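local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Tests for the CVE-2014-2302 vulnerability in webEdition CMS, which allows an
attacker to gain remote command execution.

In particular, when using webEdition OnlineInstaller 2.8.0.0, the installation
script is not deleted automatically at the end of the installation, even though
it contains code to delete itself. While an attacker who finds this script
could just destructively reinstall webEdition, it is also possible to use it to
gain command execution unnoticed on an existing webEdition installation.

This script only checks whether the leftover installer page is still reachable.
It does not run the installer and does not execute anything on the target.

References:
https://www.redteam-pentesting.de/advisories/rt-sa-2014-004
]]

---
-- @usage
-- nmap -sV --script http-vuln-cve2014-2302 <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2014-2302:
-- |   VULNERABLE:
-- |   Remote Command Execution in webEdition CMS Installer Script
-- |     State: VULNERABLE
-- |     Description:
-- |       When using webEdition OnlineInstaller 2.8.0.0, the installation
-- |       script is not deleted automatically at the end of the installation,
-- |       even though it contains code to delete itself. While an attacker
-- |       who finds this script could just destructively reinstall webEdition,
-- |       it is also possible to use it to gain command execution unnoticed
-- |       on an existing webEdition installation.
-- |
-- |     Affected versions: v2.8.0.0
-- |     Disclosure date: 29-05-2014
-- |     References:
-- |_      https://www.redteam-pentesting.de/advisories/rt-sa-2014-004
--
---

author = "Claudiu Perta "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- NOTE(review): the check below is a single unauthenticated GET of a static
-- page. "exploit" and "intrusive" are kept so existing --script selections keep
-- working, but they overstate what the script actually does.
categories = {"exploit", "vuln", "intrusive"}

portrule = shortport.http

-- Path of the OnlineInstaller entry point that should have deleted itself
-- once the installation finished.
local INSTALLER_URI = "/OnlineInstaller/setup.php"

-- Text that identifies the installer page. It is searched for as a plain
-- string (no Lua pattern magic), so the match cannot be altered by
-- metacharacters.
local INSTALLER_MARKER = "webEdition Online Installer"

---
-- Checks whether the webEdition OnlineInstaller setup script is still served
-- by the target.
--
-- One GET request is sent to INSTALLER_URI. The host is reported as VULNERABLE
-- when the page answers HTTP 200 and contains INSTALLER_MARKER. Nothing is
-- installed or executed, so the state is VULN (a confirmed exposure), not
-- EXPLOIT (which would claim a successful exploitation). When no HTTP
-- response is received the state is UNKNOWN rather than NOT_VULN, so a timeout
-- is not reported as a clean host.
--
-- @param host Host table as provided by Nmap.
-- @param port Port table as provided by Nmap.
-- @return Output of vulns.Report:make_output for the vulnerability table.
action = function(host, port)
  local vuln = {
    title = 'Remote Command Execution in webEdition CMS Installer Script',
    IDS = { CVE = 'CVE-2014-2302' },
    state = vulns.STATE.NOT_VULN, -- default, replaced by the checks below
    description = [[
When using webEdition OnlineInstaller 2.8.0.0, the installation script is not
deleted automatically at the end of the installation even though it contains
code to delete itself. While an attacker who finds this script could just
destructively reinstall webEdition, it is also possible to use it to gain
command execution unnoticed on an existing webEdition installation.
Affected versions: v2.8.0.0.
Vulnerability discovered by RedTeam Pentesting GmbH.
]],
    references = {
      'https://www.redteam-pentesting.de/advisories/rt-sa-2014-004',
    },
    dates = {
      disclosure = {year = '2014', month = '05', day = '29'},
    },
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local response = http.get(host, port, INSTALLER_URI)

  if not response or not response.status then
    -- No usable HTTP answer: we cannot conclude anything, so do not claim the
    -- host is not vulnerable.
    stdnse.print_debug(1, "%s: no HTTP response for %s", SCRIPT_NAME, INSTALLER_URI)
    vuln.state = vulns.STATE.UNKNOWN
  elseif response.status == 200 and response.body
      and string.find(response.body, INSTALLER_MARKER, 1, true) then
    -- The leftover installer page is still reachable. Requiring a 200 avoids
    -- matching error pages that merely echo the requested path or text.
    vuln.state = vulns.STATE.VULN
  else
    stdnse.print_debug(1, "%s: %s returned status %s without the installer marker",
      SCRIPT_NAME, INSTALLER_URI, tostring(response.status))
  end

  return report:make_output(vuln)
end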