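##############################################################################
#
# SaveWebPortal menu_dx.php Multiple Vulnerabilities
#
# Copyright: OS2A and it's member companies
#
# Date Written: 2005/08/31
#
# $Revision: 1.1 $
#
# $Log: os2a_saveweb_include_600181.nasl,v $
# Revision 1.1 2005/09/01 11:15:34 bchandra
# Issue #728 To Production
#
# Revision 1.1 2005/08/31 06:20:43 drahul
# issue #728
# issue #729
#
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or it's member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

#
# What this plugin does:
#   For each candidate install directory it requests menu_sx.php with a
#   CONTENTS_Dir value that points at a file name that should not exist, and
#   reports a finding when the response body carries PHP's "failed to open
#   stream" warning for that file name. The probe does not read or write any
#   file on the target.
#
# Detection caveats:
#   - The check depends on the server returning PHP warnings in the response
#     body. A vulnerable install that does not display PHP errors yields no
#     finding, so a clean result is not proof that the host is unaffected.
#   - NOTE(review): the plugin title names menu_dx.php, but the request below
#     goes to menu_sx.php with the CONTENTS_Dir parameter. Confirm which
#     script the title and summary should name.
#

if (description)
{
  script_id(600181);
  script_bugtraq_id(14641, 14643);
  script_cve_id("CAN-2005-2686", "CAN-2005-2687");
  script_copyright(english:"Copyright (C) 2005 OS2A");
  script_version ("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_name(english:"SaveWebPortal menu_dx.php Multiple Vulnerabilities");
  script_summary(english:"Check for File Include/Directory Traversal Vulnerability");

  desc["english"] = "
 Overview : SaveWebPortal 3.4 and prior is prone to multiple remote file include/
 directory traversal vulnerabilities. These issues are due to a failure in
 the application to properly sanitize user-supplied input.

 Impact: An attacker may leverage these issues to execute arbitrary
 server-side script code on an affected computer with the privileges of
 the Web server process. This may facilitate unauthorized access.

 Affected Platforms : Any system running the affected software.

 Solution : No vendor supplied patches are available for this issue.

 References :
 http://rgod.altervista.org/save_yourself_from_savewebportal34.html
 http://secunia.com/advisories/16522

 Risk factor : High";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!port)
{
  port = 80;
}

# Do not send probes to a port the scanner already knows to be closed.
if (!get_port_state(port))
{
  exit(0);
}

# File name used as the probe target. It is expected not to exist, so a
# vulnerable include shows up as an error message instead of file content.
probe_file = "non_existant_file.php";

# PHP warning text emitted when an include target cannot be opened.
error_text = "failed to open stream: No such file or directory in";

# Web root, the default install directory, and any CGI directories that
# earlier plugins recorded for this host.
dirs = make_list("", "/SaveWebPortal", cgi_dirs());

foreach dir (dirs)
{
  url = string(dir, "/menu_sx.php?CONTENTS_Dir=../../../../../", probe_file);
  sendRequest = http_get(item:url, port:port);
  receiveResponse = http_keepalive_send_recv(port:port, data:sendRequest, bodyonly:1);

  # No usable response: the plugin stops here and the remaining directories
  # are not tried.
  if (receiveResponse == NULL)
  {
    exit(0);
  }

  # Require both the PHP warning and the probe file name in the body. The
  # warning text alone can appear on any page with an unrelated broken
  # include, which would be reported as a false positive.
  if ((error_text >< receiveResponse) && (probe_file >< receiveResponse))
  {
    security_hole(port:port);
    exit(0);
  }
}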