Exemple #1
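    def _PUT(self, domain_path):
        '''
        Check whether the server accepts file uploads through HTTP PUT.

        A short random body is sent with PUT to a random file name below
        domain_path, and the same URL is then requested with GET. If the GET
        body equals what was sent, the upload worked and a HIGH severity
        vulnerability is stored. Otherwise the PUT status code is inspected
        and the 500 and 403 cases are stored as informational findings.

        :param domain_path: URL object of the directory to test; it must
                            provide url_join().
        :return: None. Findings are stored through self.kb_append under the
                 'dav' key.
        '''
        # upload: random name and random content, so that a match on the
        # follow-up GET can only come from this request
        url = domain_path.url_join(rand_alpha(5))
        rnd_content = rand_alnum(6)
        put_response = self._uri_opener.PUT(url, data=rnd_content)

        # check if uploaded
        res = self._uri_opener.GET(url, cache=True)
        if res.get_body() == rnd_content:
            # NOTE(review): no request that removes the test file is visible
            # in this method, so after a successful PUT the random file stays
            # on the scanned server; the report text below tells the user
            # where it is.
            msg = 'File upload with HTTP PUT method was found at resource:' \
                  ' "%s". A test file was uploaded to: "%s".'
            msg = msg % (domain_path, res.get_url())

            v = Vuln('Insecure DAV configuration', msg, severity.HIGH,
                     [put_response.id, res.id], self.get_name())

            v.set_url(url)
            v.set_method('PUT')

            self.kb_append(self, 'dav', v)

        # Report some common errors
        elif put_response.get_code() == 500:
            msg = 'DAV seems to be incorrectly configured. The web server' \
                  ' answered with a 500 error code. In most cases, this means'\
                  ' that the DAV extension failed in some way. This error was'\
                  ' found at: "%s".' % put_response.get_url()

            # The 500 was the answer to the PUT request, so the finding has
            # to reference put_response as evidence (as the 403 branch does),
            # not only the follow-up GET.
            i = Info('DAV incorrect configuration', msg,
                     [put_response.id, res.id], self.get_name())

            i.set_url(url)
            i.set_method('PUT')

            self.kb_append(self, 'dav', i)

        # PUT is understood, but the server refused to write the file
        elif put_response.get_code() == 403:
            msg = 'DAV seems to be correctly configured and allowing you to'\
                  ' use the PUT method but the directory does not have the'\
                  ' correct permissions that would allow the web server to'\
                  ' write to it. This error was found at: "%s".'
            msg = msg % put_response.get_url()

            i = Info('DAV incorrect configuration', msg,
                     [put_response.id, res.id], self.get_name())

            i.set_url(url)
            i.set_method('PUT')

            self.kb_append(self, 'dav', i)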
Exemple #2
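    def _PUT(self, domain_path):
        '''
        Tests PUT method.

        Uploads a random string to a randomly named resource under
        domain_path and reads the resource back. A body that matches the
        uploaded string is stored as a HIGH severity 'Insecure DAV
        configuration' vulnerability; a 500 or 403 answer to the PUT is
        stored as a 'DAV incorrect configuration' information object.

        :param domain_path: URL object for the directory under test (its
                            url_join() method is used to build the target).
        :return: None, results go to the knowledge base via self.kb_append.
        '''
        # upload
        url = domain_path.url_join(rand_alpha(5))
        rnd_content = rand_alnum(6)
        put_response = self._uri_opener.PUT(url, data=rnd_content)

        # check if uploaded: the content is random, so reading it back
        # unchanged shows that the PUT was stored by the server
        res = self._uri_opener.GET(url, cache=True)
        evidence_ids = [put_response.id, res.id]

        if res.get_body() == rnd_content:
            # NOTE(review): the uploaded test file is not deleted here; no
            # cleanup request appears in this method.
            msg = 'File upload with HTTP PUT method was found at resource:' \
                  ' "%s". A test file was uploaded to: "%s".'
            msg = msg % (domain_path, res.get_url())

            v = Vuln('Insecure DAV configuration', msg, severity.HIGH,
                     evidence_ids, self.get_name())

            v.set_url(url)
            v.set_method('PUT')

            self.kb_append(self, 'dav', v)

        # Report some common errors
        elif put_response.get_code() == 500:
            msg = 'DAV seems to be incorrectly configured. The web server' \
                  ' answered with a 500 error code. In most cases, this means'\
                  ' that the DAV extension failed in some way. This error was'\
                  ' found at: "%s".' % put_response.get_url()

            # Reference the PUT response too: it is the one that carried the
            # 500 status, and passing only the GET id would leave the
            # reported evidence without the failing request.
            i = Info('DAV incorrect configuration', msg, evidence_ids,
                     self.get_name())

            i.set_url(url)
            i.set_method('PUT')

            self.kb_append(self, 'dav', i)

        # Report some common errors
        elif put_response.get_code() == 403:
            msg = 'DAV seems to be correctly configured and allowing you to'\
                  ' use the PUT method but the directory does not have the'\
                  ' correct permissions that would allow the web server to'\
                  ' write to it. This error was found at: "%s".'
            msg = msg % put_response.get_url()

            i = Info('DAV incorrect configuration', msg, evidence_ids,
                     self.get_name())

            i.set_url(url)
            i.set_method('PUT')

            self.kb_append(self, 'dav', i)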
Exemple #3
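    def _analyze_crossdomain_clientaccesspolicy(self, url, response,
                                                file_name):
        '''
        Report the origins that a crossdomain.xml or clientaccesspolicy.xml
        response grants flash/silverlight access to.

        A body that is not valid XML but still contains policy keywords is
        stored as an 'Invalid RIA settings file' information object. For a
        valid document, every policy entry is stored: a '*' entry as a LOW
        severity vulnerability, any other entry as information.

        :param url: Not read by this method; the URL reported in findings is
                    taken from response.get_url().
        :param response: HTTP response that holds the policy file.
        :param file_name: 'crossdomain.xml' or 'clientaccesspolicy.xml'; any
                          other value is ignored.
        :return: None. Findings go to kb.kb and to the om.out output.
        '''
        body = response.get_body()

        try:
            # NOTE(security): body is controlled by the scanned server and
            # xml.dom.minidom is not hardened against maliciously constructed
            # XML (for example entity expansion), so a hostile target can
            # make this call expensive. Consider a hardened parser or a size
            # limit on the body before parsing.
            dom = xml.dom.minidom.parseString(body)
        except Exception:
            # Report this, it may be interesting for the final user
            # not a vulnerability per-se... but... it's information after all
            policy_markers = ('allow-access-from', 'cross-domain-policy',
                              'cross-domain-access')
            if any(marker in body for marker in policy_markers):

                desc = 'The "%s" file at: "%s" is not a valid XML.'
                desc = desc % (file_name, response.get_url())

                i = Info('Invalid RIA settings file', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())
        else:
            if file_name == 'crossdomain.xml':
                tag_name, attribute = 'allow-access-from', 'domain'
            elif file_name == 'clientaccesspolicy.xml':
                tag_name, attribute = 'domain', 'uri'
            else:
                # Unknown policy file: without this guard the loop below
                # would fail on names that were never assigned.
                return

            for node in dom.getElementsByTagName(tag_name):
                allowed_origin = node.getAttribute(attribute)

                # Only the exact value '*' is treated as "any site".
                # NOTE(review): entries that contain a partial wildcard are
                # reported as information - confirm that this is intended.
                if allowed_origin == '*':
                    desc = 'The "%s" file at "%s" allows flash/silverlight'\
                           ' access from any site.'
                    desc = desc % (file_name, response.get_url())

                    v = Vuln('Insecure RIA settings', desc, severity.LOW,
                             response.id, self.get_name())
                    v.set_url(response.get_url())
                    v.set_method('GET')

                    kb.kb.append(self, 'vuln', v)
                    om.out.vulnerability(v.get_desc(),
                                         severity=v.get_severity())
                else:
                    # Name the origin that is allowed: the "any site" text
                    # is only true for the wildcard entry.
                    desc = 'The "%s" file at "%s" allows flash/silverlight'\
                           ' access from "%s".'
                    desc = desc % (file_name, response.get_url(),
                                   allowed_origin)

                    i = Info('Cross-domain allow ACL', desc, response.id,
                             self.get_name())
                    i.set_url(response.get_url())
                    i.set_method('GET')

                    kb.kb.append(self, 'info', i)
                    om.out.information(i.get_desc())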
Exemple #4
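    def _analyze_crossdomain_clientaccesspolicy(self, url, response, file_name):
        '''
        Parse a RIA cross-domain policy file and store what it allows.

        Handles 'crossdomain.xml' (allow-access-from elements, "domain"
        attribute) and 'clientaccesspolicy.xml' (domain elements, "uri"
        attribute). A wildcard entry ('*') is stored as a LOW severity
        vulnerability, every other entry as an information object. When the
        body cannot be parsed but contains policy keywords, an 'Invalid RIA
        settings file' information object is stored instead.

        :param url: Unused here; findings carry response.get_url().
        :param response: HTTP response with the policy file as body.
        :param file_name: Name of the policy file that was requested.
        :return: None, findings are appended to kb.kb and written to om.out.
        '''
        try:
            # NOTE(security): the document comes from the remote server and
            # is parsed with xml.dom.minidom, which offers no protection
            # against hostile XML such as entity expansion payloads; a
            # hardened parser or a body size cap would limit the cost of a
            # malicious response.
            dom = xml.dom.minidom.parseString(response.get_body())
        except Exception:
            # Report this, it may be interesting for the final user
            # not a vulnerability per-se... but... it's information after all
            if 'allow-access-from' in response.get_body() or \
            'cross-domain-policy' in response.get_body() or \
            'cross-domain-access' in response.get_body():

                desc = 'The "%s" file at: "%s" is not a valid XML.'
                desc = desc % (file_name, response.get_url())

                i = Info('Invalid RIA settings file', desc, response.id,
                         self.get_name())
                i.set_url(response.get_url())

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())
            return

        # Element and attribute that hold the allowed origin, per file type
        policy_layout = {
            'crossdomain.xml': ('allow-access-from', 'domain'),
            'clientaccesspolicy.xml': ('domain', 'uri'),
        }
        if file_name not in policy_layout:
            # Any other file name previously reached the loop with unassigned
            # variables; there is nothing to analyze for it.
            return
        tag_name, attribute = policy_layout[file_name]

        for entry in dom.getElementsByTagName(tag_name):
            # A separate name keeps the "url" parameter from being
            # overwritten by the loop.
            origin = entry.getAttribute(attribute)

            if origin == '*':
                desc = 'The "%s" file at "%s" allows flash/silverlight'\
                       ' access from any site.'
                desc = desc % (file_name, response.get_url())

                v = Vuln('Insecure RIA settings', desc, severity.LOW,
                         response.id, self.get_name())
                v.set_url(response.get_url())
                v.set_method('GET')

                kb.kb.append(self, 'vuln', v)
                om.out.vulnerability(v.get_desc(),
                                     severity=v.get_severity())
            else:
                # The "any site" wording is wrong for a specific origin, so
                # the informational finding states which origin is allowed.
                desc = 'The "%s" file at "%s" allows flash/silverlight'\
                       ' access from "%s".'
                desc = desc % (file_name, response.get_url(), origin)

                i = Info('Cross-domain allow ACL', desc,
                         response.id, self.get_name())
                i.set_url(response.get_url())
                i.set_method('GET')

                kb.kb.append(self, 'info', i)
                om.out.information(i.get_desc())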