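#############################################################################
#
#  phpLDAPadmin XSS and Script Insertion Vulnerabilities
#
#  Copyright: OS2A and it's member companies
#
#  Date Written: 2006/05/17
#
#  $Revision: 1.1 $
#
#  $Log: os2a_phpldapadmin_xss_601865.nasl,v $
#  Revision 1.1  2006/05/18 05:47:53  shraddha
#  To Production Issue #2420
#
#  Revision 1.3  2006/05/17 12:40:13  hpavithra
#  Issue: #2420
#  Minor code changes
#
#  Revision 1.2  2006/05/17 10:37:07  schandan
#  Issue #2420
#  Modified : Regex, Desc.
#
#  Revision 1.1  2006/05/17 05:59:45  hshreesha
#  issue #2420
#
#  ------------------------------------------------------------------------
#  This program was written by OS2A and/or it's member companies and is
#  licensed under the GNU GPL license.  Please see below for details.  This
#  header contains information regarding licensing terms under the GPL, and
#  information regarding obtaining source code from the Author.  Consequently,
#  pursuant to section 3(c) of the GPL, you must accompany the information
#  found in this header with any distribution you make of this Program.
#  ------------------------------------------------------------------------
##############################################################################

# Plugin registration. This branch runs only when the scanner loads the
# plugin for its metadata; it performs no network activity and exits.
if(description)
{
  script_id(601865);
  script_bugtraq_id(17643);
  script_cve_id("CVE-2006-2016");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses : XSS");
  script_name(english:"phpLDAPadmin XSS and Script Insertion Vulnerabilities");
  script_summary(english:"Check for vulnerable version of phpLDAPadmin");

  # Report text shown to the operator. The literal is reproduced exactly as
  # it appears in this copy of the plugin.
  # NOTE(review): the section labels (Overview, Impact, Solution, ...) look
  # like they were once on separate lines - confirm against the original file.
  # NOTE(review): the "Solution" paragraph is dated 17th May 2006; check the
  # vendor's current release notes before relying on it.
  desc["english"] = " Overview : This host has phpLDAPadmin running which is prone to cross-site scripting and script insertion vulnerabilities. 
Vulnerability Insight : Inputs passed to the Container DN, Machine Name, and UID Number parameters in template_engine.php, compare_form.php, copy_form.php, rename_form.php, delete_form.php and search.php is not properly sanitised before being used. Impact : Successful exploitation can lead to execution of attacker-supplied script code in the context of the affected website which in-turn can lead to the theft of cookie-based authentication credentials. Scope of impact is limited to application/system level. Affected Software : phpLDAPadmin 0.9.8.2 and prior. Affected Platform : Any platform running the affected software. Solution : No vendor supplied patch is available as of 17th May 2006. Information regarding this issue will be updated once the solution details are available. References : http://pridels.blogspot.com/2006/04/phpldapadmin-multiple-vuln.html http://secunia.com/advisories/19747/ CVSS Score : CVSS Base Score : 3.1 (AV:R/AC:L/Au:R/C:P/I:P/A:N/B:I) CVSS Temporal Score : 2.8 Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Pick the web port discovered for this host (falls back to 80).
port = get_http_port(default:80);
if(!port){
  exit(0);
}

# Detection is passive: one GET of tree.php per candidate directory, then a
# comparison of the version string printed in the returned page. No test
# payload is sent, so the finding is inferred from the advertised version
# only. An install carrying a locally applied fix is still reported, and an
# install that does not print its version in the page is not.
foreach dir (make_list("/phpldapadmin", "/phpldapadmin/htdocs", cgi_dirs()))
{
  sndReq = http_get(item:string(dir, "/tree.php"), port:port);
  rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:1);

  # Only look at responses that identify themselves as phpLDAPadmin and are
  # not an error page that merely echoes the product name.
  if(rcvRes != NULL && "404 Not Found" >!< rcvRes && "phpLDAPadmin" >< rcvRes)
  {
    # Affected range per the description: 0.9.8.2 and prior.
    #   0.9.[0-7] with an optional fourth component      -> affected
    #   0.9.8, 0.9.8.0, 0.9.8.1, 0.9.8.2                 -> affected
    # The previous pattern, 0\.9\.([0-8]|8\.[0-2])[^.], rejected every
    # four-component version whose third component was 0-7 (the digit had
    # to be followed by a non-dot), so those older releases were silently
    # skipped. It also needed a trailing character after the version and
    # accepted any digit as that character. The terminator below is
    # "anything but a dot or digit, or end of line", which closes both gaps.
    if(egrep(pattern:"phpLDAPadmin - 0\.9\.([0-7](\.[0-9]+)?|8(\.[0-2])?)([^.0-9]|$)",
             string:rcvRes)){
      security_warning(port);
    }

    # Stop at the first directory that answers as phpLDAPadmin, whether or
    # not its version is in the affected range; further directories on the
    # same port are not examined.
    exit(0);
  }
}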