Vulnerabilities > CVE-2015-1165 - Information Exposure vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
debian
fedoraproject
bestpractical
CWE-200
nessus

Summary

RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.

Vulnerable Configurations

Part Description Count
OS
Debian
1
OS
Fedoraproject
2
Application
Bestpractical
43

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_D08F6002C58811E484956805CA0B3D42.NASL
    descriptionBest Practical reports : RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT
    last seen2020-06-01
    modified2020-06-02
    plugin id81685
    published2015-03-09
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81685
    titleFreeBSD : rt -- Remote DoS, Information disclosure and Session Hijackingvulnerabilities (d08f6002-c588-11e4-8495-6805ca0b3d42)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81685);
      script_version("1.3");
      script_cvs_date("Date: 2018/11/10 11:49:44");
    
      script_cve_id("CVE-2014-9472", "CVE-2015-1165", "CVE-2015-1464");
    
      script_name(english:"FreeBSD : rt -- Remote DoS, Information disclosure and Session Hijackingvulnerabilities (d08f6002-c588-11e4-8495-6805ca0b3d42)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Best Practical reports :
    
    RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are
    vulnerable to a remote denial-of-service via the email gateway; any
    installation which accepts mail from untrusted sources is vulnerable,
    regardless of the permissions configuration inside RT. This
    denial-of-service may encompass both CPU and disk usage, depending on
    RT's logging configuration. This vulnerability is assigned
    CVE-2014-9472.
    
    RT 3.8.8 and above are vulnerable to an information disclosure attack
    which may reveal RSS feeds URLs, and thus ticket data; this
    vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be
    leveraged to perform session hijacking, allowing a user with the URL
    to log in as the user that created the feed; this vulnerability is
    assigned CVE-2015-1464."
      );
      # http://blog.bestpractical.com/2015/02/security-vulnerabilities-in-rt.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7e631423"
      );
      # https://vuxml.freebsd.org/freebsd/d08f6002-c588-11e4-8495-6805ca0b3d42.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a1a0b31b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:rt40");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:rt42");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"rt42>=4.2.0<4.2.10")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"rt40>=4.0.0<4.0.23")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idRT_4_2_10.NASL
    descriptionAccording to its self-reported version number, the Best Practical Solutions Request Tracker (RT) running on the remote web server is version 4.0.x prior to 4.0.23 or version 4.2.x prior to 4.2.10. It is, therefore, potentially affected by the following vulnerabilities : - A flaw exists in the email gateway that allows remote attackers to cause a denial of service via a specially crafted email. (CVE-2014-9472) - A flaw exists that allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. (CVE-2015-1165) - A flaw exists in how RSS feed URLs are handled that could allow a remote attacker to log in as the user who created the feed. (CVE-2015-1464) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id83140
    published2015-04-29
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83140
    titleRequest Tracker 4.0.x < 4.0.23 / 4.2.x < 4.2.10 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83140);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id("CVE-2014-9472", "CVE-2015-1165", "CVE-2015-1464");
      script_bugtraq_id(72832, 72833, 72837);
    
      script_name(english:"Request Tracker 4.0.x < 4.0.23 / 4.2.x < 4.2.10 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of Request Tracker.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is running a Perl application that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Best Practical
    Solutions Request Tracker (RT) running on the remote web server is
    version 4.0.x prior to 4.0.23 or version 4.2.x prior to 4.2.10. It is,
    therefore, potentially affected by the following vulnerabilities :
    
      - A flaw exists in the email gateway that allows remote
        attackers to cause a denial of service via a specially
        crafted email. (CVE-2014-9472)
        
      - A flaw exists that allows remote attackers to obtain
        sensitive RSS feed URLs and ticket data via unspecified
        vectors. (CVE-2015-1165)
        
      - A flaw exists in how RSS feed URLs are handled that could
        allow a remote attacker to log in as the user who created
        the feed. (CVE-2015-1464)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://docs.bestpractical.com/release-notes/rt/4.2.10");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Request Tracker 4.0.23 / 4.2.10 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1464");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/29");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:bestpractical:rt");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("rt_detect.nasl");
      script_require_keys("installed_sw/RT", "Settings/ParanoidReport");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    appname = "RT";
    get_install_count(app_name:appname, exit_if_zero:TRUE);
    
    port = get_http_port(default:80);
    
    install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    version = install['version'];
    path    = install['path'];
    install_url = build_url(port:port, qs:path + "/");
    
    if (version =~ "^4\.0\.") fix = '4.0.23';
    else if (version =~ "^4\.2\.") fix = '4.2.10';
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, version);
    
    ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
    if (
      (ver[0] == 4 && ver[1] == 0 &&
        (ver[2] < 23) ||
         ver[2] == 23 && version =~ "(rc|pre|alpha|RC|test|CH|beta|preflight)") ||
      (ver[0] == 4 && ver[1] == 2 &&
        (ver[2] < 10) ||
         ver[2] == 10 && version =~ "(rc|pre|alpha|RC|test|CH|beta|preflight)")
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, version);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-158.NASL
    descriptionMultiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2014-9472 Christian Loos discovered a remote denial of service vulnerability, exploitable via the email gateway and affecting any installation which accepts mail from untrusted sources. Depending on RT
    last seen2020-03-17
    modified2015-03-26
    plugin id82141
    published2015-03-26
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82141
    titleDebian DLA-158-1 : request-tracker3.8 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-158-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82141);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-9472", "CVE-2015-1165", "CVE-2015-1464");
      script_bugtraq_id(72832, 72833, 72837);
    
      script_name(english:"Debian DLA-158-1 : request-tracker3.8 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been discovered in Request Tracker, an
    extensible trouble-ticket tracking system. The Common Vulnerabilities
    and Exposures project identifies the following problems :
    
    CVE-2014-9472
    
    Christian Loos discovered a remote denial of service vulnerability,
    exploitable via the email gateway and affecting any installation which
    accepts mail from untrusted sources. Depending on RT's logging
    configuration, a remote attacker can take advantage of this flaw to
    cause CPU and excessive disk usage.
    
