[Nikto-discuss] Newbie needs help

David Klein davidkl at ivision.com.au
Thu Sep 17 22:20:47 UTC 2009


Tony,

 

Thanks for emailing!

 

The first thing I want to draw your attention to is the OSVDB entries. 

 

OSVDB stands for Open Source Vulnerability Database; it offers many
lists of current and past vulns.

 

The number that you see in Nikto's report (2799) is the unique OSVDB
vulnerability number. Go to the OSVDB website http://osvdb.org/ and type
"2799" in on the left hand side where it says OSVDB ID Lookup.

 

You will then arrive at the page http://osvdb.org/show/osvdb/2799. I also
recommend clicking the SecurityFocus link within that report, as they
often have PoCs of the vuln.

For example http://www.securityfocus.com/archive/1/344032

Bug is found in this script:

DailyDose v 1.1 (by www.onlinearts.net)

The script (dose.pl) does not check the input:

$data=$ENV{'QUERY_STRING'};

($command,$list,$temp, $id) = split ("&",$data,4);

. . .

local ($template) = "$tempdir/$temp";

open(TEMPL, "$template") || print "no file found $template!";

#open without check var. $temp

Example (listing):

http://www.someserver.com/cgi-bin/dose.pl?daily&somefile.txt&|ls|

^ webserver ----------------------------^vuln scrpt^req-----^anyfile--------^ unix command 'ls' for list directory.

If you have any further questions feel free to ask! :-)

P.S. Yes, you are vulnerable; you should probably change the Perl script
so that it validates (sanitizes) input.

Regards,

David Klein



________________________________

From: nikto-discuss-bounces at attrition.org
[mailto:nikto-discuss-bounces at attrition.org] On Behalf Of Tony Wasson
Sent: Friday, September 18, 2009 12:47 AM
To: nikto-discuss at attrition.org
Subject: [Nikto-discuss] Newbie needs help

 

I'm a newbie to Nikto, have run several scans, and the output has items
like the ones below:

URI

/forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22

HTTP Method

GET

Description

Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting
(XSS). CA-2000-02.

Test Links

http://"mywebsite"/forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22
http:"mywebsiteIP"/forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22

OSVDB Entries

OSVDB-0 

URI

/scripts/dose.pl?daily&somefile.txt&|ls|

HTTP Method

GET

Description

DailyDose 1.1 is vulnerable to a directory traversal attack in the
'list' parameter.

Test Links

http://"mywebsite"/scripts/dose.pl?daily&somefile.txt&|ls|
http://"mywebsiteIP"/scripts/dose.pl?daily&somefile.txt&|ls| 

OSVDB Entries

OSVDB-2799 

 

How does one interpret this? Do I have an actual vulnerability?

 

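The reply above advises changing the Perl script so that it validates its input. One way to do that for the template open quoted from the advisory is sketched below as an added example; it is not code from the post, the advisory, or the DailyDose project. The `open_template` helper, the `daily.tmpl` file and the temporary directory standing in for `$tempdir` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hardened form of the template open quoted from the advisory.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: stand-in for the script's $tempdir, whose real value is not on the page.
my $tempdir = tempdir(CLEANUP => 1);

# Constructed sample template so the script runs offline.
open(my $out, '>', "$tempdir/daily.tmpl") or die "setup failed: $!";
print {$out} "Today's dose\n";
close($out);

# Split the query string the way dose.pl does, then validate the template field.
sub open_template {
    my ($query) = @_;
    my ($command, $list, $temp, $id) = split /&/, $query, 4;
    return (undef, 'missing template field') unless defined $temp;

    # Allow-list: a bare file name only. '|', '/', ';', whitespace and NUL all
    # fail, and \z (unlike $) also rejects a trailing newline.
    return (undef, 'rejected template name')
        unless $temp =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    # Three-argument open: the mode is fixed to read, so nothing in the path
    # can be interpreted as a pipe or a different open mode.
    open(my $fh, '<', "$tempdir/$temp")
        or return (undef, 'template not found');   # user input is not echoed back
    return ($fh, 'ok');
}

# Constructed query strings: one legitimate, the rest modelled on the Nikto test.
for my $query ('daily&somefile.txt&daily.tmpl',
               'daily&somefile.txt&|ls|',
               'daily&somefile.txt&../../etc/passwd',
               'daily&somefile.txt') {
    my ($fh, $status) = open_template($query);
    printf "%-40s => %s\n", $query, $status;
    close($fh) if $fh;
}
```

Only the first query opens a file; the Nikto test string is rejected by the allow-list before `open` is reached, and the three-argument `open` keeps the mode fixed even if the pattern were later loosened.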