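##############################################################################
#
# Runcms / exoops Arbitrary File Upload Vulnerability
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2005/09/02
#
# $Revision: 1.1 $
#
# $Log: os2a_runcms_avatar_600183.nasl,v $
# Revision 1.1 2005/09/13 11:20:31 bchandra
# Issue #739 To Production
#
# Revision 1.4 2005/09/09 10:31:35 drahul
# issue #739
# Code formatted.
#
# Revision 1.3 2005/09/02 08:13:53 drahul
# issue #739
#
# Revision 1.2 2005/09/02 06:56:04 drahul
# issue #739
# Modified regular expression.
#
#
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Plugin registration: metadata only, no network activity happens here.
if (description)
{
  script_id(600183);
  script_bugtraq_id(13027);
  script_cve_id("CAN-2005-1031");
  script_copyright(english:"Copyright (C) 2005 OS2A");
  script_version ("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_name(english:"Runcms / exoops Arbitrary File Upload Vulnerability");
  script_summary(english:"Check for vulnerable version of RUNCMS/exoops");

  desc["english"] = "
Overview :

RunCMS 1.1A, exoops 1.05 Rev3 and prior are prone to a remote arbitrary
file upload vulnerability. The issue exists due to a lack of sanitization
performed on image files that are uploaded using custom avatar upload
functionality.

Impact:

If 'Allow customer avatar' upload option is enabled, a remote attacker
could exploit this vulnerability to upload arbitrary files. This issue
can ultimately facilitate unauthorized access in the context of the Web
server.

Affected Platforms :

Any system running the affected software.

Solution :

Apply the following patch.
http://www.runcms.org/public/modules/mydownloads/singlefile.php?lid=219

References :

http://www.securityfocus.com/bid/13027/

Risk factor : High";

  script_description(english:desc["english"]);

  # The web port is discovered by http_version.nasl; ask for it explicitly.
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Use the web port found by http_version.nasl, falling back to 80.
port = get_http_port(default:80);
if (!port) port = 80;

# Do not send requests to a port the scanner already knows is closed.
if (!get_port_state(port)) exit(0);

# Candidate application roots: the document root, the two conventional
# install directories, and every CGI directory the scanner discovered.
dirs = make_list("", "/runcms", "/exoops", cgi_dirs());

foreach dir (dirs)
{
  # The news module index page is where the product/version banner
  # ("RUNCMS ..." or "Powered by ... exoops ...") is expected to appear.
  url = string(dir, "/modules/news/index.php");
  sendRequest = http_get(item:url, port:port);
  receiveResponse = http_keepalive_send_recv(port:port, data:sendRequest, bodyonly:1);

  # NULL means the server did not answer at all, so no other directory
  # is worth trying either.
  if (receiveResponse == NULL) exit(0);

  # Version-banner check for RUNCMS <= 1.1A or exoops <= 1.05 Rev3.
  #
  # NOTE(review): the original condition carried a second substring test
  # ("..." >< receiveResponse) after the RUNCMS egrep, but its string
  # literal was lost (the source reads `"< receiveResponse`, an
  # unterminated literal that does not parse). It could not be recovered
  # and is dropped here; restore it from the upstream plugin if available.
  #
  # Caveats a practitioner should keep in mind:
  #  - This is a banner/version match only. The vendor fix is a patch
  #    applied on top of the release, so a patched install may still
  #    present the same banner and keep being flagged (false positive).
  #  - Both patterns are unanchored: `1\.1A?` also matches e.g. "1.10",
  #    and `5.(.*<|Rev[1-3])` accepts any text between "1.05" and the
  #    next "<", so later 1.05 revisions can match too.
  if (egrep(pattern:"RUNCMS.*(0\.+|1\.(0.*|1A?))", string:receiveResponse)
      || egrep(pattern:"Powered by.*(exoops|E-Xoops).*(0\.+|1\.0([0-4].*|5.(.*<|Rev[1-3])))", string:receiveResponse))
  {
    security_hole(port:port);
    exit(0);
  }
}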