Mailing List Archive

Allaire JRUN Cross Site Scripting Check
Attached is a quick hack up SecuriTeam's 40x Cross Site Scripting NASL (without their permission, I hope they're okay with that for a NASL-newbie). This one specifically checks for the Allaire JRUN CSS problem (the scripts require a .jsp, .shtml or .thtml extension tacked on to the end of the request).

It is working in my tests, but I'm wondering if there's a better way to handle the three requests (.jsp, .shtml and .thtml) in some sort of loop (or even just adding it easily to the original SecuriTeam NASL)? In my testing I found that one may work and one may not (I assume it depends on the config options of JRUN, but I don't have access to admin the systems), so all three should be tested to be sure.

Also, if someone has a 2.3.x JRUN installation to test against...

Comments/help appreciated.

Thanks
Chris
Re: Allaire JRUN Cross Site Scripting Check
Hi Chris,

better use a loop - updated version is attached

Had no time to test, but it should work (tm) ...

Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------
----- Original Message -----
From: "sq" <sq@cirt.net>
To: <plugins-writers@list.nessus.org>
Sent: Tuesday, November 13, 2001 11:39 PM
Subject: Allaire JRUN Cross Site Scripting Check


> Attached is a quick hack up SecuriTeam's 40x Cross Site Scripting NASL
> (without their permission, I hope they're okay with that for a NASL-newbie).
> This one specifically checks for the Allaire JRUN CSS problem (the scripts
> require a .jsp, .shtml or .thtml extension tacked on to the end of the
> request).
>
> It is working in my tests, but I'm wondering if there's a better way to
> handle the three requests (.jsp, .shtml and .thtml) in some sort of loop (or
> even just adding it easily to the original SecuriTeam NASL)? In my testing
> I found that one may work and one may not (I assume it depends on the config
> options of JRUN, but I don't have access to admin the systems), so all three
> should be tested to be sure.
>
> Also, if someone has a 2.3.x JRUN installation to test against...
>
> Comments/help appreciated.
>
> Thanks
> Chris
>
>
Re: Allaire JRUN Cross Site Scripting Check
Hi,

There is no problem :}
That is why we post them.

Thanks
Noam Rathaus
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "sq" <sq@cirt.net>
To: <plugins-writers@list.nessus.org>
Sent: Wednesday, November 14, 2001 00:39
Subject: Allaire JRUN Cross Site Scripting Check


> Attached is a quick hack up SecuriTeam's 40x Cross Site Scripting NASL
> (without their permission, I hope they're okay with that for a NASL-newbie).
> This one specifically checks for the Allaire JRUN CSS problem (the scripts
> require a .jsp, .shtml or .thtml extension tacked on to the end of the request).
>
> It is working in my tests, but I'm wondering if there's a better way to handle
> the three requests (.jsp, .shtml and .thtml) in some sort of loop (or even just
> adding it easily to the original SecuriTeam NASL)? In my testing I found that
> one may work and one may not (I assume it depends on the config options of JRUN,
> but I don't have access to admin the systems), so all three should be tested to
> be sure.
>
> Also, if someone has a 2.3.x JRUN installation to test against...
>
> Comments/help appreciated.
>
> Thanks
> Chris
>
>
Re: Allaire JRUN Cross Site Scripting Check
Thanks in large part to Felix Huber showing me how to write a "for" loop
in nasl <g>, this check seems to be working great. I still don't have
an Allaire JRUN 2.x installation to test against, so if someone does,
please try.

Now what happens with the plugin? Sorry, I'm new to the nasl dev side.

Regards,
Chris Sullo
Re: Allaire JRUN Cross Site Scripting Check
Hi,

Just one thing, this plugin will detect an .SHTML based CSS, while the original
one will also detect such vulnerability. This would cause a duplicate
true?/false? positive.

Maybe it is worth checking for an Allaire server signature?

Thanks
Noam Rathaus
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "sq" <sq@cirt.net>
To: <plugins-writers@list.nessus.org>
Sent: Wednesday, November 14, 2001 18:03
Subject: Re: Allaire JRUN Cross Site Scripting Check


> Thanks in large part to Felix Huber showing me how to write a "for" loop
> in nasl <g>, this check seems to be working great. I still don't have
> an Allaire JRUN 2.x installation to test against, so if someone does,
> please try.
>
> Now what happens with the plugin? Sorry, I'm new to the nasl dev side.
>
> Regards,
> Chris Sullo
>
>
>
Re: Allaire JRUN Cross Site Scripting Check
Hi,

You are right, I was confused with that of:
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/iis_shtml_cross_site.nasl?sortby=date

I am not sure it is worth combining, but rather stating that other systems
(OSes/Servers) are vulnerable, beside JRUN, i.e. making this a generic problem
finder, and not JRUN specific.

Thanks
Noam Rathaus
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "sq" <sq@cirt.net>
To: "Noam Rathaus" <noamr@beyondsecurity.com>
Sent: Thursday, November 15, 2001 17:03
Subject: Re: Allaire JRUN Cross Site Scripting Check


> I guess I don't understand how the first finds a .shtml, as I only see it
> request a document that ends in the /SCRIPT tag with no file
> extension. But yes, if the first finds it also then it would be a duplicate.
>
> Perhaps a better approach would be to use a loop in just one plugin to check
> for no extension, .jsp, .shtml, .thtml (others?), and report
> the full list of links for the web servers, JRUN, etc.? I can see how that
> would be more efficient for the test as a whole.
>
> I don't know of any JRUN signatures, as the cases I'm testing against only
> respond as a Netscape Enterprise and don't give any hint of
> the JRUN install.
>
> I'll take a stab at combining the two to see how it goes. If you have a better
> idea, please let me know. I appreciate your help/guidance.
>
> Regards,
> Chris
>
>
> > Hi,
> >
> > Just one thing, this plugin will detect an .SHTML based CSS, while the
> > original one will also detect such vulnerability. This would cause a duplicate
> > true?/false? positive.
> >
> > Maybe it is worth checking for an Allaire server signature?
> >
> > Thanks
> > Noam Rathaus
> > http://www.SecurITeam.com
> > http://www.BeyondSecurity.com
> >
> > ----- Original Message -----
> > From: "sq" <sq@cirt.net>
> > To: <plugins-writers@list.nessus.org>
> > Sent: Wednesday, November 14, 2001 18:03
> > Subject: Re: Allaire JRUN Cross Site Scripting Check
> >
> >
> > > Thanks in large part to Felix Huber showing me how to write a "for" loop
> > > in nasl <g>, this check seems to be working great. I still don't have
> > > an Allaire JRUN 2.x installation to test against, so if someone does,
> > > please try.
> > >
> > > Now what happens with the plugin? Sorry, I'm new to the nasl dev side.
> > >
> > > Regards,
> > > Chris Sullo
>
Re: Allaire JRUN Cross Site Scripting Check
Okay, try again...

This makes the cross site checking more generic, so that it checks for
extensions of ".shtml", ".thtml", ".jsp" and "". This essentially
makes obsolete the 40x_cross_site.nasl (checks just no extension), and
iis_shtml_cross_site.nasl which checks just the ".shtml" extension.
Also makes it easy to add any more that come up.

This cuts the plugins down to having just one generic CSS check (I did
not think it beneficial to combine the CGIEmail check as that is
CGI/directory specific), rather than two very specific ones. It should
also catch more (i.e., Jrun).

Regards
Chris


> Hi,
>
> You are right, I was confused with that of:
> http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/iis_shtml_cross_site.nasl?sortby=date
>
> I am not sure it is worth combining, but rather stating that other
> systems (OSes/Servers) are vulnerable, beside JRUN, i.e. making this a generic
> problem finder, and not JRUN specific.
>
> Thanks
> Noam Rathaus
> http://www.SecurITeam.com
> http://www.BeyondSecurity.com
>
> ----- Original Message -----
> From: "sq" <sq@cirt.net>
> To: "Noam Rathaus" <noamr@beyondsecurity.com>
> Sent: Thursday, November 15, 2001 17:03
> Subject: Re: Allaire JRUN Cross Site Scripting Check
>
>
> > I guess I don't understand how the first finds a .shtml, as I only
> > see it request a document that ends in the /SCRIPT tag with no file
> > extension. But yes, if the first finds it also then it would be a
> > duplicate.
> >
> > Perhaps a better approach would be to use a loop in just one plugin
> > to check for no extension, .jsp, .shtml, .thtml (others?), and report
> > the full list of links for the web servers, JRUN, etc.? I can see
> > how that would be more efficient for the test as a whole.
> >
> > I don't know of any JRUN signatures, as the cases I'm testing
> > against only respond as a Netscape Enterprise and don't give any hint of
> > the JRUN install.
> >
> > I'll take a stab at combining the two to see how it goes. If you
> > have a better idea, please let me know. I appreciate your help/guidance.
> >
> > Regards,
> > Chris
> >
> >
> > > Hi,
> > >
> > > Just one thing, this plugin will detect an .SHTML based CSS, while
> > > the original one will also detect such vulnerability. This would cause a
> > > duplicate true?/false? positive.
> > >
> > > Maybe it is worth checking for an Allaire server signature?
> > >
> > > Thanks
> > > Noam Rathaus
> > > http://www.SecurITeam.com
> > > http://www.BeyondSecurity.com
> > >
> > > ----- Original Message -----
> > > From: "sq" <sq@cirt.net>
> > > To: <plugins-writers@list.nessus.org>
> > > Sent: Wednesday, November 14, 2001 18:03
> > > Subject: Re: Allaire JRUN Cross Site Scripting Check
> > >
> > >
> > > > Thanks in large part to Felix Huber showing me how to write a
> > > > "for" loop in nasl <g>, this check seems to be working great. I still
> > > > don't have an Allaire JRUN 2.x installation to test against, so if someone
> > > > does, please try.
> > > >
> > > > Now what happens with the plugin? Sorry, I'm new to the nasl dev
> > > > side.
> > > >
> > > > Regards,
> > > > Chris Sullo
> >
>
>
>

__________________________
http://www.cirt.net/
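The generic extension loop Chris describes in his last message, as an added Python example that is not the Nessus plugin or any code posted in this thread: it requests an inert marker under each extension in the list (including no extension), treats a response as vulnerable only if the marker comes back with its angle brackets intact, and reports once per host with the list of reflecting extensions, which avoids the duplicate-positive problem Noam raised. The marker string and the local stand-in server (which echoes .jsp and .shtml paths raw and escapes the rest) are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same extension list as the generic plugin; "" means no extension at all.
EXTENSIONS = ["", ".jsp", ".shtml", ".thtml"]
# Inert marker (constructed): only the intact angle brackets matter.
PROBE = "<xss-probe-marker>"

def reflects_unencoded(body, probe=PROBE):
    """True only if the raw marker, brackets intact, is echoed back."""
    return probe in body

def check_host(host, port, exts=EXTENSIONS):
    """Loop over the extensions once and return those that reflect."""
    hits = []
    for ext in exts:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", "/" + PROBE + ext)
        body = conn.getresponse().read().decode("latin-1")
        conn.close()
        if reflects_unencoded(body):
            hits.append(ext or "(none)")
    return hits  # one result per host, not one report per extension

class _FakeServer(BaseHTTPRequestHandler):
    """Constructed stand-in: echoes .jsp/.shtml paths raw, escapes the rest."""
    def do_GET(self):
        path = self.path
        if not path.endswith((".jsp", ".shtml")):
            path = path.replace("<", "&lt;").replace(">", "&gt;")
        data = ("Not found: " + path).encode()
        self.send_response(404)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet

def run_demo():
    """Start the stand-in on a free loopback port and scan it."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_host("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
```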