Richard Marian Thomaiyar14fddef2018-07-13 23:55:56 +05301From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
2From: sullo <sullo@cirt.net>
3Date: Thu, 31 May 2018 23:30:03 -0400
4Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
5 Server string & CSV output is opened in Excel or other spreadsheet app.
6 Potentially malicious cell start characters are now prefaced with a ' mark.
7 Thanks to Adam (@bytesoverbombs) for letting me know!
8
9Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
10
11CVE: CVE-2018-11652
12Upstream-Status: Backport
13Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
14---
15 plugins/nikto_outdated.plugin | 2 +-
16 plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
17 2 files changed, 31 insertions(+), 13 deletions(-)
18
19diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
20index 72379cc..eb1d889 100644
21--- a/plugins/nikto_outdated.plugin
22+++ b/plugins/nikto_outdated.plugin
23@@ -83,7 +83,7 @@ sub nikto_outdated {
24 $sepr = substr($sepr, (length($sepr) - 1), 1);
25
26 # break up ID string on $sepr
27- my @T = split(/$sepr/, $mark->{'banner'});
28+ my @T = split(/\\$sepr/, $mark->{'banner'});
29
30 # assume last is version...
31 for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
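Review bot: The added `split(/\\$sepr/, $mark->{'banner'})` does not escape the separator; as I read Perl's regex-literal interpolation, `\\` is passed to the engine as a literal backslash, so the pattern becomes backslash-followed-by-$sepr, a banner such as `Apache/2.4` would no longer be split at all, and a metacharacter separator like `(` still reaches the engine unescaped, which is the panic the commit message describes. Quoting the interpolated value fixes both: `my @T = split(/\Q$sepr\E/, $mark->{'banner'});`. Note that `$sepr` is reduced to its last character a few lines above, so an empty `$sepr` still yields an empty pattern and per-character splitting, as before this change. nikto_outdated's body starts and ends outside this hunk.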
32diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
33index d13acab..b942e78 100644
34--- a/plugins/nikto_report_csv.plugin
35+++ b/plugins/nikto_report_csv.plugin
36@@ -52,10 +52,12 @@ sub csv_open {
37 sub csv_host_start {
38 my ($handle, $mark) = @_;
39 $mark->{'banner'} =~ s/"/\\"/g;
40- print OUT "\"$mark->{'hostname'}\","
41- . "\"$mark->{'ip'}\","
42- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
43- . "\"$mark->{'banner'}\"\n";
44+ print $handle "\"" . csv_safecell($hostname) . "\","
45+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
46+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
47+ #. "\"" . $mark->{'banner'} . "\"\n";
48+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
49+
50 return;
51 }
52
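Review bot: `csv_safecell($hostname)` on the first added print line refers to a `$hostname` that is neither declared nor assigned anywhere in this hunk, whereas the removed line used `$mark->{'hostname'}`; if the plugin runs under `use strict` this fails to compile, and otherwise the hostname column is silently emitted empty. The same substitution appears again in the csv_item hunk below. The line should read `print $handle "\"" . csv_safecell($mark->{'hostname'}) . "\","`. The hunk also leaves a commented-out `#. "\"" . $mark->{'banner'} . "\"\n";` in the middle of the concatenation; it should be dropped rather than kept as dead code inside an expression.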
53@@ -65,26 +67,42 @@ sub csv_item {
54 my ($handle, $mark, $item) = @_;
55 foreach my $uri (split(' ', $item->{'uri'})) {
56 my $line = '';
57- $line .= "\"$item->{'mark'}->{'hostname'}\",";
58- $line .= "\"$item->{'mark'}->{'ip'}\",";
59- $line .= "\"$item->{'mark'}->{'port'}\",";
60+ $line .= "\"" . csv_safecell($hostname) . "\",";
61+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
62+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
63
64 $line .= "\"";
65 if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
66 $line .= "\",";
67
68 $line .= "\"";
69- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
70+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
71 $line .= "\",";
72
73 $line .= "\"";
74- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
75+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
76+ else { $line .= csv_safecell($ur
77 $line .= "\",";
78
79- $item->{'message'} =~ s/"/\\"/g;
80- $line .= "\"$item->{'message'}\"";
81- print $handle "$line\n";
82+ my $msg = $item->{'message'};
83+ $uri=quotemeta($uri);
84+ my $root = quotemeta($mark->{'root'});
85+ $msg =~ s/^$uri:\s//;
86+ $msg =~ s/^$root$uri:\s//;
87+ $msg =~ s/"/\\"/g;
88+ $line .= "\"" . csv_safecell($msg) ."\"";
89+ print $handle "$line\n";
90+
91 }
92 }
93
94+###############################################################################
95+# prevent CSV injection attacks
96+sub csv_safecell {
97+ my $celldata = $_[0] || return;
98+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
99+ return $celldata;
100+}
101+
102+
103 1;
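Review bot: `my $celldata = $_[0] || return;` in the new csv_safecell treats a defined-but-false cell value (`0` or the empty string) as absent, and the bare `return` yields undef in the scalar concatenation context every caller in this hunk uses, so such a cell triggers an uninitialized-value warning and is written out empty; `my $celldata = defined $_[0] ? $_[0] : '';` keeps the value while still handling a missing argument. The leading-character class `/^[=+@-]/` could be widened to `/^[=+@\t\r-]/`, since tab and carriage return are also commonly listed as formula-start characters by spreadsheet importers. The ip line (`. \",";`, missing its opening quote) and the uri/else lines (ending in the truncated `csv_safecell($ur`) do not parse as shown and look like transcription damage on this page rather than the upstream change; this should be confirmed against the upstream commit before the backport is applied. csv_item's signature sits in the hunk header, outside these lines.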
104--
1052.6.4
106