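##############################################################################
#
# Chipmunk Directory 'entryID' Cross-Site Scripting Vulnerability
#
# Copyright: OS2A and it's member companies
#
# Date Written:2005/11/16
#
# $Revision: 1.2 $
#
# $Log: os2a_chipmunk_directory_xss_600653.nasl,v $
# Revision 1.2  2006/03/29 06:44:38  hpavithra
# Updated solution info
#
# Revision 1.1  2005/11/17 11:43:09  bchandra
# Issue #1225 To production
#
# Revision 1.3  2005/11/16 12:00:21  nrnandini
# issue #1225
# Added commonly used directories to cgi directories.
# /dir and /directory
#
# Revision 1.2  2005/11/16 09:57:48  drahul
# issue #1225
# Modified description
#
# Revision 1.1  2005/11/16 09:46:20  drahul
# issue #1225
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Plugin registration: metadata only, no network activity happens in this branch.
if (description)
{
  script_id(600653);
  script_bugtraq_id(15149);
  script_cve_id("CVE-2005-3516");
  script_copyright(english:"Copyright (C) 2005 OS2A");
  script_version ("$Revision: 1.2 $");
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");
  script_name(english:"Chipmunk Directory 'entryID' Cross-Site Scripting Vulnerability");
  script_summary(english:"Check for XSS vulnerability in Chipmunk Directory");

  # The vulnerable parameter is 'entryID' (matching the plugin title and the
  # probe below); the earlier text named it "ID".
  desc["english"] = "
Overview :

Chipmunk Directory versions 2.0 and prior are prone to cross-site
Scripting vulnerability.

Input passed to the 'entryID' parameter in recommend.php is not properly
sanitized before being returned to the user.

Impact :

This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of a affected site.

Affected Software:

Chipmunk Directory 2.0 and prior.

Affected Platforms :

Any system running the affected software.

Solution :

No vendor-supplied patches are available for this issue.

References :

http://secunia.com/advisories/17283/
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3516

CVSS Temporal Score : 4.4
Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Active check. Fingerprint the application first, then send one reflected
# payload per fingerprinted directory and look for it in the response body.

port = get_http_port(default:80);
if (!port)
{
  exit(0);
}

# Default install locations plus whatever CGI directories the scanner found.
candidate_dirs = make_list("/dir", "/directory", cgi_dirs());

foreach dir (candidate_dirs)
{
  # Step 1: only probe directories whose index page identifies itself as
  # Chipmunk Directory, so unrelated applications are not sent the payload.
  index_url = string(dir, "/index.php");
  req = http_get(item:index_url, port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);

  # A NULL response is treated as the web server no longer answering; stop
  # rather than keep hitting a dead connection.
  if (res == NULL)
  {
    exit(0);
  }

  if (!egrep(pattern:"Powered by.+Chipmunk Directory", string:res))
  {
    continue;
  }

  # Step 2: the probe is sent double-encoded (%2527 for the quote); the
  # response is searched for the once-decoded form %27OS2A%27, which is
  # what a server that reflects the parameter unsanitized would echo back.
  probe_url = string(dir, "/recommend.php?entryID='%3C/a%3E%3CIFRAME"
                        + "%20SRC=javascript:alert(%2527OS2A%2527)"
                        + "%3E%3C/IFRAME%3E");
  req = http_get(item:probe_url, port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);

  if (res == NULL)
  {
    exit(0);
  }

  if ("javascript:alert(%27OS2A%27)" >< res)
  {
    # Marker reflected verbatim: report once and stop.
    security_warning(port);
    exit(0);
  }
}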