    CVE-2015-1165
    
    Christian Loos discovered an information disclosure flaw which may
    reveal RSS feeds URLs, and thus ticket data.
    
    CVE-2015-1464
    
    It was discovered that RSS feed URLs can be leveraged to perform
    session hijacking, allowing a user with the URL to log in as the user
    that created the feed.
    
    For the oldstable distribution (squeeze), these problems have been
    fixed in version 3.8.8-7+squeeze9.
    
    We recommend that you upgrade your request-tracker3.8 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2015/02/msg00012.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/request-tracker3.8"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:request-tracker3.8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rt3.8-apache2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rt3.8-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rt3.8-db-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rt3.8-db-postgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rt3.8-db-sqlite");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"6.0", prefix:"request-tracker3.8", reference:"3.8.8-7+squeeze8")) flag++;
    if (deb_check(release:"6.0", prefix:"rt3.8-apache2", reference:"3.8.8-7+squeeze8")) flag++;
    if (deb_check(release:"6.0", prefix:"rt3.8-clients", reference:"3.8.8-7+squeeze8")) flag++;
    if (deb_check(release:"6.0", prefix:"rt3.8-db-mysql", reference:"3.8.8-7+squeeze8")) flag++;
    if (deb_check(release:"6.0", prefix:"rt3.8-db-postgresql", reference:"3.8.8-7+squeeze8")) flag++;
    if (deb_check(release:"6.0", prefix:"rt3.8-db-sqlite", reference:"3.8.8-7+squeeze8")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-4666.NASL
    descriptionSecurity fix for CVE-2014-9472 Security fix for CVE-2015-1165 Security fix for CVE-2015-1464 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-04-07
    plugin id82606
    published2015-04-07
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82606
    titleFedora 21 : rt-4.2.10-2.fc21 (2015-4666)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-4666.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82606);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-9472", "CVE-2015-1165", "CVE-2015-1464");
      script_xref(name:"FEDORA", value:"2015-4666");
    
      script_name(english:"Fedora 21 : rt-4.2.10-2.fc21 (2015-4666)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2014-9472 Security fix for CVE-2015-1165 Security
    fix for CVE-2015-1464
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200059"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200065"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200069"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154213.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?dcea9ba9"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected rt package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC21", reference:"rt-4.2.10-2.fc21")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rt");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-4698.NASL
    descriptionSecurity fix for CVE-2014-9472 Security fix for CVE-2015-1165 Security fix for CVE-2015-1464 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-04-03
    plugin id82553
    published2015-04-03
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82553
    titleFedora 22 : rt-4.2.10-2.fc22 (2015-4698)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-4698.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82553);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-9472", "CVE-2015-1165", "CVE-2015-1464");
      script_xref(name:"FEDORA", value:"2015-4698");
    
      script_name(english:"Fedora 22 : rt-4.2.10-2.fc22 (2015-4698)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2014-9472 Security fix for CVE-2015-1165 Security
    fix for CVE-2015-1464
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200059"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200065"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200069"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-March/154047.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7d1e959a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected rt package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rt");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC22", reference:"rt-4.2.10-2.fc22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rt");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3176.NASL
    descriptionMultiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-9472 Christian Loos discovered a remote denial of service vulnerability, exploitable via the email gateway and affecting any installation which accepts mail from untrusted sources. Depending on RT
    last seen2020-03-17
    modified2015-02-27
    plugin id81556
    published2015-02-27
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81556
    titleDebian DSA-3176-1 : request-tracker4 - security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3176. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81556);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-9472", "CVE-2015-1165", "CVE-2015-1464");
      script_xref(name:"DSA", value:"3176");
    
      script_name(english:"Debian DSA-3176-1 : request-tracker4 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been discovered in Request Tracker, an
    extensible trouble-ticket tracking system. The Common Vulnerabilities
    and Exposures project identifies the following problems :
    
      - CVE-2014-9472
        Christian Loos discovered a remote denial of service
        vulnerability, exploitable via the email gateway and
        affecting any installation which accepts mail from
        untrusted sources. Depending on RT's logging
        configuration, a remote attacker can take advantage of
        this flaw to cause CPU and excessive disk usage.
    
      - CVE-2015-1165
        Christian Loos discovered an information disclosure flaw
        which may reveal RSS feeds URLs, and thus ticket data.
    
      - CVE-2015-1464
        It was discovered that RSS feed URLs can be leveraged to
        perform session hijacking, allowing a user with the URL
        to log in as the user that created the feed."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2014-9472"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2015-1165"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2015-1464"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/request-tracker4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2015/dsa-3176"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the request-tracker4 packages.
    
    For the stable distribution (wheezy), these problems have been fixed
    in version 4.0.7-5+deb7u3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:request-tracker4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/02/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"request-tracker4", reference:"4.0.7-5+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"rt4-apache2", reference:"4.0.7-5+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"rt4-clients", reference:"4.0.7-5+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"rt4-db-mysql", reference:"4.0.7-5+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"rt4-db-postgresql", reference:"4.0.7-5+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"rt4-db-sqlite", reference:"4.0.7-5+deb7u3")) flag++;
    if (deb_check(release:"7.0", prefix:"rt4-fcgi", reference:"4.0.7-5+deb7u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");