############################################################################## # # Netscape Arbitrary Code Execution Vulnerabilities (Linux) # # Copyright: OS2A and it's member companies # # Date Written: 2006/01/23 # # $Revision: 1.2 $ # # $Log: os2a_netscape_code_exec_linux_601705.nasl,v $ # Revision 1.2 2007/02/05 09:11:25 ajagadeesh # --Modified Risk factor # # Revision 1.1 2006/01/25 14:27:42 bchandra # Issue #1635 To production # # Revision 1.4 2006/01/25 05:14:10 shraddha # Used kb to get netscape version. # Issue #1635 # # Revision 1.3 2006/01/24 14:10:27 drahul # Issue #1635 # Formatting changes, removed security_note # # Revision 1.2 2006/01/24 09:30:17 schandan # Issue #1635 # Solution part modified. # # Revision 1.1 2006/01/24 04:22:56 shraddha # Issue #1635 # # ------------------------------------------------------------------------ # This program was written by OS2A and/or it's member companies and is # licensed under the GNU GPL license. Please see below for details. This # header contains information regarding licensing terms under the GPL, and # information regarding obtaining source code from the Author. Consequently, # pursuant to section 3(c) of the GPL, you must accompany the information # found in this header with any distribution you make of this Program. 
# ------------------------------------------------------------------------
##############################################################################

# Registration pass: when the engine runs the script with `description` set,
# only the plugin metadata below is declared and the script exits before the
# check itself.
if (description)
{
  script_id(601705);
  script_version("$Revision: 1.2 $");
  script_copyright(english:"Copyright (C) 2006 OS2A");

  # Advisory identifiers this plugin reports against.
  script_bugtraq_id(15495, 13211);
  script_cve_id("CVE-2005-1156", "CVE-2005-1157");

  # Declared as information gathering: the check only reads a knowledge-base
  # entry and compares it against a version pattern.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_name(english:"Netscape Arbitrary Code Execution Vulnerabilities (Linux)");
  script_summary(english:"Check for vulnerable version of Netscape");

  # Report text shown with the finding. The "Solution" paragraph is a
  # point-in-time statement ("as of January 24, 2006").
  desc["english"] = " Overview : This host has Netscape, a Web browser installed, which is prone to remote code execution vulnerability. The flaw exists due to a failure of the application to provide secure access validation. Error exists in the search plugin implementation where the action URL of a search plugin is not verified before being used to perform a search. If a user installs a search plugin from a malicious site the new search plugin could silently replace an existing one by choosing the same filename and using a long server path. Successful exploitation requires that the user is tricked into installing a search plugin with a specially crafted javascript URI. Impact : Successful exploitation leads to data stealth and/or corruption of data. The impact is restricted to system level. Affected Software : Netscape 7.2 and prior. Affected Platform : Linux (Any). Solution : No patch available as of January 24, 2006. 
Install Updated version (above 7.2) of Netscape for Linux platform if available : http://browser.netscape.com/ns8/download/default.jsp References : http://www.mikx.de/firesearching/ http://www.mozilla.org/security/announce/mfsa2005-38.html CVSS Score : CVSS Base Score : 5.6 (AV:R/AC:H/Au:NR/C:P/I:P/A:P/B:N) CVSS Temporal Score : 4.4 Risk factor : Medium";
  script_description(english:desc["english"]);

  # The check depends on the detection plugin and is skipped unless the
  # version key exists. Presumably that plugin is what writes the key; it is
  # not visible here.
  script_dependencie("os2a_netscape_detect_linux_601707.nasl");
  script_require_keys("Netscape/Linux/Version");
  exit(0);
}

# Check pass: decide purely from the version string stored in the KB.
# Nothing is probed on the target here, so the result is only as accurate as
# the stored version (a build fixed without a version change would still be
# reported, and an unrecognised version format is silently passed over).
ns_version = get_kb_item("Netscape/Linux/Version");
if (!ns_version)
{
  exit(0);
}

# Accepted versions: 0.<anything>, 1.0 - 1.6 with any suffix, 1.7, and
# 1.7.0 - 1.7.2. The trailing ($|[^.0-9]) requires the match to end at a
# version boundary, so values such as 1.70 or 1.7.10 are not reported.
# NOTE(review): the report text says "Netscape 7.2 and prior", but a literal
# "7.2" cannot match this pattern; the accepted range looks like a
# Mozilla/Gecko-style version number instead. Confirm which format the
# detection plugin stores under this key.
affected_pattern = "^(0\..*|1\.([0-6](\..*)?|7(\.[0-2])?))($|[^.0-9])";
if (!ereg(pattern:affected_pattern, string:ns_version))
{
  exit(0);
}

# Port 0: the finding is reported against the host, not a network service.
security_warning(0);
exit(0);