sysname.patch, elinks-0.11.0-union.patch
    
      - Fri Dec 9 2005 Jesse Keating <jkeating at redhat.com>
        0.10.6-2.1
    
        - rebuilt
    
        - Wed Nov 9 2005 Karel Zak <kzak at redhat.com> 0.10.6-2
    
        - rebuild (against new openssl)
    
        - Thu Sep 29 2005 Karel Zak <kzak at redhat.com>
          0.10.6-1
    
        - update to new upstream version
    
        - Tue May 17 2005 Karel Zak <kzak at redhat.com>
          0.10.3-3
    
        - fix #157300 - Strange behavior on ppc64 (patch by
          Miloslav Trmac)
    
        - Tue May 10 2005 Miloslav Trmac <mitr at redhat.com> -
          0.10.3-2
    
        - Fix checking for numeric command prefix (#152953,
          patch by Jonas Fonseca)
    
        - Fix invalid C causing assertion errors on ppc and ia64
          (#156647)
    
        - Mon Mar 21 2005 Karel Zak <kzak at redhat.com>
          0.10.3-1
    
        - sync with upstream; stable 0.10.3
    
        - Sat Mar 5 2005 Karel Zak <kzak at redhat.com> 0.10.2-2
    
        - rebuilt
    
        - Tue Feb 8 2005 Karel Zak <kzak at redhat.com> 0.10.2-1
    
        - sync with upstream; stable 0.10.2
    
        - Fri Jan 28 2005 Karel Zak <kzak at redhat.com>
          0.10.1-1
    
        - sync with upstream; stable 0.10.1
    
        - Thu Oct 14 2004 Karel Zak <kzak at redhat.com> 0.9.2-2
    
        - the 'Linux' driver seems better than 'VT100' for xterm
          (#128105)
    
        - Wed Oct 6 2004 Karel Zak <kzak at redhat.com> 0.9.2-1
    
    [plus 117 lines in the Changelog]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2006-November/000946.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?00bdc36c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected elinks and / or elinks-debuginfo packages."
      );
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:elinks");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:elinks-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC6", reference:"elinks-0.11.1-5.1")) flag++;
    if (rpm_check(release:"FC6", reference:"elinks-debuginfo-0.11.1-5.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "elinks / elinks-debuginfo");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-1277.NASL
    description - Tue Nov 21 2006 Karel Zak <kzak at redhat.com> 0.11.0-2.4 - fix #215734: CVE-2006-5925 elinks smb protocol arbitrary file access - Mon May 29 2006 Karel Zak <kzak at redhat.com> 0.11.0-2.3 - add buildrequires bzip2-devel, expat-devel,libidn-devel Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24055
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24055
    titleFedora Core 5 : elinks-0.11.0-2.4 (2006-1277)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-1277.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24055);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_xref(name:"FEDORA", value:"2006-1277");
    
      script_name(english:"Fedora Core 5 : elinks-0.11.0-2.4 (2006-1277)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Tue Nov 21 2006 Karel Zak <kzak at redhat.com>
        0.11.0-2.4
    
        - fix #215734: CVE-2006-5925 elinks smb protocol
          arbitrary file access
    
        - Mon May 29 2006 Karel Zak <kzak at redhat.com>
          0.11.0-2.3
    
        - add buildrequires bzip2-devel,
          expat-devel,libidn-devel
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2006-November/000945.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?08fd6a63"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected elinks and / or elinks-debuginfo packages."
      );
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:elinks");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:elinks-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC5", reference:"elinks-0.11.0-2.4")) flag++;
    if (rpm_check(release:"FC5", reference:"elinks-debuginfo-0.11.0-2.4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "elinks / elinks-debuginfo");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2006-0742.NASL
    descriptionFrom Red Hat Security Advisory 2006:0742 : An updated elinks package that corrects a security vulnerability is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Elinks is a text mode Web browser used from the command line that supports rendering modern web pages. An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks. (CVE-2006-5925) All users of Elinks are advised to upgrade to this updated package, which resolves this issue by removing support for the SMB protocol from Elinks. Note: this issue did not affect the Elinks package shipped with Red Hat Enterprise Linux 3, or the Links package shipped with Red Hat Enterprise Linux 2.1.
    last seen2020-06-01
    modified2020-06-02
    plugin id67426
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67426
    titleOracle Linux 4 : elinks (ELSA-2006-0742)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2006:0742 and 
    # Oracle Linux Security Advisory ELSA-2006-0742 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67426);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:06");
    
      script_cve_id("CVE-2006-5925");
      script_xref(name:"RHSA", value:"2006:0742");
    
      script_name(english:"Oracle Linux 4 : elinks (ELSA-2006-0742)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2006:0742 :
    
    An updated elinks package that corrects a security vulnerability is
    now available for Red Hat Enterprise Linux 4.
    
    This update has been rated as having critical security impact by the
    Red Hat Security Response Team.
    
    Elinks is a text mode Web browser used from the command line that
    supports rendering modern web pages.
    
    An arbitrary file access flaw was found in the Elinks SMB protocol
    handler. A malicious web page could have caused Elinks to read or
    write files with the permissions of the user running Elinks.
    (CVE-2006-5925)
    
    All users of Elinks are advised to upgrade to this updated package,
    which resolves this issue by removing support for the SMB protocol
    from Elinks.
    
    Note: this issue did not affect the Elinks package shipped with Red
    Hat Enterprise Linux 3, or the Links package shipped with Red Hat
    Enterprise Linux 2.1."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2006-November/000021.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected elinks package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:elinks");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"elinks-0.9.2-3.3")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"elinks-0.9.2-3.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "elinks");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0742.NASL
    descriptionAn updated elinks package that corrects a security vulnerability is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Elinks is a text mode Web browser used from the command line that supports rendering modern web pages. An arbitrary file access flaw was found in the Elinks SMB protocol handler. A malicious web page could have caused Elinks to read or write files with the permissions of the user running Elinks. (CVE-2006-5925) All users of Elinks are advised to upgrade to this updated package, which resolves this issue by removing support for the SMB protocol from Elinks. Note: this issue did not affect the Elinks package shipped with Red Hat Enterprise Linux 3, or the Links package shipped with Red Hat Enterprise Linux 2.1.
    last seen2020-06-01
    modified2020-06-02
    plugin id23684
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/23684
    titleRHEL 4 : elinks (RHSA-2006:0742)

Oval

accepted2013-04-29T04:12:24.365-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionLinks web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed allows remote attackers to execute arbitrary code via shell metacharacters in an smb:// URI, as demonstrated by using PUT and GET statements.
familyunix
idoval:org.mitre.oval:def:11213
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleLinks web browser 1.00pre12 and Elinks 0.9.2 with smbclient installed allows remote attackers to execute arbitrary code via shell metacharacters in an smb:// URI, as demonstrated by using PUT and GET statements.
version26

Redhat

advisories
bugzilla
id215731
titleCVE-2006-5925 elinks smb protocol arbitrary file access
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • commentelinks is earlier than 0:0.9.2-3.3
      ovaloval:com.redhat.rhsa:tst:20060742001
    • commentelinks is signed with Red Hat master key
      ovaloval:com.redhat.rhsa:tst:20060742002
rhsa
idRHSA-2006:0742
released2006-11-15
severityCritical
titleRHSA-2006:0742: elinks security update (Critical)
rpms
  • elinks-0:0.9.2-3.3
  • elinks-debuginfo-0:0.9.2-3.3

References