Vulnerabilities > CVE-2009-1195 - Configuration vulnerability in Apache Http Server

#
# (C) Tenable Network Security, Inc.
#


if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3000) exit(0);


include("compat.inc");


if (description)
{
  script_id(42433);
  script_version("1.27");

  script_cve_id(
    "CVE-2007-5707",
    "CVE-2007-6698",
    "CVE-2008-0658",
    "CVE-2008-5161",
    "CVE-2009-0023",
    "CVE-2009-1191",
    "CVE-2009-1195",
    "CVE-2009-1574",
    "CVE-2009-1632",
    "CVE-2009-1890",
    "CVE-2009-1891",
    "CVE-2009-1955",
    "CVE-2009-1956",
    "CVE-2009-2408",
    "CVE-2009-2409",
    "CVE-2009-2411",
    "CVE-2009-2412",
    "CVE-2009-2414",
    "CVE-2009-2416",
    "CVE-2009-2666",
    "CVE-2009-2808",
    "CVE-2009-2818",
    "CVE-2009-2819",
    "CVE-2009-2820",
    "CVE-2009-2823",
    "CVE-2009-2824",
    "CVE-2009-2825",
    "CVE-2009-2826",
    "CVE-2009-2827",
    "CVE-2009-2828",
    "CVE-2009-2829",
    "CVE-2009-2831",
    "CVE-2009-2832",
    "CVE-2009-2833",
    "CVE-2009-2834",
    "CVE-2009-2837",
    "CVE-2009-2838",
    "CVE-2009-2839",
    "CVE-2009-2840",
    "CVE-2009-3111",
    "CVE-2009-3291",
    "CVE-2009-3292",
    "CVE-2009-3293"
  );
  script_bugtraq_id(
    26245,
    27778,
    34663,
    35115,
    35221,
    35251,
    35565,
    35623,
    35888,
    35983,
    36263,
    36449,
    36959,
    36961,
    36962,
    36963,
    36964,
    36966,
    36967,
    36972,
    36973,
    36975,
    36977,
    36978,
    36979,
    36982,
    36985,
    36988,
    36990
  );

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-006)");
  script_summary(english:"Check for the presence of Security Update 2009-006");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is missing a Mac OS X update that fixes various
security issues."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is running a version of Mac OS X 10.5 that does not
have Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://support.apple.com/kb/HT3937"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.securityfocus.com/advisories/18255"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Install Security Update 2009-006 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(16, 20, 79, 119, 189, 200, 255, 264, 310, 399);
  script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/09");
  script_cvs_date("Date: 2018/07/16 12:48:31");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}


uname = get_kb_item("Host/uname");
if (!uname) exit(1, "The 'Host/uname' KB item is missing.");

pat = "^.+Darwin.* ([0-9]+\.[0-9.]+).*$";
if (!ereg(pattern:pat, string:uname)) exit(1, "Can't identify the Darwin kernel version from the uname output ("+uname+").");

darwin = ereg_replace(pattern:pat, replace:"\1", string:uname);
if (ereg(pattern:"^(9\.[0-8]\.)", string:darwin))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");

  if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[6-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
    exit(0, "The host has Security Update 2009-006 or later installed and therefore is not affected.");
  else
    security_hole(0);
}
else exit(0, "The host is running Darwin kernel version "+darwin+" and therefore is not affected.");

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(40823);
  script_version("1.13");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id(
    "CVE-2009-0899", 
    "CVE-2009-1195", 
    "CVE-2009-1898",
    "CVE-2009-1899",
    "CVE-2009-1900",
    "CVE-2009-1901",
    "CVE-2009-2085",
    "CVE-2009-2087",
    "CVE-2009-2088",
    "CVE-2009-2089", 
    "CVE-2009-0899", 
    "CVE-2009-2090",
    "CVE-2009-2091",
    "CVE-2009-2092"
  );
  script_bugtraq_id(36153, 36154, 36155, 36156, 36157, 36158, 36163);

  script_name(english:"IBM WebSphere Application Server 7.0 < Fix Pack 5");
  script_summary(english:"Reads the version number from the SOAP port");

  script_set_attribute(attribute:"synopsis", value:
"The remote application server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"IBM WebSphere Application Server 7.0 before Fix Pack 5 appears to be
running on the remote host.  As such, it is reportedly affected by
multiple vulnerabilities :

  - Non-standard HTTP methods are allowed. (PK73246)

  - If the admin console is directly accessed from HTTP,
    the console fails to redirect the connection to a
    secure login page. (PK77010)

  - An error in Single Sign-on (SSO) with SPNEGO 
    implementation could allow a remote attacker
    to bypass security restrictions. (PK77465)

  - 'wsadmin' is affected by a security exposure. 
    (PK77495)  

  - Security flag 'isSecurityEnabled' is incorrectly set
    after migrating from VMM. (PK78134)

  - Use of insecure password obfuscation algorithm by Web
    services could result in weaker than expected security
    provided the client module specifies a password in 
    ibm-webservicesclient-bind.xmi and target environment 
    has custom password encryption enabled. (PK79275)

