CVE-2008-2939 - Cross-site Scripting vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
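The flaw class described above, as an added illustration (not Apache's source and not part of the original record): a simplified listing-heading builder that echoes the requested FTP path, first unescaped and then HTML-escaped at output. The function names, the `<h2>` layout (modelled on the substring the Nessus plugin further down this page looks for), the glob character set (only the three characters that plugin's description names) and the sample host and path are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; not Apache httpd source. All names are hypothetical. */

/* Returns 1 if the last component of an FTP path contains a globbing
 * character. Only the characters named on this page are checked. */
int last_component_has_glob(const char *path)
{
    const char *last = strrchr(path, '/');
    last = last ? last + 1 : path;
    return strpbrk(last, "*~[") != NULL;
}

/* HTML-escape src into dst. Returns 0 on success, -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        size_t n;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (o + n >= cap) return -1;   /* keep room for the terminator */
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Shared formatter: writes the heading, -1 if it does not fit. */
static int emit_heading(const char *site, const char *path,
                        char *out, size_t cap)
{
    int n = snprintf(out, cap,
                     "<h2>Directory of <a href=\"/\">%s</a>%s</h2>",
                     site, path);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* BEFORE: the request-derived path is copied into the page as-is, so
 * markup in the wildcard component becomes markup in the response. */
int heading_unescaped(const char *site, const char *path,
                      char *out, size_t cap)
{
    return emit_heading(site, path, out, cap);
}

/* AFTER: every request-derived string is escaped at the point of output. */
int heading_escaped(const char *site, const char *path,
                    char *out, size_t cap)
{
    char esc_site[256], esc_path[1024];
    if (html_escape(site, esc_site, sizeof esc_site) != 0 ||
        html_escape(path, esc_path, sizeof esc_path) != 0)
        return -1;
    return emit_heading(esc_site, esc_path, out, cap);
}

int main(void)
{
    /* Constructed sample input: a harmless marker tag after a wildcard. */
    const char *site = "ftp.example.test";
    const char *path = "/pub/*<marker>";
    char buf[2048];

    printf("glob in last component: %d\n", last_component_has_glob(path));
    if (heading_unescaped(site, path, buf, sizeof buf) == 0)
        printf("unescaped: %s\n", buf);
    if (heading_escaped(site, path, buf, sizeof buf) == 0)
        printf("escaped:   %s\n", buf);
    return 0;
}
```

Escaping belongs at the output step rather than in a filter on the request, because the same path is still needed unmodified for the FTP command sent upstream.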

Vulnerable Configurations

Part         Description  Count
Application  Apache       144
OS           Canonical    3
OS           Opensuse     3
OS           Apple        55

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Embedding Scripts in Non-Script Elements
    This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts like Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Cross-Site Scripting in Error Pages
    An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker, the infected error message is returned including the exploit code, which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, which the victim may trust and hence be more vulnerable to deception.
  • Cross-Site Scripting Using Alternate Syntax
    The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-731-1.NASL
    description: It was discovered that Apache did not sanitize the method specifier header from an HTTP request when it is returned in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2007-6203) It was discovered that Apache was vulnerable to a cross-site request forgery (CSRF) in the mod_proxy_balancer balancer manager. If an Apache administrator were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands that could modify the balancer manager configuration. This issue only affected Ubuntu 7.10 and 8.04 LTS. (CVE-2007-6420) It was discovered that Apache had a memory leak when using mod_ssl with compression. A remote attacker could exploit this to exhaust server memory, leading to a denial of service. This issue only affected Ubuntu 7.10. (CVE-2008-1678) It was discovered that in certain conditions, Apache did not specify a default character set when returning certain error messages containing UTF-7 encoded data, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. This issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-2168) It was discovered that when configured as a proxy server, Apache did not limit the number of forwarded interim responses. A malicious remote server could send a large number of interim responses and cause a denial of service via memory exhaustion. (CVE-2008-2364) It was discovered that mod_proxy_ftp did not sanitize wildcard pathnames when they are returned in directory listings, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2008-2939). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36589
    published: 2009-04-23
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36589
    title: Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : apache2 vulnerabilities (USN-731-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-731-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36589);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2007-6203", "CVE-2007-6420", "CVE-2008-1678", "CVE-2008-2168", "CVE-2008-2364", "CVE-2008-2939");
      script_bugtraq_id(26663, 27236, 29653, 30560, 31692);
      script_xref(name:"USN", value:"731-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : apache2 vulnerabilities (USN-731-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Apache did not sanitize the method specifier
    header from an HTTP request when it is returned in an error message,
    which could result in browsers becoming vulnerable to cross-site
    scripting attacks when processing the output. With cross-site
    scripting vulnerabilities, if a user were tricked into viewing server
    output during a crafted server request, a remote attacker could
    exploit this to modify the contents, or steal confidential data (such
    as passwords), within the same domain. This issue only affected Ubuntu
    6.06 LTS and 7.10. (CVE-2007-6203)
    
    It was discovered that Apache was vulnerable to a cross-site request
    forgery (CSRF) in the mod_proxy_balancer balancer manager. If an
    Apache administrator were tricked into clicking a link on a specially
    crafted web page, an attacker could trigger commands that could modify
    the balancer manager configuration. This issue only affected Ubuntu
    7.10 and 8.04 LTS. (CVE-2007-6420)
    
    It was discovered that Apache had a memory leak when using mod_ssl
    with compression. A remote attacker could exploit this to exhaust
    server memory, leading to a denial of service. This issue only
    affected Ubuntu 7.10. (CVE-2008-1678)
    
    It was discovered that in certain conditions, Apache did not specify a
    default character set when returning certain error messages containing
    UTF-7 encoded data, which could result in browsers becoming vulnerable
    to cross-site scripting attacks when processing the output. This issue
    only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-2168)
    
    It was discovered that when configured as a proxy server, Apache did
    not limit the number of forwarded interim responses. A malicious
    remote server could send a large number of interim responses and cause
    a denial of service via memory exhaustion. (CVE-2008-2364)
    
    It was discovered that mod_proxy_ftp did not sanitize wildcard
    pathnames when they are returned in directory listings, which could
    result in browsers becoming vulnerable to cross-site scripting attacks
    when processing the output. (CVE-2008-2939).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/731-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(79, 352, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-event");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-perchild");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-mpm-worker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-prefork-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-src");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-threaded-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:apache2.2-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapr0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libapr0-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|7\.10|8\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 7.10 / 8.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"apache2", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-common", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-doc", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-mpm-perchild", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-mpm-prefork", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-mpm-worker", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-prefork-dev", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-threaded-dev", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"apache2-utils", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libapr0", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libapr0-dev", pkgver:"2.0.55-4ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-doc", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-mpm-event", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-mpm-perchild", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-mpm-prefork", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-mpm-worker", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-prefork-dev", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-src", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-threaded-dev", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2-utils", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"apache2.2-common", pkgver:"2.2.4-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2", pkgver:"2.2.8-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-doc", pkgver:"2.2.8-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-mpm-event", pkgver:"2.2.8-1ubuntu0.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-mpm-perchild", pkgver:"2.2.8-1ubuntu0.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-mpm-prefork", pkgver:"2.2.8-1ubuntu0.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-mpm-worker", pkgver:"2.2.8-1ubuntu0.5")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-prefork-dev", pkgver:"2.2.8-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-src", pkgver:"2.2.8-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-threaded-dev", pkgver:"2.2.8-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2-utils", pkgver:"2.2.8-1ubuntu0.4")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"apache2.2-common", pkgver:"2.2.8-1ubuntu0.5")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2 / apache2-common / apache2-doc / apache2-mpm-event / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-5628.NASL
    description: Missing sanity checks of FTP URLs allowed cross site scripting (XSS) attacks via the mod_proxy_ftp module (CVE-2008-2939). Missing precautions allowed cross site request forgery (CSRF) via the mod_proxy_balancer interface (CVE-2007-6420).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34697
    published: 2008-11-05
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34697
    title: openSUSE 10 Security Update : apache2 (apache2-5628)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update apache2-5628.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34697);
      script_version ("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      script_cve_id("CVE-2007-6420", "CVE-2008-2939");
    
      script_name(english:"openSUSE 10 Security Update : apache2 (apache2-5628)");
      script_summary(english:"Check for the apache2-5628 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Missing sanity checks of FTP URLs allowed cross site scripting (XSS)
    attacks via the mod_proxy_ftp module (CVE-2008-2939).
    
    Missing precautions allowed cross site request forgery (CSRF) via the
    mod_proxy_balancer interface (CVE-2007-6420)."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_cwe_id(79, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-example-pages");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-worker");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.2", reference:"apache2-2.2.3-26") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"apache2-devel-2.2.3-26") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"apache2-example-pages-2.2.3-26") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"apache2-prefork-2.2.3-26") ) flag++;
    if ( rpm_check(release:"SUSE10.2", reference:"apache2-worker-2.2.3-26") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2 / apache2-devel / apache2-example-pages / apache2-prefork / etc");
    }
    
  • NASL family: Web Servers
    NASL id: APACHE_MOD_PROXY_FTP_GLOB_XSS.NASL
    description: The mod_proxy_ftp module in the version of Apache running on the remote host fails to properly sanitize user-supplied URL input before using it to generate dynamic HTML output. Using specially crafted requests for FTP URLs with globbing characters (such as asterisk, tilde, opening square bracket, etc), an attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34433
    published: 2008-10-16
    reporter: This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/34433
    title: Apache mod_proxy_ftp Directory Component Wildcard Character Globbing XSS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34433);
      script_version("1.22");
    
      script_cve_id("CVE-2008-2939");
      script_bugtraq_id(30560);
    
      script_name(english:"Apache mod_proxy_ftp Directory Component Wildcard Character Globbing XSS");
      script_summary(english:"Checks for mod_proxy_ftp XSS issue");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is vulnerable to a cross-site scripting attack." );
     script_set_attribute(attribute:"description", value:
    "The mod_proxy_ftp module in the version of Apache running on the
    remote host fails to properly sanitize user-supplied URL input before
    using it to generate dynamic HTML output. Using specially crafted
    requests for FTP URLs with globbing characters (such as asterisk,
    tilde, opening square bracket, etc), an attacker may be able to
    leverage this issue to inject arbitrary HTML and script code into a
    user's browser to be executed within the security context of the
    affected site." );
     script_set_attribute(attribute:"see_also", value:"http://www.rapid7.com/advisories/R7-0033" );
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/495180/100/0/threaded" );
     script_set_attribute(attribute:"see_also", value:"https://archive.apache.org/dist/httpd/CHANGES_2.2");
     script_set_attribute(attribute:"see_also", value:"http://httpd.apache.org/security/vulnerabilities_22.html" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache version 2.2.10 or later. Alternatively, disable the
    affected module.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(79);
     script_set_attribute(attribute:"plugin_publication_date", value: "2008/10/16");
     script_cvs_date("Date: 2018/11/15 20:50:25");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:apache:http_server");
    script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
     
      script_category(ACT_ATTACK);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("apache_http_version.nasl", "cross_site_scripting.nasl");
      script_require_keys("installed_sw/Apache");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("url_func.inc");
    include("audit.inc");
    include("install_func.inc");
    
    get_install_count(app_name:"Apache", exit_if_zero:TRUE);
    port = get_http_port(default:80);
    install = get_single_install(app_name:"Apache", port:port);
    
    get_kb_item_or_exit("www/"+port+"/generic_xss");
    banner = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);
    backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);
    
    server = strstr(banner, "Server:");
    server = server - strstr(server, '\r\n');
    
    
    # Try to exploit the issue.
    #
    # nb: this only works if we can access an FTP server anonymously.
    ftp_hosts = make_list(
      get_host_name(),
      "127.0.0.1",
      "ftp"
    );
    
    exploit = string("/*<", SCRIPT_NAME, ">");
    sanitized_exploit = string("/*&lt;", SCRIPT_NAME, "&gt;");
    
    foreach ftp_host (ftp_hosts)
    {
      soc = http_open_socket(port);
      if (!soc) exit(0);
    
      req = string("GET ftp://", ftp_host, exploit, " HTTP/1.0\r\n\r\n");
      r = http_send_recv_buf(port: port, data: req);
      if (isnull(r)) exit(0);
      res = strcat(r[0], r[1], '\r\n', r[2]);
    
      # There's a problem if we see the exploit.
      if (string("</a>", exploit, "</h2>") >< res)
      {
        set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
        if (report_verbosity)
        {
          report = string(
            "\n",
            "Nessus was able to verify the issue using the following request : \n",
            "\n",
            "  ", str_replace(find:'\n', replace:'\n  ', string:req), "\n"
          );
          security_warning(port:port, extra:report);
        }
        else security_warning(port);
        exit(0);
      }
      # Else if we get a 403...
      else if ("<title>403 " >< tolower(res))
      {
        # We're not allowed to use the proxy or mod_proxy_ftp isn't loaded.
        if (string("ftp://", ftp_host, "/*") >< res) break;
        # Otherwise mod_proxy is not loaded / proxyrequests is off.
        else if (report_paranoia < 2) exit(0);
      }
      # Else if the exploit was sanitized there's definitely not a problem.
      else if (string("</a>", sanitized_exploit, "</h2>") >< res) exit(0);
    }
     
    
    # Try a banner check.
    if (report_paranoia < 2 || backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
    
    ver = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
    if (ver =~ "^2\.(0\.([0-9]|[0-5][0-9]|6[0-3])|2\.[0-9])($|[^0-9])")
    {
      if (report_verbosity)
      {
        report = string(
          "\n",
          "Apache version ", ver, " appears to be running on the remote host based\n",
          "on the following Server response header :\n",
          "\n",
          "  ", server, "\n",
          "\n",
          "Note that Nessus tried but failed to exploit the issue and instead has\n",
          "relied only on a banner check.  There may be several reasons why the\n",
          "exploit failed :\n",
          "\n",
          "  - The remote web server is not configured to use\n",
          "    mod_proxy_ftp or to proxy requests in general.\n",
          "\n",
          "  - The remote web server is configured such that the Nessus\n",
          "    scanning host is not allowed to use the proxy.\n",
          "\n",
          "  - The plugin did not know of an anonymous FTP server that\n",
          "    it could use for testing.\n"
        );
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, ver);
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-5767.NASL
    description: Missing sanity checks of FTP URLs allowed cross-site scripting (XSS) attacks via the mod_proxy_ftp module. (CVE-2008-2939) Missing precautions allowed cross-site request forgery (CSRF) via the mod_proxy_balancer interface. (CVE-2007-6420)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34779
    published: 2008-11-16
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34779
    title: SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5767)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34779);
      script_version ("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      script_cve_id("CVE-2007-6420", "CVE-2008-2939");
    
      script_name(english:"SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5767)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Missing sanity checks of FTP URLs allowed cross-site scripting (XSS)
    attacks via the mod_proxy_ftp module. (CVE-2008-2939)
    
    Missing precautions allowed cross-site request forgery (CSRF) via the
    mod_proxy_balancer interface. (CVE-2007-6420)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-6420.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-2939.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5767.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_cwe_id(79, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"apache2-2.2.3-16.17.7")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"apache2-devel-2.2.3-16.17.7")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"apache2-doc-2.2.3-16.17.7")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"apache2-example-pages-2.2.3-16.17.7")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"apache2-prefork-2.2.3-16.17.7")) flag++;
    if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"apache2-worker-2.2.3-16.17.7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-5629.NASL
    description: Missing sanity checks of FTP URLs allowed cross-site scripting (XSS) attacks via the mod_proxy_ftp module. (CVE-2008-2939) Missing precautions allowed cross-site request forgery (CSRF) via the mod_proxy_balancer interface. (CVE-2007-6420)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34698
    published: 2008-11-05
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34698
    title: SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5629)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34698);
      script_version ("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      script_cve_id("CVE-2007-6420", "CVE-2008-2939");
    
      script_name(english:"SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 5629)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Missing sanity checks of FTP URLs allowed cross-site scripting (XSS)
    attacks via the mod_proxy_ftp module. (CVE-2008-2939)
    
    Missing precautions allowed cross-site request forgery (CSRF) via the
    mod_proxy_balancer interface. (CVE-2007-6420)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2007-6420.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-2939.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5629.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_cwe_id(79, 352);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLES10", sp:1, reference:"apache2-2.2.3-16.17.5")) flag++;
    if (rpm_check(release:"SLES10", sp:1, reference:"apache2-devel-2.2.3-16.17.5")) flag++;
    if (rpm_check(release:"SLES10", sp:1, reference:"apache2-doc-2.2.3-16.17.5")) flag++;
    if (rpm_check(release:"SLES10", sp:1, reference:"apache2-example-pages-2.2.3-16.17.5")) flag++;
    if (rpm_check(release:"SLES10", sp:1, reference:"apache2-prefork-2.2.3-16.17.5")) flag++;
    if (rpm_check(release:"SLES10", sp:1, reference:"apache2-worker-2.2.3-16.17.5")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-2.2.3-16.19")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-devel-2.2.3-16.19")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-doc-2.2.3-16.19")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-example-pages-2.2.3-16.19")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-prefork-2.2.3-16.19")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"apache2-worker-2.2.3-16.19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-195.NASL
    description: A vulnerability was discovered in the mod_proxy module in Apache where it did not limit the number of forwarded interim responses, allowing remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses (CVE-2008-2364). A cross-site scripting vulnerability was found in the mod_proxy_ftp module in Apache that allowed remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). The updated packages have been patched to prevent these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37114
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/37114
    title: Mandriva Linux Security Advisory : apache (MDVSA-2008:195)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:195. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37114);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      script_cve_id("CVE-2008-2364", "CVE-2008-2939");
      script_xref(name:"MDVSA", value:"2008:195");
    
      script_name(english:"Mandriva Linux Security Advisory : apache (MDVSA-2008:195)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in the mod_proxy module in Apache where
    it did not limit the number of forwarded interim responses, allowing
    remote HTTP servers to cause a denial of service (memory consumption)
    via a large number of interim responses (CVE-2008-2364).
    
    A cross-site scripting vulnerability was found in the mod_proxy_ftp
    module in Apache that allowed remote attackers to inject arbitrary web
    script or HTML via wildcards in a pathname in an FTP URI
    (CVE-2008-2939).
    
    The updated packages have been patched to prevent these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(79, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-htcacheclean");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_disk_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_file_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_mem_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_userdir");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-event");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-itk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-worker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2007.1", reference:"apache-base-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-devel-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-htcacheclean-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_authn_dbd-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_cache-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_dav-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_dbd-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_deflate-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_disk_cache-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_file_cache-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_ldap-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_mem_cache-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_proxy-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_proxy_ajp-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_ssl-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mod_userdir-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-modules-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mpm-event-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mpm-itk-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mpm-prefork-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-mpm-worker-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.1", reference:"apache-source-2.2.4-6.5mdv2007.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.0", reference:"apache-base-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-devel-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-htcacheclean-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_authn_dbd-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_cache-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_dav-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_dbd-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_deflate-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_disk_cache-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_file_cache-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_ldap-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_mem_cache-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_proxy-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_proxy_ajp-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_ssl-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_userdir-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-modules-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-event-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-itk-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-prefork-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-worker-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-source-2.2.6-8.2mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"apache-base-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-devel-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-htcacheclean-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_authn_dbd-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_cache-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_dav-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_dbd-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_deflate-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_disk_cache-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_file_cache-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_ldap-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_mem_cache-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_proxy-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_proxy_ajp-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_ssl-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_userdir-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-modules-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-event-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-itk-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-prefork-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-worker-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-source-2.2.8-6.1mdv2008.1", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-124.NASL
    description: Multiple vulnerabilities have been found and corrected in apache: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (concerns 2008.1 only). Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0. The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195). This update provides fixes for these vulnerabilities. Update: The patch for fixing CVE-2009-1195 for Mandriva Linux 2008.1 was incomplete; this update addresses the problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39761
    published: 2009-06-01
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/39761
    title: Mandriva Linux Security Advisory : apache (MDVSA-2009:124-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:124. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39761);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:51");
    
      script_cve_id("CVE-2008-1678", "CVE-2008-2939", "CVE-2009-1195");
      script_bugtraq_id(30560, 31692, 35115);
      script_xref(name:"MDVSA", value:"2009:124-1");
    
      script_name(english:"Mandriva Linux Security Advisory : apache (MDVSA-2009:124-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been found and corrected in apache :
    
    Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c
    in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to
    cause a denial of service (memory consumption) via multiple calls, as
    demonstrated by initial SSL client handshakes to the Apache HTTP
    Server mod_ssl that specify a compression algorithm (CVE-2008-1678).
    Note that this security issue does not really apply as zlib
    compression is not enabled in the openssl build provided by Mandriva,
    but apache is patched to address this issue anyway (concerns 2008.1
    only).
    
    Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
    mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
    in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
    allows remote attackers to inject arbitrary web script or HTML via
    wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
    security issue was initially addressed with MDVSA-2008:195 but the
    patch fixing the issue was added but not applied in 2009.0.
    
    The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not
    properly handle Options=IncludesNOEXEC in the AllowOverride directive,
    which allows local users to gain privileges by configuring (1) Options
    Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
    .htaccess file, and then inserting an exec element in a .shtml file
    (CVE-2009-1195).
    
    This update provides fixes for these vulnerabilities.
    
    Update :
    
    The patch for fixing CVE-2009-1195 for Mandriva Linux 2008.1 was
    incomplete, this update addresses the problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(16, 79, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-htcacheclean");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_disk_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_file_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_mem_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_userdir");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-event");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-itk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-worker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.1", reference:"apache-base-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-devel-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-htcacheclean-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_authn_dbd-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_cache-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_dav-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_dbd-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_deflate-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_disk_cache-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_file_cache-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_ldap-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_mem_cache-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_proxy-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_ssl-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mod_userdir-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-modules-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-event-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-itk-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-prefork-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-mpm-worker-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"apache-source-2.2.8-6.4mdv2008.1", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20081111_HTTPD_ON_SL3_X.NASL
    description: A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939) In addition, these updated packages fix a bug found in the handling of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60493
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60493
    title: Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60493);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      script_cve_id("CVE-2008-2364", "CVE-2008-2939");
    
      script_name(english:"Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was found in the mod_proxy Apache module. An attacker in
    control of a Web server to which requests were being proxied could
    have caused a limited denial of service due to CPU consumption and
    stack exhaustion. (CVE-2008-2364)
    
    A flaw was found in the mod_proxy_ftp Apache module. If Apache was
    configured to support FTP-over-HTTP proxying, a remote attacker could
    have performed a cross-site scripting attack. (CVE-2008-2939)
    
    In addition, these updated packages fix a bug found in the handling of
    the 'ProxyRemoteMatch' directive in the Scientific Linux 4 httpd
    packages. This bug is not present in the Scientific Linux 3 or
    Scientific Linux 5 packages."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0811&L=scientific-linux-errata&T=0&P=1054
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8aa18fc2"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(79, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL3", reference:"httpd-2.0.46-71.sl3")) flag++;
    if (rpm_check(release:"SL3", reference:"httpd-devel-2.0.46-71.sl3")) flag++;
    if (rpm_check(release:"SL3", reference:"mod_ssl-2.0.46-71.sl3")) flag++;
    
    if (rpm_check(release:"SL4", reference:"httpd-2.0.52-41.sl4.2")) flag++;
    if (rpm_check(release:"SL4", reference:"httpd-devel-2.0.52-41.sl4.2")) flag++;
    if (rpm_check(release:"SL4", reference:"httpd-manual-2.0.52-41.sl4.2")) flag++;
    if (rpm_check(release:"SL4", reference:"httpd-suexec-2.0.52-41.sl4.2")) flag++;
    if (rpm_check(release:"SL4", reference:"mod_ssl-2.0.52-41.sl4.2")) flag++;
    
    if (rpm_check(release:"SL5", reference:"httpd-2.2.3-11.sl5.4")) flag++;
    if (rpm_check(release:"SL5", reference:"httpd-devel-2.2.3-11.sl5.4")) flag++;
    if (rpm_check(release:"SL5", reference:"httpd-manual-2.2.3-11.sl5.4")) flag++;
    if (rpm_check(release:"SL5", reference:"mod_ssl-2.2.3-11.sl5.4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-323.NASL
    description: Multiple vulnerabilities have been found and corrected in apache : Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (concerns 2008.1 only). mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request (CVE-2009-1191). Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0. The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195). The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests (CVE-2009-1890). Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects (CVE-2009-1891). The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command (CVE-2009-3094). The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes (CVE-2009-3095). Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation (CVE-2009-3555). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a solution to these vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 43042
    published: 2009-12-08
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/43042
    title: Mandriva Linux Security Advisory : apache (MDVSA-2009:323)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:323. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43042);
      script_version("1.27");
      script_cvs_date("Date: 2019/10/16 10:34:21");
    
      script_cve_id("CVE-2008-1678", "CVE-2008-2939", "CVE-2009-1191", "CVE-2009-1195", "CVE-2009-1890", "CVE-2009-1891", "CVE-2009-3094", "CVE-2009-3095", "CVE-2009-3555");
      script_bugtraq_id(30560, 31692, 34663, 35115, 35565, 35623, 36254, 36260, 36935);
      script_xref(name:"MDVSA", value:"2009:323");
    
      script_name(english:"Mandriva Linux Security Advisory : apache (MDVSA-2009:323)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in apache :
    
    Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c
    in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to
    cause a denial of service (memory consumption) via multiple calls, as
    demonstrated by initial SSL client handshakes to the Apache HTTP
    Server mod_ssl that specify a compression algorithm (CVE-2008-1678).
    Note that this security issue does not really apply as zlib
    compression is not enabled in the openssl build provided by Mandriva,
    but apache is patched to address this issue anyway (conserns 2008.1
    only).
    
    mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server
    2.2.11 allows remote attackers to obtain sensitive response data,
    intended for a client that sent an earlier POST request with no
    request body, via an HTTP request (CVE-2009-1191).
    
    Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
    mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
    in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
    allows remote attackers to inject arbitrary web script or HTML via
    wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
    security issue was initially addressed with MDVSA-2008:195 but the
    patch fixing the issue was added but not applied in 2009.0.
    
    The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not
    properly handle Options=IncludesNOEXEC in the AllowOverride directive,
    which allows local users to gain privileges by configuring (1) Options
    Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
    .htaccess file, and then inserting an exec element in a .shtml file
    (CVE-2009-1195).
    
    The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
    module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
    configured, does not properly handle an amount of streamed data that
    exceeds the Content-Length value, which allows remote attackers to
    cause a denial of service (CPU consumption) via crafted requests
    (CVE-2009-1890).
    
    Fix a potential Denial-of-Service attack against mod_deflate or other
    modules, by forcing the server to consume CPU time in compressing a
    large file after a client disconnects (CVE-2009-1891).
    
    The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
    mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
    allows remote FTP servers to cause a denial of service (NULL pointer
    dereference and child process crash) via a malformed reply to an EPSV
    command (CVE-2009-3094).
    
    The mod_proxy_ftp module in the Apache HTTP Server allows remote
    attackers to bypass intended access restrictions and send arbitrary
    commands to an FTP server via vectors related to the embedding of
    these commands in the Authorization HTTP header, as demonstrated by a
    certain module in VulnDisco Pack Professional 8.11. NOTE: as of
    20090903, this disclosure has no actionable information. However,
    because the VulnDisco Pack author is a reliable researcher, the issue
    is being assigned a CVE identifier for tracking purposes
    (CVE-2009-3095).
    
    Apache is affected by SSL injection or man-in-the-middle attacks due
    to a design flaw in the SSL and/or TLS protocols. A short term
    solution was released Sat Nov 07 2009 by the ASF team to mitigate
    these problems. Apache will now reject in-session renegotiation
    (CVE-2009-3555).
    
    Packages for 2008.0 are provided for Corporate Desktop 2008.0
    customers
    
    This update provides a solution to these vulnerabilities."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(16, 20, 79, 119, 189, 264, 310, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-htcacheclean");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_authn_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_dbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_disk_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_file_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_mem_cache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_proxy_ajp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mod_userdir");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-event");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-itk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-mpm-worker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apache-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"apache-base-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-devel-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-htcacheclean-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_authn_dbd-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_cache-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_dav-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_dbd-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_deflate-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_disk_cache-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_file_cache-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_ldap-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_mem_cache-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_proxy-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_proxy_ajp-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_ssl-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mod_userdir-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-modules-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-event-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-itk-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-prefork-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-mpm-worker-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"apache-source-2.2.6-8.3mdv2008.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2008-0967.NASL
    description: From Red Hat Security Advisory 2008:0967 : Updated httpd packages that resolve several security issues and fix a bug are now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939) In addition, these updated packages fix a bug found in the handling of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67760
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67760
    title: Oracle Linux 3 / 4 / 5 : httpd (ELSA-2008-0967)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2008:0967 and 
    # Oracle Linux Security Advisory ELSA-2008-0967 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67760);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:07");
    
      script_cve_id("CVE-2008-2364", "CVE-2008-2939");
      script_bugtraq_id(29653, 30560);
      script_xref(name:"RHSA", value:"2008:0967");
    
      script_name(english:"Oracle Linux 3 / 4 / 5 : httpd (ELSA-2008-0967)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2008:0967 :
    
    Updated httpd packages that resolve several security issues and fix a
    bug are now available for Red Hat Enterprise Linux 3, 4 and 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Apache HTTP Server is a popular Web server.
    
    A flaw was found in the mod_proxy Apache module. An attacker in
    control of a Web server to which requests were being proxied could
    have caused a limited denial of service due to CPU consumption and
    stack exhaustion. (CVE-2008-2364)
    
    A flaw was found in the mod_proxy_ftp Apache module. If Apache was
    configured to support FTP-over-HTTP proxying, a remote attacker could
    have performed a cross-site scripting attack. (CVE-2008-2939)
    
    In addition, these updated packages fix a bug found in the handling of
    the 'ProxyRemoteMatch' directive in the Red Hat Enterprise Linux 4
    httpd packages. This bug is not present in the Red Hat Enterprise
    Linux 3 or Red Hat Enterprise Linux 5 packages.
    
    Users of httpd should upgrade to these updated packages, which contain
    backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000795.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000796.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000797.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected httpd packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(79, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-suexec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4 / 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"httpd-2.0.46-71.ent.0.1")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"httpd-2.0.46-71.ent.0.1")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"httpd-devel-2.0.46-71.ent.0.1")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"httpd-devel-2.0.46-71.ent.0.1")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"mod_ssl-2.0.46-71.ent.0.1")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"mod_ssl-2.0.46-71.ent.0.1")) flag++;
    
    if (rpm_check(release:"EL4", reference:"httpd-2.0.52-41.ent.2.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"httpd-devel-2.0.52-41.ent.2.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"httpd-manual-2.0.52-41.ent.2.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"httpd-suexec-2.0.52-41.ent.2.0.1")) flag++;
    if (rpm_check(release:"EL4", reference:"mod_ssl-2.0.52-41.ent.2.0.1")) flag++;
    
    if (rpm_check(release:"EL5", reference:"httpd-2.2.3-11.0.1.el5_2.4")) flag++;
    if (rpm_check(release:"EL5", reference:"httpd-devel-2.2.3-11.0.1.el5_2.4")) flag++;
    if (rpm_check(release:"EL5", reference:"httpd-manual-2.2.3-11.0.1.el5_2.4")) flag++;
    if (rpm_check(release:"EL5", reference:"mod_ssl-2.2.3-11.0.1.el5_2.4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl");
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_5_7.NASL
    description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products: Apache, ATS, BIND, CFNetwork, CoreGraphics, Cscope, CUPS, Disk Images, enscript, Flash Player plug-in, Help Viewer, iChat, International Components for Unicode, IPSec, Kerberos, Kernel, Launch Services, libxml, Net-SNMP, Network Time, Networking, OpenSSL, PHP, QuickDraw Manager, ruby, Safari, Spotlight, system_cmds, telnet, Terminal, WebKit, X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38744
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38744
    title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(38744);
      script_version("1.32");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2004-1184", "CVE-2004-1185", "CVE-2004-1186", "CVE-2008-0456", "CVE-2008-1382",
                    "CVE-2008-1517", "CVE-2008-2371", "CVE-2008-2383", "CVE-2008-2665", "CVE-2008-2666",
                    "CVE-2008-2829", "CVE-2008-2939", "CVE-2008-3443", "CVE-2008-3529", "CVE-2008-3530",
                    "CVE-2008-3651", "CVE-2008-3652", "CVE-2008-3655", "CVE-2008-3656", "CVE-2008-3657",
                    "CVE-2008-3658", "CVE-2008-3659", "CVE-2008-3660", "CVE-2008-3790", "CVE-2008-3863",
                    "CVE-2008-4309", "CVE-2008-5077", "CVE-2008-5557", "CVE-2009-0010", "CVE-2009-0021",
                    "CVE-2009-0025", "CVE-2009-0040", "CVE-2009-0114", "CVE-2009-0144", "CVE-2009-0145",
                    "CVE-2009-0146", "CVE-2009-0147", "CVE-2009-0148", "CVE-2009-0149", "CVE-2009-0150",
                    "CVE-2009-0152", "CVE-2009-0153", "CVE-2009-0154", "CVE-2009-0155", "CVE-2009-0156",
                    "CVE-2009-0157", "CVE-2009-0158", "CVE-2009-0159", "CVE-2009-0160", "CVE-2009-0161",
                    "CVE-2009-0162", "CVE-2009-0164", "CVE-2009-0165", "CVE-2009-0519", "CVE-2009-0520",
                    "CVE-2009-0844", "CVE-2009-0845", "CVE-2009-0846", "CVE-2009-0847", "CVE-2009-0942",
                    "CVE-2009-0943", "CVE-2009-0944", "CVE-2009-0945", "CVE-2009-0946", "CVE-2009-1717");
      script_bugtraq_id(27409, 29796, 30087, 30649, 30657, 31612, 32948, 33769, 33890, 34257, 34408,
                        34409, 34481, 34550, 34568, 34665, 34805, 34924, 34932, 34937, 34938, 34939,
                        34941, 34942, 34947, 34948, 34950, 34951, 34952, 34958, 34959, 34962, 34965,
                        34972, 34973, 34974, 35182);
    
      script_name(english:"Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities");
      script_summary(english:"Check the version of Mac OS X");
    
      script_set_attribute( attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."  );
      script_set_attribute( attribute:"description",  value:
    "The remote host is running a version of Mac OS X 10.5.x that is prior
    to 10.5.7. 
    
    Mac OS X 10.5.7 contains security fixes for the following products :
    
      - Apache
      - ATS
      - BIND
      - CFNetwork
      - CoreGraphics
      - Cscope
      - CUPS
      - Disk Images
      - enscript
      - Flash Player plug-in
      - Help Viewer
      - iChat
      - International Components for Unicode
      - IPSec
      - Kerberos
      - Kernel
      - Launch Services
      - libxml
      - Net-SNMP
      - Network Time
      - Networking
      - OpenSSL
      - PHP
      - QuickDraw Manager
      - ruby
      - Safari
      - Spotlight
      - system_cmds
      - telnet
      - Terminal
      - WebKit
      - X11"  );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3549"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/May/msg00002.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade to Mac OS X 10.5.7 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(16, 20, 22, 79, 94, 119, 189, 200, 264, 287, 399);
      script_set_attribute(attribute:"plugin_publication_date", value: "2009/05/13");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/01/21");
      script_set_attribute(attribute:"patch_publication_date", value: "2009/05/12");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
     
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
     
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
     exit(0);
    }
    
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) os = get_kb_item("Host/OS");
    if (!os) exit(0);
    
    if (ereg(pattern:"Mac OS X 10\.5\.[0-6]([^0-9]|$)", string:os)) 
      security_hole(0);
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2008-0967.NASL
    description: Updated httpd packages that resolve several security issues and fix a bug are now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939) In addition, these updated packages fix a bug found in the handling of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34751
    published: 2008-11-12
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/34751
    title: RHEL 3 / 4 / 5 : httpd (RHSA-2008:0967)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0967. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34751);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:13");
    
      script_cve_id("CVE-2008-2364", "CVE-2008-2939");
      script_bugtraq_id(29653, 30560);
      script_xref(name:"RHSA", value:"2008:0967");
    
      script_name(english:"RHEL 3 / 4 / 5 : httpd (RHSA-2008:0967)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated httpd packages that resolve several security issues and fix a
    bug are now available for Red Hat Enterprise Linux 3, 4 and 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Apache HTTP Server is a popular Web server.
    
    A flaw was found in the mod_proxy Apache module. An attacker in
    control of a Web server to which requests were being proxied could
    have caused a limited denial of service due to CPU consumption and
    stack exhaustion. (CVE-2008-2364)
    
    A flaw was found in the mod_proxy_ftp Apache module. If Apache was
    configured to support FTP-over-HTTP proxying, a remote attacker could
    have performed a cross-site scripting attack. (CVE-2008-2939)
    
    In addition, these updated packages fix a bug found in the handling of
    the 'ProxyRemoteMatch' directive in the Red Hat Enterprise Linux 4
    httpd packages. This bug is not present in the Red Hat Enterprise
    Linux 3 or Red Hat Enterprise Linux 5 packages.
    
    Users of httpd should upgrade to these updated packages, which contain
    backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-2364"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-2939"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2008:0967"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(79, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd-suexec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x / 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2008:0967";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"httpd-2.0.46-71.ent")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"httpd-devel-2.0.46-71.ent")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"mod_ssl-2.0.46-71.ent")) flag++;
    
    
      if (rpm_check(release:"RHEL4", reference:"httpd-2.0.52-41.ent.2")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"httpd-devel-2.0.52-41.ent.2")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"httpd-manual-2.0.52-41.ent.2")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"httpd-suexec-2.0.52-41.ent.2")) flag++;
    
      if (rpm_check(release:"RHEL4", reference:"mod_ssl-2.0.52-41.ent.2")) flag++;
    
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"httpd-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"httpd-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"httpd-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", reference:"httpd-devel-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"httpd-manual-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"httpd-manual-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"httpd-manual-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"mod_ssl-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"mod_ssl-2.2.3-11.el5_2.4")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"mod_ssl-2.2.3-11.el5_2.4")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_APACHE2-080925.NASL
    description: Missing sanity checks of FTP URLs allowed cross site scripting (XSS) attacks via the mod_proxy_ftp module (CVE-2008-2939). Missing precautions allowed cross site request forgery (CSRF) via the mod_proxy_balancer interface (CVE-2007-6420). A memory leak in the ssl module could crash apache (CVE-2008-1678)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39910
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39910
    title: openSUSE Security Update : apache2 (apache2-222)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update apache2-222.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39910);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      script_cve_id("CVE-2007-6420", "CVE-2008-1678", "CVE-2008-2939");
    
      script_name(english:"openSUSE Security Update : apache2 (apache2-222)");
      script_summary(english:"Check for the apache2-222 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Missing sanity checks of FTP URLs allowed cross site scripting (XSS)
    attacks via the mod_proxy_ftp module (CVE-2008-2939).
    
    Missing precautions allowed cross site request forgery (CSRF) via the
    mod_proxy_balancer interface (CVE-2007-6420).
    
    A memory leak in the ssl module could crash apache (CVE-2008-1678)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=210904"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=373903"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=392096"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=415061"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(79, 352, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-example-pages");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-worker");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-2.2.8-28.2") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-devel-2.2.8-28.2") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-example-pages-2.2.8-28.2") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-prefork-2.2.8-28.2") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-utils-2.2.8-28.2") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"apache2-worker-2.2.8-28.2") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2 / apache2-devel / apache2-example-pages / apache2-prefork / etc");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2008-0967.NASL
    description: Updated httpd packages that resolve several security issues and fix a bug are now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Apache HTTP Server is a popular Web server. A flaw was found in the mod_proxy Apache module. An attacker in control of a Web server to which requests were being proxied could have caused a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp Apache module. If Apache was configured to support FTP-over-HTTP proxying, a remote attacker could have performed a cross-site scripting attack. (CVE-2008-2939) In addition, these updated packages fix a bug found in the handling of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37062
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37062
    title: CentOS 3 / 4 / 5 : httpd (CESA-2008:0967)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2008:0967 and 
    # CentOS Errata and Security Advisory 2008:0967 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(37062);
      script_version("1.17");
      script_cvs_date("Date: 2019/10/25 13:36:04");
    
      script_cve_id("CVE-2008-2364", "CVE-2008-2939");
      script_bugtraq_id(29653, 30560);
      script_xref(name:"RHSA", value:"2008:0967");
    
      script_name(english:"CentOS 3 / 4 / 5 : httpd (CESA-2008:0967)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated httpd packages that resolve several security issues and fix a
    bug are now available for Red Hat Enterprise Linux 3, 4 and 5.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The Apache HTTP Server is a popular Web server.
    
    A flaw was found in the mod_proxy Apache module. An attacker in
    control of a Web server to which requests were being proxied could
    have caused a limited denial of service due to CPU consumption and
    stack exhaustion. (CVE-2008-2364)
    
    A flaw was found in the mod_proxy_ftp Apache module. If Apache was
    configured to support FTP-over-HTTP proxying, a remote attacker could
    have performed a cross-site scripting attack. (CVE-2008-2939)
    
    In addition, these updated packages fix a bug found in the handling of
    the 'ProxyRemoteMatch' directive in the Red Hat Enterprise Linux 4
    httpd packages. This bug is not present in the Red Hat Enterprise
    Linux 3 or Red Hat Enterprise Linux 5 packages.
    
    Users of httpd should upgrade to these updated packages, which contain
    backported patches to correct these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015395.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cf4faef4"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015396.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c5584c31"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015399.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c5c64772"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015400.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?300b95f6"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015404.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1b4b12b1"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015410.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ac57a22a"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015411.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?01627d34"
      );
      # https://lists.centos.org/pipermail/centos-announce/2008-November/015418.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dcfed5a6"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected httpd packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(79, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:httpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:httpd-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:httpd-manual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:httpd-suexec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x / 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"httpd-2.0.46-71.ent.centos")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"httpd-devel-2.0.46-71.ent.centos")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"mod_ssl-2.0.46-71.ent.centos")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"httpd-2.0.52-41.ent.2.centos4")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"httpd-devel-2.0.52-41.ent.2.centos4")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"httpd-manual-2.0.52-41.ent.2.centos4")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"httpd-suexec-2.0.52-41.ent.2.centos4")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"mod_ssl-2.0.52-41.ent.2.centos4")) flag++;
    
    if (rpm_check(release:"CentOS-5", reference:"httpd-2.2.3-11.el5_2.centos.4")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"httpd-devel-2.2.3-11.el5_2.centos.4")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"httpd-manual-2.2.3-11.el5_2.centos.4")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"mod_ssl-2.2.3-11.el5_2.centos.4")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / httpd-suexec / mod_ssl");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_12258.NASL
    description: Missing sanity checks of FTP URLs allowed cross-site scripting (XSS) attacks via the mod_proxy_ftp module. (CVE-2008-2939)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41245
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41245
    title: SuSE9 Security Update : Apache 2 (YOU Patch Number 12258)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41245);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      script_cve_id("CVE-2008-2939");
    
      script_name(english:"SuSE9 Security Update : Apache 2 (YOU Patch Number 12258)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Missing sanity checks of FTP URLs allowed cross-site scripting (XSS)
    attacks via the mod_proxy_ftp module. (CVE-2008-2939)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-2939.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12258.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_cwe_id(79);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"apache2-2.0.59-1.10")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-devel-2.0.59-1.10")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-doc-2.0.59-1.10")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-example-pages-2.0.59-1.10")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-prefork-2.0.59-1.10")) flag++;
    if (rpm_check(release:"SUSE9", reference:"apache2-worker-2.0.59-1.10")) flag++;
    if (rpm_check(release:"SUSE9", reference:"libapr0-2.0.59-1.10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_APACHE2-5648.NASL
    description: Missing sanity checks of FTP URLs allowed cross site scripting (XSS) attacks via the mod_proxy_ftp module (CVE-2008-2939). Missing precautions allowed cross site request forgery (CSRF) via the mod_proxy_balancer interface (CVE-2007-6420). A memory leak in the ssl module could crash apache (CVE-2008-1678)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34699
    published: 2008-11-05
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34699
    title: openSUSE 10 Security Update : apache2 (apache2-5648)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update apache2-5648.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34699);
      script_version ("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:32");
    
      script_cve_id("CVE-2007-6420", "CVE-2008-1678", "CVE-2008-2939");
    
      script_name(english:"openSUSE 10 Security Update : apache2 (apache2-5648)");
      script_summary(english:"Check for the apache2-5648 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Missing sanity checks of FTP URLs allowed cross site scripting (XSS)
    attacks via the mod_proxy_ftp module (CVE-2008-2939).
    
    Missing precautions allowed cross site request forgery (CSRF) via the
    mod_proxy_balancer interface (CVE-2007-6420).
    
    A memory leak in the ssl module could crash apache (CVE-2008-1678)"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_cwe_id(79, 352, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-example-pages");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-prefork");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-worker");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.3", reference:"apache2-2.2.4-70.6") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"apache2-devel-2.2.4-70.6") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"apache2-example-pages-2.2.4-70.6") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"apache2-prefork-2.2.4-70.6") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"apache2-utils-2.2.4-70.6") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"apache2-worker-2.2.4-70.6") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2 / apache2-devel / apache2-example-pages / apache2-prefork / etc");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_F18920660E7411DE92DE000BCDC1757A.NASL
    description: CVE Mitre reports : Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35911
    published: 2009-03-12
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35911
    title: FreeBSD : apache -- XSS vulnerability (f1892066-0e74-11de-92de-000bcdc1757a)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35911);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:40");
    
      script_cve_id("CVE-2008-2939");
    
      script_name(english:"FreeBSD : apache -- XSS vulnerability (f1892066-0e74-11de-92de-000bcdc1757a)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE Mitre reports :
    
    Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
    mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
    in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
    allows remote attackers to inject arbitrary web script or HTML via a
    wildcard in the last directory component in the pathname in an FTP
    URI."
      );
      # http://www.rapid7.com/advisories/R7-0033.jsp
      script_set_attribute(
        attribute:"see_also",
        value:"https://help.rapid7.com/?community#/?tags=disclosure"
      );
      # https://vuxml.freebsd.org/freebsd/f1892066-0e74-11de-92de-000bcdc1757a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?42a041e3"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_cwe_id(79);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"apache>2.2.0<2.2.9_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache>2.0.0<2.0.63_2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Web Servers
    NASL id: APACHE_2_0_64.NASL
    description: According to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities : - An unspecified error exists in the handling of requests without a path segment. (CVE-2010-1452) - Several modules, including
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50069
    published: 2010-10-20
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/50069
    title: Apache 2.0.x < 2.0.64 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50069);
      script_cvs_date("Date: 2018/06/29 12:01:03");
      script_version("1.33");
    
      script_cve_id(
        "CVE-2008-2364",
        "CVE-2008-2939",
        "CVE-2009-1891",
        "CVE-2009-2412",
        "CVE-2009-3094",
        "CVE-2009-3095",
        "CVE-2009-3555",
        "CVE-2009-3560",
        "CVE-2009-3720",
        "CVE-2010-0425",
        "CVE-2010-0434",
        "CVE-2010-1452",
        "CVE-2010-1623"
      );
      script_bugtraq_id(29653, 30560, 35949, 38494);
      script_xref(name:"Secunia", value:"30261");
      script_xref(name:"Secunia", value:"31384");
      script_xref(name:"Secunia", value:"35781");
      script_xref(name:"Secunia", value:"36549");
      script_xref(name:"Secunia", value:"36675");
      script_xref(name:"Secunia", value:"38776");
    
      script_name(english:"Apache 2.0.x < 2.0.64 Multiple Vulnerabilities");
      script_summary(english:"Checks version in Server response header");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Apache 2.0.x running on the
    remote host is prior to 2.0.64. It is, therefore, affected by the
    following vulnerabilities :
    
      - An unspecified error exists in the handling of requests
        without a path segment. (CVE-2010-1452)
    
      - Several modules, including 'mod_deflate', are 
        vulnerable to a denial of service attack as the
        server can be forced to utilize CPU time compressing
        a large file after client disconnect. (CVE-2009-1891)
    
      - An unspecified error exists in 'mod_proxy' related to 
        filtration of authentication credentials. 
        (CVE-2009-3095)
     
      - A NULL pointer dereference issue exists in 
        'mod_proxy_ftp' in some error handling paths.
        (CVE-2009-3094)
    
      - An error exists in 'mod_ssl' making the server
        vulnerable to the TLS renegotiation prefix injection
        attack. (CVE-2009-3555)
    
      - An error exists in the handling of subrequests such
        that the parent request headers may be corrupted.
        (CVE-2010-0434)
    
      - An error exists in 'mod_proxy_http' when handling excessive
        interim responses making it vulnerable to a denial of
        service attack. (CVE-2008-2364)
    
      - An error exists in 'mod_isapi' that allows the module
        to be unloaded too early, which leaves orphaned callback
        pointers. (CVE-2010-0425)
    
      - An error exists in 'mod_proxy_ftp' when wildcards are
        in an FTP URL, which allows for cross-site scripting
        attacks. (CVE-2008-2939)
    
    Note that the remote web server may not actually be affected by these
    vulnerabilities.  Nessus did not try to determine whether the affected
    modules are in use or to check for the issues themselves."
      );
      script_set_attribute(attribute:"see_also", value:"https://archive.apache.org/dist/httpd/CHANGES_2.0.64");
      # https://web.archive.org/web/20101028103804/http://httpd.apache.org/security/vulnerabilities_20.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6dea6c32");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache version 2.0.64 or later. Alternatively, ensure that
    the affected modules are not in use.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(79, 119, 189, 200, 264, 310, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20");
    
      script_set_attribute(attribute:"plugin_type", value: "remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("apache_http_version.nasl");
      script_require_keys("installed_sw/Apache");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("install_func.inc");
    
    get_install_count(app_name:"Apache", exit_if_zero:TRUE);
    port = get_http_port(default:80);
    install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);
    
    # Check if we could get a version first, then check if it was
    # backported
    version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
    backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
    source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);
    
    # Check if the version looks like either ServerTokens Major/Minor
    # was used
    if (version =~ '^2(\\.0)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination.");
    if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination.");
    if (version =~ '^2\\.0' && ver_compare(ver:version, fix:'2.0.64') == -1)
    {
      set_kb_item(name:"www/"+port+"/XSS", value:TRUE);
      if (report_verbosity > 0)
      {
        report = 
          '\n  Version source    : ' + source +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 2.0.64\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2009-002.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied. This security update contains fixes for the following products : - Apache - ATS - BIND - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - IPSec - Kerberos - Launch Services - libxml - Net-SNMP - Network Time - OpenSSL - QuickDraw Manager - Spotlight - system_cmds - telnet - Terminal - X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38743
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38743
    title: Mac OS X Multiple Vulnerabilities (Security Update 2009-002)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(38743);
      script_version("1.24");
    
      script_cve_id("CVE-2004-1184", "CVE-2004-1185", "CVE-2004-1186", "CVE-2006-0747", "CVE-2007-2754",
                    "CVE-2008-2939", "CVE-2008-3529", "CVE-2008-3651", "CVE-2008-3652", "CVE-2008-3790",
                    "CVE-2008-3863", "CVE-2008-4309", "CVE-2008-5077", "CVE-2009-0010", "CVE-2009-0021",
                    "CVE-2009-0025", "CVE-2009-0114", "CVE-2009-0145", "CVE-2009-0146", "CVE-2009-0147",
                    "CVE-2009-0148", "CVE-2009-0149", "CVE-2009-0154", "CVE-2009-0156", "CVE-2009-0158",
                    "CVE-2009-0159", "CVE-2009-0160", "CVE-2009-0164", "CVE-2009-0165", "CVE-2009-0519",
                    "CVE-2009-0520", "CVE-2009-0846", "CVE-2009-0847", "CVE-2009-0942", "CVE-2009-0943",
                    "CVE-2009-0944", "CVE-2009-0946");
      script_bugtraq_id(30087, 30657, 33890, 34408, 34409, 34481, 34550, 34568, 34665, 34805,
                        34932, 34937, 34938, 34939, 34941, 34942, 34947, 34948, 34950, 34952, 34962);
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-002)");
      script_summary(english:"Check for the presence of Security Update 2009-002");
    
      script_set_attribute(  attribute:"synopsis",  value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."  );
      script_set_attribute(  attribute:"description",   value:
    "The remote host is running a version of Mac OS X 10.4 that does not
    have Security Update 2009-002 applied.
    
    This security update contains fixes for the following products :
    
      - Apache
      - ATS
      - BIND
      - CoreGraphics
      - Cscope
      - CUPS
      - Disk Images
      - enscript
      - Flash Player plug-in
      - Help Viewer
      - IPSec
      - Kerberos
      - Launch Services
      - libxml
      - Net-SNMP
      - Network Time
      - OpenSSL
      - QuickDraw Manager
      - Spotlight
      - system_cmds
      - telnet
      - Terminal
      - X11"  );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3549"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/May/msg00002.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install Security Update 2009-002 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 79, 94, 119, 189, 200, 287, 399);
      script_set_attribute(attribute:"plugin_publication_date", value: "2009/05/13");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/01/21");
      script_set_attribute(attribute:"patch_publication_date", value: "2009/05/12");
      script_cvs_date("Date: 2018/07/14  1:59:35");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    #
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(0);
    
    if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if (!packages) exit(0);
    
      if (!egrep(pattern:"^SecUpd(Srvr)?(2009-00[2-5]|20[1-9][0-9]-)", string:packages))
        security_hole(0);
    }
    

Oval

  • accepted: 2013-04-29T04:13:10.856-04:00
    class: vulnerability
    contributors
    • name: Aharon Chernin
      organization: SCAP.com, LLC
    • name: Dragos Prisaca
      organization: G2, Inc.
    definition_extensions
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
      oval: oval:org.mitre.oval:def:11782
    • comment: CentOS Linux 3.x
      oval: oval:org.mitre.oval:def:16651
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
      oval: oval:org.mitre.oval:def:11831
    • comment: CentOS Linux 4.x
      oval: oval:org.mitre.oval:def:16636
    • comment: Oracle Linux 4.x
      oval: oval:org.mitre.oval:def:15990
    • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
      oval: oval:org.mitre.oval:def:11414
    • comment: The operating system installed on the system is CentOS Linux 5.x
      oval: oval:org.mitre.oval:def:15802
    • comment: Oracle Linux 5.x
      oval: oval:org.mitre.oval:def:15459
    description: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
    family: unix
    id: oval:org.mitre.oval:def:11316
    status: accepted
    submitted: 2010-07-09T03:56:16-04:00
    title: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
    version: 27
  • accepted: 2014-07-14T04:01:28.254-04:00
    class: vulnerability
    contributors
    • name: J. Daniel Brown
      organization: DTCC
    • name: Mike Lah
      organization: The MITRE Corporation
    • name: Mike Lah
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions
    • comment: Apache HTTP Server 2.0.x is installed on the system
      oval: oval:org.mitre.oval:def:8605
    • comment: Apache HTTP Server 2.2.x is installed on the system
      oval: oval:org.mitre.oval:def:8550
    description: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
    family: windows
    id: oval:org.mitre.oval:def:7716
    status: accepted
    submitted: 2010-03-08T17:30:00.000-05:00
    title: Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
    version: 12

Packetstorm

data source: https://packetstormsecurity.com/files/download/126851/protonmail-csrfheader.txt
id: PACKETSTORM:126851
last seen: 2016-12-05
published: 2014-05-30
reporter: Juan Carlos Garcia
source: https://packetstormsecurity.com/files/126851/ProtonMail.ch-Header-Injection-CSRF.html
title: ProtonMail.ch Header Injection / CSRF

Redhat

advisories
  • bugzilla
    id: 464492
    title: mod_proxy: ProxyRemoteMatch uses remote proxy if regex does *not* match
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 4 is installed
        oval: oval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • comment: mod_ssl is earlier than 1:2.0.52-41.ent.2
            oval: oval:com.redhat.rhsa:tst:20080967001
          • comment: mod_ssl is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20060159010
        • AND
          • comment: httpd is earlier than 0:2.0.52-41.ent.2
            oval: oval:com.redhat.rhsa:tst:20080967003
          • comment: httpd is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20060159006
        • AND
          • comment: httpd-manual is earlier than 0:2.0.52-41.ent.2
            oval: oval:com.redhat.rhsa:tst:20080967005
          • comment: httpd-manual is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20060159004
        • AND
          • comment: httpd-devel is earlier than 0:2.0.52-41.ent.2
            oval: oval:com.redhat.rhsa:tst:20080967007
          • comment: httpd-devel is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20060159008
        • AND
          • comment: httpd-suexec is earlier than 0:2.0.52-41.ent.2
            oval: oval:com.redhat.rhsa:tst:20080967009
          • comment: httpd-suexec is signed with Red Hat master key
            oval: oval:com.redhat.rhsa:tst:20060159002
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment: httpd is earlier than 0:2.2.3-11.el5_2.4
            oval: oval:com.redhat.rhsa:tst:20080967012
          • comment: httpd is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070556002
        • AND
          • comment: mod_ssl is earlier than 1:2.2.3-11.el5_2.4
            oval: oval:com.redhat.rhsa:tst:20080967014
          • comment: mod_ssl is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070556008
        • AND
          • comment: httpd-devel is earlier than 0:2.2.3-11.el5_2.4
            oval: oval:com.redhat.rhsa:tst:20080967016
          • comment: httpd-devel is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070556006
        • AND
          • comment: httpd-manual is earlier than 0:2.2.3-11.el5_2.4
            oval: oval:com.redhat.rhsa:tst:20080967018
          • comment: httpd-manual is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070556004
    rhsa
    id: RHSA-2008:0967
    released: 2008-11-11
    severity: Moderate
    title: RHSA-2008:0967: httpd security and bug fix update (Moderate)
  • rhsa
    id: RHSA-2008:0966
rpms
  • httpd-0:2.2.10-1.el5s2
  • httpd-debuginfo-0:2.2.10-1.el5s2
  • httpd-devel-0:2.2.10-1.el5s2
  • httpd-manual-0:2.2.10-1.el5s2
  • mod_ssl-1:2.2.10-1.el5s2
  • mysql-0:5.0.60sp1-1.el5s2
  • mysql-bench-0:5.0.60sp1-1.el5s2
  • mysql-cluster-0:5.0.60sp1-1.el5s2
  • mysql-connector-odbc-0:3.51.26r1127-1.el5s2
  • mysql-connector-odbc-debuginfo-0:3.51.26r1127-1.el5s2
  • mysql-debuginfo-0:5.0.60sp1-1.el5s2
  • mysql-devel-0:5.0.60sp1-1.el5s2
  • mysql-libs-0:5.0.60sp1-1.el5s2
  • mysql-server-0:5.0.60sp1-1.el5s2
  • mysql-test-0:5.0.60sp1-1.el5s2
  • perl-DBD-MySQL-0:4.008-2.el5s2
  • perl-DBD-MySQL-debuginfo-0:4.008-2.el5s2
  • perl-DBD-Pg-0:1.49-4.el5s2
  • perl-DBD-Pg-debuginfo-0:1.49-4.el5s2
  • perl-DBI-0:1.607-3.el5s2
  • perl-DBI-debuginfo-0:1.607-3.el5s2
  • php-pear-1:1.7.2-2.el5s2
  • postgresql-0:8.2.11-1.el5s2
  • postgresql-contrib-0:8.2.11-1.el5s2
  • postgresql-debuginfo-0:8.2.11-1.el5s2
  • postgresql-devel-0:8.2.11-1.el5s2
  • postgresql-docs-0:8.2.11-1.el5s2
  • postgresql-libs-0:8.2.11-1.el5s2
  • postgresql-plperl-0:8.2.11-1.el5s2
  • postgresql-plpython-0:8.2.11-1.el5s2
  • postgresql-pltcl-0:8.2.11-1.el5s2
  • postgresql-python-0:8.2.11-1.el5s2
  • postgresql-server-0:8.2.11-1.el5s2
  • postgresql-tcl-0:8.2.11-1.el5s2
  • postgresql-test-0:8.2.11-1.el5s2
  • postgresqlclient81-0:8.1.14-1.el5s2
  • postgresqlclient81-debuginfo-0:8.1.14-1.el5s2
  • httpd-0:2.0.46-71.ent
  • httpd-0:2.0.52-41.ent.2
  • httpd-0:2.2.3-11.el5_2.4
  • httpd-debuginfo-0:2.0.46-71.ent
  • httpd-debuginfo-0:2.0.52-41.ent.2
  • httpd-debuginfo-0:2.2.3-11.el5_2.4
  • httpd-devel-0:2.0.46-71.ent
  • httpd-devel-0:2.0.52-41.ent.2
  • httpd-devel-0:2.2.3-11.el5_2.4
  • httpd-manual-0:2.0.52-41.ent.2
  • httpd-manual-0:2.2.3-11.el5_2.4
  • httpd-suexec-0:2.0.52-41.ent.2
  • mod_ssl-1:2.0.46-71.ent
  • mod_ssl-1:2.0.52-41.ent.2
  • mod_ssl-1:2.2.3-11.el5_2.4
  • ant-0:1.6.5-1jpp_1rh
  • avalon-logkit-0:1.2-2jpp_4rh
  • axis-0:1.2.1-1jpp_3rh
  • classpathx-jaf-0:1.0-2jpp_6rh
  • classpathx-mail-0:1.1.1-2jpp_8rh
  • geronimo-ejb-2.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-1.4-apis-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-connector-1.5-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-deployment-1.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-management-1.0-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jms-1.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jsp-2.0-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jta-1.0.1B-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-specs-0:1.0-0.M4.1jpp_10rh
  • geronimo-specs-javadoc-0:1.0-0.M4.1jpp_10rh
  • jakarta-commons-modeler-0:2.0-3jpp_2rh
  • log4j-0:1.2.12-1jpp_1rh
  • mx4j-1:3.0.1-1jpp_4rh
  • pcsc-lite-0:1.3.3-3.el4
  • pcsc-lite-debuginfo-0:1.3.3-3.el4
  • pcsc-lite-doc-0:1.3.3-3.el4
  • pcsc-lite-libs-0:1.3.3-3.el4
  • rhpki-ca-0:7.3.0-20.el4
  • rhpki-java-tools-0:7.3.0-10.el4
  • rhpki-kra-0:7.3.0-14.el4
  • rhpki-manage-0:7.3.0-19.el4
  • rhpki-native-tools-0:7.3.0-6.el4
  • rhpki-ocsp-0:7.3.0-13.el4
  • rhpki-tks-0:7.3.0-13.el4
  • tomcat5-0:5.5.23-0jpp_4rh.16
  • tomcat5-common-lib-0:5.5.23-0jpp_4rh.16
  • tomcat5-jasper-0:5.5.23-0jpp_4rh.16
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp_4rh.16
  • tomcat5-server-lib-0:5.5.23-0jpp_4rh.16
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp_4rh.16
  • xerces-j2-0:2.7.1-1jpp_1rh
  • xml-commons-0:1.3.02-2jpp_1rh
  • xml-commons-apis-0:1.3.02-2jpp_1rh

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 30560 CVE(CAN) ID: CVE-2008-2939 Apache HTTP Server is a popular web server. If Apache HTTP Server is configured with proxy support (ProxyRequests On in the configuration file) and the mod_proxy_ftp module is enabled to provide FTP-over-HTTP support, a request containing wildcard characters ("*", "'", "[", etc.) such as the following: GET ftp://host/*<foo> HTTP/1.0 results in cross-site scripting in the response returned by mod_proxy_ftp: [...] <h2>Directory of <a href="/">ftp://host</a>/*<foo></h2> [...] To exploit this vulnerability, host must be running an FTP server, and the last directory component of the path (the XSS payload) must contain at least one wildcard character and must not contain a slash. Apache Group Apache 2.2.9 Apache Group Apache 2.0.63 Apache Group ------------ The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://svn.apache.org/viewvc?view=rev&revision=682868
    idSSV:3804
    last seen2017-11-19
    modified2008-08-08
    published2008-08-08
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-3804
    titleApache mod_proxy_ftp module wildcard character cross-site scripting vulnerability
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: CVE ID:CVE-2008-2939 CNCVE ID:CNCVE-20082939 IBM HTTP Server is an HTTP server program. IBM HTTP Server "mod_proxy_ftp" has an input validation issue that remote attackers can exploit to conduct cross-site scripting attacks and obtain sensitive information. No detailed solution is currently available. IBM HTTP Server 6.0.x Vendor solution: see the following security advisory for patch information: http://www-01.ibm.com/support/docview.wss?uid=swg27007033
    idSSV:4786
    last seen2017-11-19
    modified2009-02-16
    published2009-02-16
    reporterRoot
    titleIBM HTTP Server mod_proxy_ftp cross-site scripting vulnerability

Statements

contributorMark J Cox
lastmodified2008-11-12
organizationRed Hat
statementThis issue was addressed in all affected httpd versions as shipped in Red Hat Enterprise Linux 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0967.html This issue is tracked via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-2939 The Red Hat Security Response Team has rated this issue as having low security impact; future updates may address this flaw in other affected products (such as Red Hat Application Stack).

References