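#############################################################################
#
#  MyBulletinBoard Generic_Error.PHP Cross-Site Scripting Vulnerabilities
#
#  Copyright: OS2A and it's member companies
#
#  Date Written: 2006/09/21
#
#  $Revision: 1.1 $
#
#  $Log: os2a_mybb_fullpath_multiple_xss_609083.nasl,v $
#  Revision 1.1  2006/09/22 09:03:43  hpavithra
#  To production
#
#  Revision 1.1  2006/09/21 09:48:07  gnagendra
#  Issue: #3035
#
#  ------------------------------------------------------------------------
#  This program was written by OS2A and/or it's member companies and is
#  licensed under the GNU GPL license. Please see below for details.  This
#  header contains information regarding licensing terms under the GPL, and
#  information regarding obtaining source code from the Author.  Consequently,
#  pursuant to section 3(c) of the GPL, you must accompany the information
#  found in this header with any distribution you make of this Program.
#  ------------------------------------------------------------------------
##############################################################################

# Plugin metadata. This branch runs only when the scanner loads the plugin
# for registration; it exits before any traffic is sent.
if(description)
{
  script_id(609083);
  script_bugtraq_id(20079);
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.1 $");
  # ACT_ATTACK: the check below sends a script-bearing request to the target.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");
  script_name(english:"MyBulletinBoard Generic_Error.PHP Cross-Site Scripting Vulnerabilities");
  script_summary(english:"Check for cross-site scripting vulnerability in MyBulletinBoard");
  desc["english"] = "
  Overview : This host has MyBulletinBoard installed, which is prone to
  cross-site scripting vulnerability. Input passed to navbits[][name]
  parameter in index.php and to the message and code parameter in
  inc/generic_error.php is not properly sanitised before being returned
  to the user. Exploitation requires register_globals to be enabled.

  Impact : Successful exploitation leads to arbitrary HTML and script code
  execution and to disclose the full path to various scripts by accessing
  them directly. Scope of impact is restricted to application level.

  Affected Software : MyBulletinBoard version 1.2 and prior.

  Affected Platform : Any system running the affected software.

  Solution : No vendor supplied patch is available as on September 21, 2006.
  Information regarding this issue will be updated once the solution
  details are available.
  http://www.mybboard.com/downloads.php

  References : http://secunia.com/advisories/21972/
  http://www.security.nnov.ru/Odocument332.html

  CVSS Score :
  CVSS Base Score : 5.2 (AV:R/AC:L/Au:NR/C:P/I:P/A:N/B:I)
  CVSS Temporal Score : 4.7
  Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if(!port){
  exit(0);
}

# The marker the probe expects to see echoed back verbatim. It is the decoded
# form of the URL-encoded "message" value sent below. The original test
# compared against an empty string, which cannot tell a reflected payload
# apart from any other response body.
xss_marker = "<script>alert(document.cookie);</script>";

# Coverage note: only the "message" parameter of inc/generic_error.php is
# probed. The description also names the "code" parameter and
# navbits[][name] in index.php; those are not tested here.
foreach path (make_list("/mybb", cgi_dirs()))
{
  # Step 1: fingerprint the install by looking for the "MyBB Group" string
  # on the admin login page under this path.
  sndReq = http_get(item:string(path, "/admin/index.php"), port:port);
  rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:1);
  if(rcvRes == NULL){
    # No body came back; the whole check stops rather than trying other paths.
    exit(0);
  }

  if("MyBB Group" >< rcvRes)
  {
    # Step 2: request generic_error.php with the encoded marker.
    sndReq = http_get(item:string(path, "/inc/generic_error.php?",
                                  "message=%3Cscript%3Ealert",
                                  "(document.cookie);%3C/script",
                                  "%3E"), port:port);
    rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:1);
    if(rcvRes == NULL){
      exit(0);
    }

    # Report only when the marker comes back unencoded. A response that
    # HTML-escapes the value (&lt;script&gt;...) does not contain this
    # substring and is not flagged.
    if(xss_marker >< rcvRes){
      security_warning(port);
    }
    # MyBB was identified under this path, so no further paths are tried.
    exit(0);
  }
}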