Mailing List Archive

Stronghold Script
Hi everybody,

not a great thing...

you can try it here:
http://www.wpi.edu/stronghold-info
http://www.wpi.edu/stronghold-status

I also attached an updated cross_site_scripting.nasl (more file extensions).


Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------
Re: Stronghold Script [ In reply to ]
On Sat, Nov 24, 2001 at 12:21:13AM +0100, Felix Huber wrote:
>
> Hi everybody,
>
>
>
> not a great thing...
>

I modified it so that the code actually does pattern matching, which
reduces the risk of false positives against non404 servers.

Also note that '//' is not a valid comment in nasl.


This gives:


#
# This script was written by Felix Huber <huberfelix@webtopia.de>
#
# v. 1.00 (last update 23.11.01)
#
# Changes by rd: re-wrote the code to do pattern matching

if(description)
{
  script_id(10803);
  name["english"] = "Redhat Stronghold File System Disclosure";
  script_name(english:name["english"]);

  desc["english"] = "
Redhat Stronghold Secure Server File System Disclosure Vulnerability


The problem:
In Redhat Stronghold from versions 2.3 up to 3.0 a flaw exists that
allows a remote attacker to disclose sensitive system files including
the httpd.conf file, if restricted access to the server status
report is not enabled when using those features.
This may assist an attacker in performing further attacks.

By trying the following URLs, an attacker can gather sensitive
information:
http://target/stronghold-info will give information on configuration
http://target/stronghold-status will return, among other information,
the list of requests made

Please note that this attack can be performed after a default
installation. The vulnerability seems to affect all previous versions
of Stronghold.

Vendor status:
Patch was released (November 19, 2001)


Risk factor : Medium";

  script_description(english:desc["english"]);

  summary["english"] = "Redhat Stronghold File System Disclosure";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2001 Felix Huber");
  family["english"] = "CGI abuses";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/www");
if(!port)port = 80;
if(get_port_state(port))
{
  # First check: /stronghold-info. Match on the page title rather than
  # on the HTTP status code, so servers that answer 200 to every request
  # (non404 servers) do not produce a false positive.
  req = http_get(item:"/stronghold-info", port:port);
  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    close(soc);
    if("Stronghold Server Information" >< r)security_hole(port);

    # Second check: /stronghold-status, on a fresh connection.
    soc = open_sock_tcp(port);
    if(soc)
    {
      req = http_get(item:"/stronghold-status", port:port);
      send(socket:soc, data:req);
      r = recv(socket:soc, length:4096);
      close(soc);
      if("Stronghold Server Status for" >< r)security_hole(port);
    }
  }
}
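The point of the rewrite above is that a check which only looks at the HTTP status code misfires on servers configured to answer 200 for every path (the "non404" case handled by no404.nasl), whereas matching on the handler's own page title does not. The following Python is an added illustration of that difference for anyone verifying a scanner result against their own server; it is not part of the thread or the Nessus plugin. The marker strings are the ones the plugin uses; the sample responses are constructed, and the helper names (parse_response, status_only_check, pattern_check, compare) are my own.

```python
# Added example, not code from the mailing-list thread or the Nessus plugin:
# why a content match ("Stronghold Server Information" >< r in NASL) is
# more reliable than a status-code check against non404 servers.

# Page-title markers, taken from the NASL plugin posted in the thread.
MARKERS = {
    "/stronghold-info": "Stronghold Server Information",
    "/stronghold-status": "Stronghold Server Status for",
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.0 response into (status_code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    return int(parts[1]), body


def status_only_check(raw: bytes) -> bool:
    """Naive check: treats any 200 OK as 'the handler is exposed'.
    Gives false positives on servers that return 200 for every path."""
    status, _ = parse_response(raw)
    return status == 200


def pattern_check(raw: bytes, path: str) -> bool:
    """Check in the spirit of the plugin: look for the handler's own
    page title in the body, ignoring the status code."""
    _, body = parse_response(raw)
    return MARKERS[path].encode() in body


# Constructed sample responses (not captured from any real host).
EXPOSED = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>Stronghold Server Information</title></head>"
    b"<body>Server Version: ...</body></html>"
)
NO404 = (  # custom "not found" page served with a 200 status
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Sorry, that page was not found. "
    b"Please use the site map.</body></html>"
)
NOT_FOUND = b"HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>404</html>"
FORBIDDEN = b"HTTP/1.0 403 Forbidden\r\n\r\n<html>Forbidden</html>"


def compare(raw: bytes, path: str = "/stronghold-info"):
    """Return (status_only_result, pattern_result) for one response."""
    return status_only_check(raw), pattern_check(raw, path)


if __name__ == "__main__":
    for name, raw in [("exposed", EXPOSED), ("no404", NO404),
                      ("404", NOT_FOUND), ("403", FORBIDDEN)]:
        print(name, compare(raw))
```

Only the first response is a real exposure; the status-only check also flags the non404 server's custom error page, while the pattern check does not. A 403 on these paths, with no marker in the body, is the result you want to see once access to the status handlers has been restricted.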
Re: Stronghold Script [ In reply to ]
> I modified it so that the code actually does pattern matching, which
> reduce the risk of false positives against non404 servers.

> Also note that '//' is not a valid comment in nasl.

ok - the strings were in javascript style comment blocks :)

regards,
felix huber