  - After upgrading from WebSphere Application Server V6.1 
    to V7.0 with tracing enabled, an attacker may be able
    view sensitive information by viewing the trace files.
    (PK80337)  

  - If CSIv2 Security is configured with Identity 
    Assertion, it may be possible for a remote
    attacker to bypass security restrictions. (PK83097)

  - New applications deployed in WebSphere Application 
    Server for z/OS prior to 1.8 are saved on the file
    system with insecure privileges resulting in
    disclosure of sensitive information. (PK83308)

  - Configservice APIs could display sensitive information.
    (PK84999)

  - Vulnerabilities in Apache HTTP server could allow a
    local user to gain elevated privileges. (PK86232)

  - A error in 'wsadmin' could allow a remote attacker
    to bypass security restrictions. (PK86328)
   
  - A vulnerability in portlet serving enable parameter
    could allow an attacker to bypass security restrictions
    and gain unauthorized access to the application. 
    (PK89385)");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg27014463#7005");
  script_set_attribute(attribute:"solution", value:"Apply Fix Pack 5 (7.0.0.5) or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(16, 200, 255, 264, 287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/31");
 
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("websphere_detect.nasl");
  script_require_ports("Services/www", 8880, 8881);
  script_require_keys("www/WebSphere");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8880);


version = get_kb_item("www/WebSphere/"+port+"/version");
if (isnull(version)) exit(1, "Failed to extract the version from the IBM WebSphere Application Server instance listening on port " + port + ".");
if (version =~ "^[0-9]+(\.[0-9]+)?$")
  exit(1, "Failed to extract a granular version from the IBM WebSphere Application Server instance listening on port " + port + ".");

ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

if (ver[0] == 7 && ver[1] == 0 && ver[2] == 0 && ver[3] < 5)
{
  if (report_verbosity > 0)
  {
    source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");

    report = 
      '\n  Source            : ' + source + 
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 7.0.0.5' +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else exit(0, "The WebSphere Application Server "+version+" instance listening on port "+port+" is not affected.");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2009:1075 and 
# Oracle Linux Security Advisory ELSA-2009-1075 respectively.
#

include("compat.inc");

if (description)
{
  script_id(67866);
  script_version("1.9");
  script_cvs_date("Date: 2019/10/25 13:36:08");

  script_cve_id("CVE-2008-1678", "CVE-2009-1195");
  script_bugtraq_id(31692);
  script_xref(name:"RHSA", value:"2009:1075");

  script_name(english:"Oracle Linux 5 : httpd (ELSA-2009-1075)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2009:1075 :

Updated httpd packages that fix two security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was found in the handling of compression structures between
mod_ssl and OpenSSL. If too many connections were opened in a short
period of time, all system memory and swap space would be consumed by
httpd, negatively impacting other processes, or causing a system
crash. (CVE-2008-1678)

Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux
5 prior to 5.3. The problem was introduced via the RHBA-2009:0181
errata in Red Hat Enterprise Linux 5.3, which upgraded OpenSSL to the
newer 0.9.8e version.

A flaw was found in the handling of the 'Options' and 'AllowOverride'
directives. In configurations using the 'AllowOverride' directive with
certain 'Options=' arguments, local users were not restricted from
executing commands from a Server-Side-Include script as intended.
(CVE-2009-1195)

All httpd users should upgrade to these updated packages, which
contain backported patches to resolve these issues. Users must restart
httpd for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2009-May/001022.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected httpd packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(16, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:httpd-manual");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mod_ssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/05/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL5", reference:"httpd-2.2.3-22.0.1.el5_3.1")) flag++;
if (rpm_check(release:"EL5", reference:"httpd-devel-2.2.3-22.0.1.el5_3.1")) flag++;
if (rpm_check(release:"EL5", reference:"httpd-manual-2.2.3-22.0.1.el5_3.1")) flag++;
if (rpm_check(release:"EL5", reference:"mod_ssl-2.2.3-22.0.1.el5_3.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd / httpd-devel / httpd-manual / mod_ssl");
}

• name	Aharon Chernin
  organization	SCAP.com, LLC

• name	Dragos Prisaca
  organization	G2, Inc.

• comment	The operating system installed on the system is Red Hat Enterprise Linux 5
  oval	oval:org.mitre.oval:def:11414

• comment	The operating system installed on the system is CentOS Linux 5.x
  oval	oval:org.mitre.oval:def:15802

• comment	Oracle Linux 5.x
  oval	oval:org.mitre.oval:def:15459

• name	K, Balamurugan
  organization	Hewlett-Packard

• name	Sushant Kumar Singh
  organization	Hewlett-Packard

• name	Sushant Kumar Singh
  organization	Hewlett-Packard

• name	Prashant Kumar
  organization	Hewlett-Packard

• name	Mike Cokus
  organization	The MITRE Corporation

• name	J. Daniel Brown
  organization	DTCC

• name	Mike Lah
  organization	The MITRE Corporation

• name	Shane Shaffer
  organization	G2, Inc.

• name	Maria Mikhno
  organization	ALTX-SOFT