From 77ebd9d4fd0ce463bfca4a770e0d51b86873fb6a Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 6 May 2013 22:33:18 +0200 Subject: [PATCH 01/10] Fixed Version compare for issue #179 --- data/plugin_vulns.xml | 1 + data/vuln.xsd | 1 + lib/common/models/vulnerability.rb | 15 +++++++++++---- lib/common/models/wp_item/vulnerable.rb | 13 ++++++++++++- lib/common/version_compare.rb | 7 +++++++ 5 files changed, 32 insertions(+), 5 deletions(-) create mode 100644 lib/common/version_compare.rb diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 3f6a260b..de0eb80a 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -3144,6 +3144,7 @@ http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html exploits/unix/webapp/php_wordpress_total_cache RCE + 0.9.2.9 diff --git a/data/vuln.xsd b/data/vuln.xsd index a2c286bf..a11e3910 100644 --- a/data/vuln.xsd +++ b/data/vuln.xsd @@ -51,6 +51,7 @@ + diff --git a/lib/common/models/vulnerability.rb b/lib/common/models/vulnerability.rb index e4b89ae2..83b15733 100755 --- a/lib/common/models/vulnerability.rb +++ b/lib/common/models/vulnerability.rb 
@@ -5,20 +5,22 @@ require 'vulnerability/output' class Vulnerability include Vulnerability::Output - attr_accessor :title, :references, :type, :metasploit_modules + attr_accessor :title, :references, :type, :fixed_in, :metasploit_modules # # @param [ String ] title The title of the vulnerability # @param [ String ] type The type of the vulnerability # @param [ Array ] references References urls # @param [ Array ] metasploit_modules Metasploit modules for the vulnerability + # @param [ String ] fixed_in Vuln fixed in Version X # # @return [ Vulnerability ] - def initialize(title, type, references, metasploit_modules = []) + def initialize(title, type, references, metasploit_modules = [], fixed_in) @title = title @type = type @references = references @metasploit_modules = metasploit_modules + @fixed_in = fixed_in end # @param [ Vulnerability ] other @@ -26,7 +28,11 @@ class Vulnerability # @return [ Boolean ] # :nocov: def ==(other) - title == other.title && type == other.type && references == other.references + title == other.title && + type == other.type && + references == other.references && + fixed_in == other.fixed_in && + metasploit_modules == other.metasploit_modules end # :nocov: @@ -40,7 +46,8 @@ class Vulnerability xml_node.search('title').text, xml_node.search('type').text, xml_node.search('reference').map(&:text), - xml_node.search('metasploit').map(&:text) + xml_node.search('metasploit').map(&:text), + xml_node.search('fixed_in').text ) end diff --git a/lib/common/models/wp_item/vulnerable.rb b/lib/common/models/wp_item/vulnerable.rb index d814c9ba..c1405768 100755 --- a/lib/common/models/wp_item/vulnerable.rb +++ b/lib/common/models/wp_item/vulnerable.rb 
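Review bot: `fixed_in` is populated from `xml_node.search('fixed_in').text`, which presumably yields `''` when the element is absent, yet the YARD line `Vuln fixed in Version X` never says what an empty value means to callers. The filter added in vulnerable.rb treats an empty `fixed_in` as "report regardless of detected version", so that contract belongs on the constructor: `# @param [ String ] fixed_in First version containing the fix; '' when no fix version is recorded (the vulnerability is then reported whatever version is detected)`. A matching one-liner on `load_from_xml_node` noting that a missing `fixed_in` element maps to `''` would spare the next maintainer the Nokogiri lookup.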
@@ -12,7 +12,18 @@ class WpItem vulnerabilities = Vulnerabilities.new xml.xpath(vulns_xpath).each do |node| - vulnerabilities << Vulnerability.load_from_xml_node(node) + vuln = Vulnerability.load_from_xml_node(node) + if vuln + if version && vuln.fixed_in && !vuln.fixed_in.empty? + if VersionCompare::is_newer_or_same?(vuln.fixed_in, version) + # "Hooray, fixed" + else + vulnerabilities << vuln + end + else + vulnerabilities << vuln + end + end end vulnerabilities end diff --git a/lib/common/version_compare.rb b/lib/common/version_compare.rb new file mode 100644 index 00000000..aa4e9e28 --- /dev/null +++ b/lib/common/version_compare.rb @@ -0,0 +1,7 @@ +# encoding: UTF-8 + +class VersionCompare + def self.is_newer_or_same?(version1, version2) + (version1 == version2) || (Gem::Version.new(version1) < Gem::Version.new(version2)) + end +end \ No newline at end of file From 9c0ce2a1cdc2a029e940a5a89a411e16011d4a29 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 6 May 2013 22:47:20 +0200 Subject: [PATCH 02/10] fix rspecs #179 --- lib/common/models/vulnerability.rb | 2 +- spec/shared_examples/wp_item_vulnerable.rb | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/common/models/vulnerability.rb b/lib/common/models/vulnerability.rb index 83b15733..1fb412a7 100755 --- a/lib/common/models/vulnerability.rb +++ b/lib/common/models/vulnerability.rb @@ -15,7 +15,7 @@ class Vulnerability # @param [ String ] fixed_in Vuln fixed in Version X # # @return [ Vulnerability ] - def initialize(title, type, references, metasploit_modules = [], fixed_in) + def initialize(title, type, references, metasploit_modules = [], fixed_in = '') @title = title @type = type @references = references diff --git a/spec/shared_examples/wp_item_vulnerable.rb b/spec/shared_examples/wp_item_vulnerable.rb index 0dbf17f8..0fb31b98 100644 --- a/spec/shared_examples/wp_item_vulnerable.rb +++ b/spec/shared_examples/wp_item_vulnerable.rb 
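Review bot: The filter silently drops a vulnerability whenever `fixed_in` is not newer than `version`, and `version` is whatever the target's readme.txt reports as its Stable tag (see the versionable.rb hunk later in this series), i.e. a self-reported string the scanned site controls and plugin authors frequently leave stale. A stale or inflated tag therefore turns a finding into a silent false negative, which for a scanner is the worse direction. Keep the suppressed entries reachable — for example collect them separately or log them at verbose level — and record the assumption at the `unless` line: `# suppressed on the readme's Stable tag; that value is untrusted and may understate the installed version`. The enclosing `vulnerabilities` method starts before this hunk.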
@@ -12,6 +12,10 @@ shared_examples 'WpItem::Vulnerable' do describe '#vulnerabilities' do let(:empty_file) { MODELS_FIXTURES + '/wp_item/vulnerable/empty.xml' } + before do + stub_request(:get, /.*/) + end + after do subject.vulns_file = @vulns_file subject.vulns_xpath = vulns_xpath if defined?(vulns_xpath) From 4ce6396e3f63b77093cab83e0fe2e6fd2a001c3c Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 6 May 2013 23:30:47 +0200 Subject: [PATCH 03/10] removed debug output #179 --- lib/common/models/wp_item/vulnerable.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/common/models/wp_item/vulnerable.rb b/lib/common/models/wp_item/vulnerable.rb index c1405768..b13c1dfc 100755 --- a/lib/common/models/wp_item/vulnerable.rb +++ b/lib/common/models/wp_item/vulnerable.rb @@ -15,9 +15,7 @@ class WpItem vuln = Vulnerability.load_from_xml_node(node) if vuln if version && vuln.fixed_in && !vuln.fixed_in.empty? - if VersionCompare::is_newer_or_same?(vuln.fixed_in, version) - # "Hooray, fixed" - else + unless VersionCompare::is_newer_or_same?(vuln.fixed_in, version) vulnerabilities << vuln end else From 3e9c51f18e85d2b015955e61709a32c363541a45 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 6 May 2013 23:36:18 +0200 Subject: [PATCH 04/10] some more work for #179 --- lib/common/models/wp_item/vulnerable.rb | 1 + lib/common/version_compare.rb | 10 +++++++++- spec/shared_examples/wp_item_vulnerable.rb | 4 +--- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/common/models/wp_item/vulnerable.rb b/lib/common/models/wp_item/vulnerable.rb index b13c1dfc..ec100de3 100755 --- a/lib/common/models/wp_item/vulnerable.rb +++ b/lib/common/models/wp_item/vulnerable.rb @@ -5,6 +5,7 @@ class WpItem attr_accessor :vulns_file, :vulns_xpath # Get the vulnerabilities associated to the WpItem + # Filters out already fixed vulnerabilities # # @return [ Vulnerabilities ] def vulnerabilities 
diff --git a/lib/common/version_compare.rb b/lib/common/version_compare.rb index aa4e9e28..0e1de16d 100644 --- a/lib/common/version_compare.rb +++ b/lib/common/version_compare.rb @@ -1,7 +1,15 @@ # encoding: UTF-8 class VersionCompare + + # Compares two version strings. Returns true if version1 is equal to version2 + # or when version1 is older than version2 + # + # @param [ String ] version1 + # @param [ String ] version2 + # + # @return [ Boolean ] def self.is_newer_or_same?(version1, version2) (version1 == version2) || (Gem::Version.new(version1) < Gem::Version.new(version2)) end -end \ No newline at end of file +end diff --git a/spec/shared_examples/wp_item_vulnerable.rb b/spec/shared_examples/wp_item_vulnerable.rb index 0fb31b98..dc591314 100644 --- a/spec/shared_examples/wp_item_vulnerable.rb +++ b/spec/shared_examples/wp_item_vulnerable.rb @@ -12,9 +12,7 @@ shared_examples 'WpItem::Vulnerable' do describe '#vulnerabilities' do let(:empty_file) { MODELS_FIXTURES + '/wp_item/vulnerable/empty.xml' } - before do - stub_request(:get, /.*/) - end + before { stub_request(:get, /.*/) } after do subject.vulns_file = @vulns_file From b635168fb3b25b149d33ce65d9011c864aadb3e0 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 6 May 2013 23:39:05 +0200 Subject: [PATCH 05/10] xsd refining #179 --- data/plugin_vulns.xml | 1 + data/vuln.xsd | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index de0eb80a..362fc5c4 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml @@ -3136,6 +3136,7 @@ https://github.com/FireFart/W3TotalCacheExploit auxiliary/gather/wp_w3_total_cache_hash_extract UNKNOWN + 0.9.2.5 W3-Total-Cache < 0.9.2.9 Remote Code Execution diff --git a/data/vuln.xsd b/data/vuln.xsd index a11e3910..b368e72a 100644 --- a/data/vuln.xsd +++ b/data/vuln.xsd @@ -51,7 +51,7 @@ - + From cdd74b535b1618d4ff0b04081c881b323e64a073 Mon Sep 17 00:00:00 2001 
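Review bot: The new YARD text says the method returns true when version1 is *older* than version2, which is the opposite of what the name `is_newer_or_same?` suggests, so a reader at the call site `is_newer_or_same?(vuln.fixed_in, version)` has to open the body to learn that true means "the fix is present". State the roles of the two arguments in the doc, e.g. `# @param [ String ] version1 Version that contains the fix` / `# @param [ String ] version2 Version detected on the target` / `# @return [ Boolean ] true when version2 is the same as or newer than version1, i.e. the fix is present`, or rename the method so the name carries that meaning. The `is_` prefix is also non-idiomatic for a Ruby predicate.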
From: Christian Mehlmauer Date: Tue, 7 May 2013 20:46:08 +0200 Subject: [PATCH 06/10] rspecs #179 --- lib/common/models/wp_item/vulnerable.rb | 26 +++++++++++++------ spec/lib/common/models/vulnerability_spec.rb | 16 ++++++++++-- .../common/models/vulnerability/xml_node.xml | 1 + 3 files changed, 33 insertions(+), 10 deletions(-) diff --git a/lib/common/models/wp_item/vulnerable.rb b/lib/common/models/wp_item/vulnerable.rb index ec100de3..ffe2b1c6 100755 --- a/lib/common/models/wp_item/vulnerable.rb +++ b/lib/common/models/wp_item/vulnerable.rb @@ -14,18 +14,28 @@ class WpItem xml.xpath(vulns_xpath).each do |node| vuln = Vulnerability.load_from_xml_node(node) - if vuln - if version && vuln.fixed_in && !vuln.fixed_in.empty? - unless VersionCompare::is_newer_or_same?(vuln.fixed_in, version) - vulnerabilities << vuln - end - else - vulnerabilities << vuln - end + if vulnerable_to?(vuln) + vulnerabilities << vuln end end vulnerabilities end + + # Checks if a item is vulnerable to a specific vulnerability + # + # @param [ Vulnerability ] vuln Vulnerability to check the item against + # + # @return [ Boolean ] + def vulnerable_to?(vuln) + if version && vuln && vuln.fixed_in && !vuln.fixed_in.empty? + unless VersionCompare::is_newer_or_same?(vuln.fixed_in, version) + return true + end + else + return true + end + return false + end end end diff --git a/spec/lib/common/models/vulnerability_spec.rb b/spec/lib/common/models/vulnerability_spec.rb index 14095341..ca0cf959 100644 --- a/spec/lib/common/models/vulnerability_spec.rb +++ b/spec/lib/common/models/vulnerability_spec.rb 
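Review bot: `vulnerable_to?(nil)` returns true, and the `if vuln` guard the old code had is gone from the caller, so a nil from `load_from_xml_node` would now be appended to `vulnerabilities`; as shown in this series `load_from_xml_node` always returns a new object, so this is latent rather than live, but the helper should reject nil explicitly. The nested `if`/`unless`/`else` collapses into guard clauses that make the policy ("no detected version or no fixed_in ⇒ report it") readable at a glance. `version` is also evaluated twice; when the lookup found nothing it is nil and, given the `unless @version` memoization in versionable.rb, every call repeats the request, so read it once into a local.
```ruby
def vulnerable_to?(vuln)
  return false unless vuln
  detected = version
  # No detected version or no fixed_in: the vuln cannot be ruled out, so report it
  return true unless detected && vuln.fixed_in && !vuln.fixed_in.empty?
  !VersionCompare::is_newer_or_same?(vuln.fixed_in, detected)
end
```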
@@ -5,24 +5,35 @@ require 'spec_helper' describe Vulnerability do describe '#new' do - subject(:vulnerability) { Vulnerability.new(title, type, references, modules) } + subject(:vulnerability) { Vulnerability.new(title, type, references, modules, fixed_version) } let(:title) { 'A vulnerability title' } let(:type) { 'XSS' } let(:references) { %w{http://ref1.com http://ref2.com} } - context 'w/o metasploit modules argument' do + context 'w/o metasploit and fixed version modules argument' do subject(:vulnerability) { Vulnerability.new(title, type, references) } its(:title) { should be title } its(:references) { should be references } its(:type) { should be type } its(:metasploit_modules) { should be_empty } + its(:fixed_in) { should be_empty } end context 'with metasploit modules argument' do + subject(:vulnerability) { Vulnerability.new(title, type, references, modules) } let(:modules) { %w{exploit/some_exploit exploit/unix/anotherone } } its(:metasploit_modules) { should be modules } + its(:fixed_in) { should be_empty } + end + + context 'with metasploit modules and fixed version argument' do + let(:modules) { %w{exploit/some_exploit exploit/unix/anotherone } } + let(:fixed_version) { '1.0' } + + its(:metasploit_modules) { should be modules } + its(:fixed_in) { should == '1.0' } end end @@ -36,6 +47,7 @@ describe Vulnerability do its(:type) { should == 'CSRF' } its(:references) { should == ['Ref 1', 'Ref 2'] } its(:metasploit_modules) { should == %w{exploit/ex1} } + its(:fixed_in) { should == '1.0'} end end diff --git a/spec/samples/common/models/vulnerability/xml_node.xml b/spec/samples/common/models/vulnerability/xml_node.xml index 43e2433c..f02ec5d2 100644 --- a/spec/samples/common/models/vulnerability/xml_node.xml +++ b/spec/samples/common/models/vulnerability/xml_node.xml @@ -4,4 +4,5 @@ Ref 2 CSRF exploit/ex1 + 1.0 From 7a7450f98e339a3a08d14d17b3a627cfda88c506 Mon Sep 17 00:00:00 2001 
From: Christian Mehlmauer Date: Fri, 10 May 2013 19:24:17 +0200 Subject: [PATCH 07/10] rspecs and bugfixing(Can't dup nilclass on missing readme.txt) #179 --- lib/common/models/wp_item/versionable.rb | 7 +++- spec/shared_examples/wp_item_vulnerable.rb | 49 +++++++++++++++++++++- 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/lib/common/models/wp_item/versionable.rb b/lib/common/models/wp_item/versionable.rb index 6370e550..9c31520d 100755 --- a/lib/common/models/wp_item/versionable.rb +++ b/lib/common/models/wp_item/versionable.rb @@ -10,8 +10,11 @@ class WpItem # @return [ String ] The version number def version unless @version - response = Browser.get(readme_url) - @version = response.body[%r{stable tag: #{WpVersion.version_pattern}}i, 1] + # This check is needed because readme_url can return nil + if has_readme? + response = Browser.get(readme_url) + @version = response.body[%r{stable tag: #{WpVersion.version_pattern}}i, 1] + end end @version end diff --git a/spec/shared_examples/wp_item_vulnerable.rb b/spec/shared_examples/wp_item_vulnerable.rb index dc591314..cd6640ef 100644 --- a/spec/shared_examples/wp_item_vulnerable.rb +++ b/spec/shared_examples/wp_item_vulnerable.rb @@ -12,7 +12,10 @@ shared_examples 'WpItem::Vulnerable' do describe '#vulnerabilities' do let(:empty_file) { MODELS_FIXTURES + '/wp_item/vulnerable/empty.xml' } - before { stub_request(:get, /.*/) } + before do + stub_request(:get, /.*\/readme\.txt/i) + stub_request(:get, /.*\/style\.css/i) + end after do subject.vulns_file = @vulns_file 
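Review bot: `unless @version` memoizes only a successful lookup, so when the readme yields no Stable tag `@version` stays nil and every later call — one per `vulnerable_to?` check in vulnerable.rb — repeats `Browser.get(readme_url)`; a plugin with no detectable version costs one request per known vulnerability, which is both slow and needlessly noisy against the target. Record that the lookup was attempted, independently of its result, and keep the existing behaviour of honouring a `@version` that is already set. `has_readme?` and `readme_url` are defined outside this hunk, so this assumes they are cheap and side-effect free.
```ruby
def version
  # Remember that a lookup ran even when it found nothing, so a missing
  # readme / Stable tag does not trigger a fresh request on every call.
  unless @version || @version_lookup_done
    @version_lookup_done = true
    if has_readme?
      response = Browser.get(readme_url)
      @version = response.body[%r{stable tag: #{WpVersion.version_pattern}}i, 1]
    end
  end
  @version
end
```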
@@ -36,4 +39,48 @@ shared_examples 'WpItem::Vulnerable' do end end + describe '#vulnerable_to?' do + let(:version_orig) { '1.5.6' } + let(:version_newer) { '1.6' } + let(:version_older) { '1.0' } + let(:newer) { Vulnerability.new('Newer', 'XSS', ['ref'], nil, version_newer) } + let(:older) { Vulnerability.new('Older', 'XSS', ['ref'], nil, version_older) } + let(:same) { Vulnerability.new('Same', 'XSS', ['ref'], nil, version_orig) } + + before do + stub_request(:get, /.*\/readme\.txt/i).to_return(status: 200, body: "Stable Tag: #{version_orig}") + stub_request(:get, /.*\/style\.css/i).to_return(status: 200, body: "Version: #{version_orig}") + end + + context 'check basic version comparing' do + it 'should return true' do + subject.version.should == version_orig + subject.vulnerable_to?(newer).should be_true + end + + it 'should return false' do + subject.version.should == version_orig + subject.vulnerable_to?(older).should be_false + end + + it 'should return false' do + subject.version.should == version_orig + subject.vulnerable_to?(same).should be_false + end + end + + context 'no version found in wp_item' do + before do + stub_request(:get, /.*\/readme\.txt/i).to_return(status: 404) + stub_request(:get, /.*\/style\.css/i).to_return(status: 404) + end + + it 'should return true because no version can be detected' do + subject.vulnerable_to?(newer).should be_true + subject.vulnerable_to?(older).should be_true + subject.vulnerable_to?(same).should be_true + end + end + end + end From 5a4dd31ba7b15aeae714091d8e25eaf555f38984 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Fri, 10 May 2013 19:45:31 +0200 Subject: [PATCH 08/10] more rspecs #179 --- lib/common/version_compare.rb | 15 ++- spec/lib/common/version_compare_spec.rb | 109 +++++++++++++++++++++ spec/shared_examples/wp_item_vulnerable.rb | 12 ++- 3 files changed, 131 insertions(+), 5 deletions(-) create mode 100644 spec/lib/common/version_compare_spec.rb 
diff --git a/lib/common/version_compare.rb b/lib/common/version_compare.rb
index 0e1de16d..fc4e322f 100644
--- a/lib/common/version_compare.rb
+++ b/lib/common/version_compare.rb
@@ -9,7 +9,18 @@
   # @param [ String ] version2
   #
   # @return [ Boolean ]
-  def self.is_newer_or_same?(version1, version2)
-    (version1 == version2) || (Gem::Version.new(version1) < Gem::Version.new(version2))
+  def self.is_newer_or_same?(version1, version2)
+    return true if (version1 == version2)
+    # Both versions must be set
+    return false unless (version1 and version2)
+    return false if (version1.empty? or version2.empty?)
+    begin
+      return true if (Gem::Version.new(version1) < Gem::Version.new(version2))
+    rescue ArgumentError => e
+      # Example: ArgumentError: Malformed version number string a
+      return false if e.message =~ /Malformed version number string/
+      raise
+    end
+    return false
   end
 end
diff --git a/spec/lib/common/version_compare_spec.rb b/spec/lib/common/version_compare_spec.rb
new file mode 100644
index 00000000..7cf7966b
--- /dev/null
+++ b/spec/lib/common/version_compare_spec.rb
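Review bot: `return true if (version1 == version2)` only catches textually identical strings, so `'1.0'` against `'1.0.0'` falls through to `<`, which is false because Gem::Version treats the two as equal, and the method returns false — the item is then reported as vulnerable although it runs the fixed version. Comparing the parsed versions with `<=` closes that gap while keeping the string shortcut for inputs Gem::Version rejects (`'a' == 'a'`). Matching the rescue on `e.message =~ /Malformed version number string/` is brittle across RubyGems releases; the hunk's own comment shows ArgumentError is what a malformed string raises, so rescuing ArgumentError outright and returning false keeps the fail-safe direction (unparseable version ⇒ still reported). `and`/`or` should be `&&`/`||` to avoid the precedence trap.
```ruby
def self.is_newer_or_same?(version1, version2)
  return true if version1 == version2
  # Both versions must be set
  return false if version1.nil? || version2.nil?
  return false if version1.empty? || version2.empty?
  # <= so that versions Gem::Version considers equal ('1.0' vs '1.0.0') count as fixed
  Gem::Version.new(version1) <= Gem::Version.new(version2)
rescue ArgumentError
  # Malformed version string (non-numeric tag): the fix cannot be proven present, so report
  false
end
```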
@@ -0,0 +1,109 @@ +# encoding: UTF-8 + +require 'spec_helper' + +describe 'VersionCompare' do + describe '::is_newer_or_same?' do + context 'version checked is newer' do + after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_true } + + it 'should return true' do + @version1 = '1.0' + @version2 = '2.0' + end + + it 'should return true' do + @version1 = '1.0' + @version2 = '1.1' + end + + it 'should return true' do + @version1 = '1.0a' + @version2 = '1.0b' + end + + it 'should return true' do + @version1 = '1.0' + @version2 = '5000000' + end + + it 'should return true' do + @version1 = '0' + @version2 = '1' + end + end + + context 'version checked is older' do + after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_false } + + it 'should return false' do + @version1 = '1' + @version2 = '0' + end + + it 'should return false' do + @version1 = '1.0' + @version2 = '0.5' + end + + it 'should return false' do + @version1 = '500000' + @version2 = '1' + end + + it 'should return false' do + @version1 = '1.6.3.7.3.4' + @version2 = '1.2.4.567.679.8.e' + end + end + + context 'version checked is the same' do + after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_true } + + it 'should return true' do + @version1 = '1' + @version2 = '1' + end + + it 'should return true' do + @version1 = 'a' + @version2 = 'a' + end + + end + + context 'version number causes Gem::Version new Exception' do + after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_false } + + it 'should return false' do + @version1 = 'a' + @version2 = 'b' + end + end + + context 'one version number is not set' do + after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_false } + + it 'should return false (version2 nil)' do + @version1 = '1' + @version2 = nil + end + + it 'should return false (version1 nil)' do + @version1 = nil + @version2 = '1' + end + + it 'should return false (version2 empty)' do + @version1 = '1' + 
@version2 = '' + end + + it 'should return false (version1 empty)' do + @version1 = '' + @version2 = '1' + end + end + + end +end diff --git a/spec/shared_examples/wp_item_vulnerable.rb b/spec/shared_examples/wp_item_vulnerable.rb index cd6640ef..5c25fd44 100644 --- a/spec/shared_examples/wp_item_vulnerable.rb +++ b/spec/shared_examples/wp_item_vulnerable.rb @@ -46,6 +46,7 @@ shared_examples 'WpItem::Vulnerable' do let(:newer) { Vulnerability.new('Newer', 'XSS', ['ref'], nil, version_newer) } let(:older) { Vulnerability.new('Older', 'XSS', ['ref'], nil, version_older) } let(:same) { Vulnerability.new('Same', 'XSS', ['ref'], nil, version_orig) } + let(:no_fixed_info) { Vulnerability.new('Same', 'XSS', ['ref'], nil, nil) } before do stub_request(:get, /.*\/readme\.txt/i).to_return(status: 200, body: "Stable Tag: #{version_orig}") @@ -53,20 +54,25 @@ shared_examples 'WpItem::Vulnerable' do end context 'check basic version comparing' do - it 'should return true' do + it 'should return true because checked version is newer' do subject.version.should == version_orig subject.vulnerable_to?(newer).should be_true end - it 'should return false' do + it 'should return false because checked version is older' do subject.version.should == version_orig subject.vulnerable_to?(older).should be_false end - it 'should return false' do + it 'should return false because checked version is the fixed version' do subject.version.should == version_orig subject.vulnerable_to?(same).should be_false end + + it 'should return true because no fixed_in version is provided' do + subject.version.should == version_orig + subject.vulnerable_to?(no_fixed_info).should be_true + end end context 'no version found in wp_item' do From 46d5dcf8f87797d095d478f38bdfe43bf02c4995 Mon Sep 17 00:00:00 2001 
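Review bot: The 'version checked is the same' context only exercises textually identical strings, so it misses the one equality case the implementation gets wrong: `@version1 = '1.0'` with `@version2 = '1.0.0'` should be true (Gem::Version treats them as equal) but currently yields false, because the string `==` shortcut fails and the fallback uses `<` rather than `<=`. Adding that example under the "same" context would pin the intended semantics before the implementation is touched. The enclosing `describe` block starts before this chunk.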
From: Christian Mehlmauer Date: Fri, 10 May 2013 20:26:53 +0200 Subject: [PATCH 09/10] feedback implemented #179 --- spec/lib/common/version_compare_spec.rb | 32 +++++++++++----------- spec/shared_examples/wp_item_vulnerable.rb | 10 +++---- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/spec/lib/common/version_compare_spec.rb b/spec/lib/common/version_compare_spec.rb index 7cf7966b..5127d297 100644 --- a/spec/lib/common/version_compare_spec.rb +++ b/spec/lib/common/version_compare_spec.rb @@ -7,27 +7,27 @@ describe 'VersionCompare' do context 'version checked is newer' do after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_true } - it 'should return true' do + it 'returns true' do @version1 = '1.0' @version2 = '2.0' end - it 'should return true' do + it 'returns true' do @version1 = '1.0' @version2 = '1.1' end - it 'should return true' do + it 'returns true' do @version1 = '1.0a' @version2 = '1.0b' end - it 'should return true' do + it 'returns true' do @version1 = '1.0' @version2 = '5000000' end - it 'should return true' do + it 'returns true' do @version1 = '0' @version2 = '1' end @@ -36,22 +36,22 @@ describe 'VersionCompare' do context 'version checked is older' do after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_false } - it 'should return false' do + it 'returns false' do @version1 = '1' @version2 = '0' end - it 'should return false' do + it 'returns false' do @version1 = '1.0' @version2 = '0.5' end - it 'should return false' do + it 'returns false' do @version1 = '500000' @version2 = '1' end - it 'should return false' do + it 'returns false' do @version1 = '1.6.3.7.3.4' @version2 = '1.2.4.567.679.8.e' end 
@@ -60,12 +60,12 @@ describe 'VersionCompare' do context 'version checked is the same' do after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_true } - it 'should return true' do + it 'returns true' do @version1 = '1' @version2 = '1' end - it 'should return true' do + it 'returns true' do @version1 = 'a' @version2 = 'a' end @@ -75,7 +75,7 @@ describe 'VersionCompare' do context 'version number causes Gem::Version new Exception' do after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_false } - it 'should return false' do + it 'returns false' do @version1 = 'a' @version2 = 'b' end @@ -84,22 +84,22 @@ describe 'VersionCompare' do context 'one version number is not set' do after { VersionCompare::is_newer_or_same?(@version1, @version2).should be_false } - it 'should return false (version2 nil)' do + it 'returns false (version2 nil)' do @version1 = '1' @version2 = nil end - it 'should return false (version1 nil)' do + it 'returns false (version1 nil)' do @version1 = nil @version2 = '1' end - it 'should return false (version2 empty)' do + it 'returns false (version2 empty)' do @version1 = '1' @version2 = '' end - it 'should return false (version1 empty)' do + it 'returns false (version1 empty)' do @version1 = '' @version2 = '1' end diff --git a/spec/shared_examples/wp_item_vulnerable.rb b/spec/shared_examples/wp_item_vulnerable.rb index 5c25fd44..b42d196e 100644 --- a/spec/shared_examples/wp_item_vulnerable.rb +++ b/spec/shared_examples/wp_item_vulnerable.rb 
@@ -54,22 +54,22 @@ shared_examples 'WpItem::Vulnerable' do end context 'check basic version comparing' do - it 'should return true because checked version is newer' do + it 'returns true because checked version is newer' do subject.version.should == version_orig subject.vulnerable_to?(newer).should be_true end - it 'should return false because checked version is older' do + it 'returns false because checked version is older' do subject.version.should == version_orig subject.vulnerable_to?(older).should be_false end - it 'should return false because checked version is the fixed version' do + it 'returns false because checked version is the fixed version' do subject.version.should == version_orig subject.vulnerable_to?(same).should be_false end - it 'should return true because no fixed_in version is provided' do + it 'returns true because no fixed_in version is provided' do subject.version.should == version_orig subject.vulnerable_to?(no_fixed_info).should be_true end @@ -81,7 +81,7 @@ shared_examples 'WpItem::Vulnerable' do stub_request(:get, /.*\/style\.css/i).to_return(status: 404) end - it 'should return true because no version can be detected' do + it 'returns true because no version can be detected' do subject.vulnerable_to?(newer).should be_true subject.vulnerable_to?(older).should be_true subject.vulnerable_to?(same).should be_true From fe5bef0f3ba69aa773c2a5541e76d75661cfcb54 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Fri, 10 May 2013 21:25:38 +0200 Subject: [PATCH 10/10] added some fixed_in tags #179 --- data/plugin_vulns.xml | 199 ++++++++++++++++++++++++++++-------------- 1 file changed, 132 insertions(+), 67 deletions(-) diff --git a/data/plugin_vulns.xml b/data/plugin_vulns.xml index 362fc5c4..9b9fe9f3 100644 --- a/data/plugin_vulns.xml +++ b/data/plugin_vulns.xml 
@@ -21,26 +21,29 @@ LFI - UnGallery Arbitrary < 2.1.6 Command Execution + UnGallery Arbitrary Command Execution http://secunia.com/advisories/50875/ http://ceriksen.com/2012/10/23/wordpress-ungallery-remote-command-injection-vulnerability/ RCE + 2.1.6 - Thank You Counter Button < 1.8.3 XSS + Thank You Counter Button XSS http://secunia.com/advisories/50977/ XSS + 1.8.3 - Bookings < 1.8.3 XSS + Bookings XSS http://secunia.com/advisories/50975/ XSS + 1.8.3 @@ -55,17 +58,19 @@ - WordPress FireStorm Professional Real Estate Plugin < 2.06.04 "id" SQL Injection Vulnerability + WordPress FireStorm Professional Real Estate Plugin "id" SQL Injection Vulnerability http://secunia.com/advisories/51107/ SQLI + 2.06.04 - FireStorm Professional Real Estate Plugin < 2.06.03 Multiple SQL Injection + FireStorm Professional Real Estate Plugin Multiple SQL Injection http://secunia.com/advisories/50873/ http://ceriksen.com/2012/10/25/wordpress-firestorm-professional-real-estate-plugin-sql-injection-vulnerability/ SQLI + 2.06.03 @@ -123,13 +128,14 @@ - Google Document Embedder < 2.5.4 Arbitrary File Disclosure + Google Document Embedder Arbitrary File Disclosure http://www.exploit-db.com/exploits/23970/ http://ceriksen.com/2013/01/03/wordpress-google-document-embedder-arbitrary-file-disclosure/ http://secunia.com/advisories/50832/ exploit/unix/webapp/wp_google_document_embedder_exec UNKNOWN + 2.5.4 @@ -211,10 +217,11 @@ - Shopping Cart <, 8.1.15 Shell Upload / SQL Injection + Shopping Cart Shell Upload / SQL Injection http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt http://secunia.com/advisories/51690/ MULTI + 8.1.15 @@ -454,9 +461,10 @@ XSS - WordPress Carousel Slideshow Plugin < 3.10 Unspecified Vulnerabilities + WordPress Carousel Slideshow Plugin Unspecified Vulnerabilities http://secunia.com/advisories/50377/ UNKNOWN + 3.10 
@@ -517,9 +525,10 @@ XSS - WordPress Image News slider Plugin < 3.4 Unspecified Vulnerabilities + WordPress Image News slider Plugin Unspecified Vulnerabilities http://secunia.com/advisories/50390/ UNKNOWN + 3.4 @@ -601,11 +610,12 @@ - Ajax Post Search < 1.3 Sql Injection + Ajax Post Search Sql Injection http://seclists.org/bugtraq/2012/Nov/33 http://secunia.com/advisories/51205/ http://www.girlinthemiddle.net/2012/10/sqli-vulnerability-in-ajax-post-search.html SQLI + 1.3 @@ -769,10 +779,11 @@ - Backup Plugin < 2.1 Information Disclosure + Backup Plugin Information Disclosure http://www.exploit-db.com/exploits/19524/ http://secunia.com/advisories/50038/ UNKNOWN + 2.1 @@ -980,9 +991,10 @@ AUTHBYPASS - WordPress Mac Photo Gallery Plugin < 3.0 Multiple Script Insertion Vulnerabilities + WordPress Mac Photo Gallery Plugin Multiple Script Insertion Vulnerabilities http://secunia.com/advisories/49836/ XSS + 3.0 Mac Photo Gallery 2.7 Arbitrary File Upload @@ -1139,9 +1151,10 @@ MULTI - store-locator-le < 3.8.7 SQL Injection + store-locator-le SQL Injection http://secunia.com/advisories/51757/ SQLI + 3.8.7 @@ -1433,9 +1446,10 @@ - Login With Ajax plugin < 3.0.4.1 Cross Site Scripting + Login With Ajax plugin Cross Site Scripting http://secunia.com/advisories/49013/ XSS + 3.0.4.1 @@ -1462,9 +1476,10 @@ - WordPress Zingiri Web Shop Plugin < 2.4.8 Cookie SQL Injection Vulnerability + WordPress Zingiri Web Shop Plugin Cookie SQL Injection Vulnerability http://secunia.com/advisories/49398/ SQLI + 2.4.8 Zingiri Web Shop <= 2.4.0 Multiple XSS Vulnerabilities @@ -1711,9 +1726,10 @@ - Click Desk Live Support Chat < 2.0 Cross Site Scripting Vulnerability + Click Desk Live Support Chat Cross Site Scripting Vulnerability http://seclists.org/bugtraq/2011/Nov/148 XSS + 2.0 @@ -2142,9 +2158,10 @@ MULTI - WP-Cumulus < 1.23 Cross Site Scripting Vulnerabily + WP-Cumulus Cross Site Scripting Vulnerabily http://seclists.org/fulldisclosure/2011/Nov/340 XSS + 1.23 
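Review bot: Entries on these lines that still carry the affected range in the title, such as `Mac Photo Gallery 2.7 Arbitrary File Upload` and `Zingiri Web Shop <= 2.4.0 Multiple XSS Vulnerabilities`, received no fixed_in element, so with the new filter they are reported against every version while their rewritten neighbours are suppressed once the detected version reaches fixed_in. Because fixed_in now silently hides findings, each value must be the first fixed release per the referenced advisory, not the last known-vulnerable one; a "<= 2.4.0" title names a last-vulnerable version, so that entry should either get the real fix version or stay unfiltered on purpose. A data-file comment stating the rule would prevent future drift: `<!-- fixed_in: first release that contains the fix; omit when unknown so the entry is always reported -->`.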
@@ -2573,9 +2590,10 @@ - WordPress yolink Search Plugin < 2.6 "s" Cross-Site Scripting Vulnerability + WordPress yolink Search Plugin "s" Cross-Site Scripting Vulnerability http://secunia.com/advisories/52030/ XSS + 2.6 yolink Search plugin <= 1.1.4 SQL Injection Vulnerability @@ -2753,9 +2771,10 @@ SQLI - WordPress WP-Filebase Plugin < 0.2.9.25 Unspecified Vulnerabilities + WordPress WP-Filebase Plugin Unspecified Vulnerabilities http://secunia.com/advisories/51269/ UNKNOWN + 0.2.9.25 @@ -2840,9 +2859,10 @@ RFI - Mailing List < 1.4.1 Arbitrary file download + Mailing List Arbitrary file download http://www.exploit-db.com/exploits/18276/ UNKNOWN + 1.4.1 @@ -3047,9 +3067,10 @@ - WordPress GD Star Rating Plugin < 1.9.19 Export Security Bypass Security Issue + WordPress GD Star Rating Plugin Export Security Bypass Security Issue http://secunia.com/advisories/49850/ AUTHBYPASS + 1.9.19 GD Star Rating plugin <= 1.9.16 Cross Site Scripting @@ -3083,19 +3104,22 @@ XSS - WP Photo Album Plus < 4.9.1 Full Path Disclosure + WP Photo Album Plus Full Path Disclosure http://1337day.com/exploit/20125 FPD + 4.9.1 - WP Photo Album Plus < 4.9.3 XSS + WP Photo Album Plus XSS http://secunia.com/advisories/51829/ XSS + 4.9.3 - WP Photo Album Plus < 4.9.3 XSS + WP Photo Album Plus XSS http://secunia.com/advisories/51669/ XSS + 4.9.3 @@ -3114,24 +3138,26 @@ - portable-phpMyAdmin < 1.3.1 Authentication Bypass + portable-phpMyAdmin Authentication Bypass http://www.exploit-db.com/exploits/23356 http://secunia.com/advisories/51520/ AUTHBYPASS + 1.3.1 - super-refer-a-friend < 1.0 Full Path Disclosure + super-refer-a-friend Full Path Disclosure http://1337day.com/exploit/20126 FPD + 1.0 - W3-Total-Cache 0.9.2.4 (or before) Username and Hash Extract + W3-Total-Cache Username and Hash Extract http://seclists.org/fulldisclosure/2012/Dec/242 https://github.com/FireFart/W3TotalCacheExploit auxiliary/gather/wp_w3_total_cache_hash_extract 
@@ -3139,7 +3165,7 @@ 0.9.2.5 - W3-Total-Cache < 0.9.2.9 Remote Code Execution + W3-Total-Cache Remote Code Execution http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/ http://wordpress.org/support/topic/pwn3d http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html @@ -3151,11 +3177,12 @@ - WP-Super-Cache < 1.3.1 Remote Code Execution + WP-Super-Cache Remote Code Execution http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/ http://wordpress.org/support/topic/pwn3d http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html RCE + 1.3.1 @@ -3198,30 +3225,34 @@ - Simple Login Log Plugin < 0.9.4 XSS + Simple Login Log Plugin XSS http://secunia.com/advisories/51780/ XSS + 0.9.4 - Simple Login Log Plugin < 0.9.4 SQL Injection + Simple Login Log Plugin SQL Injection http://secunia.com/advisories/51780/ SQLI + 0.9.4 - wp-slimstat < 2.8.5 XSS + wp-slimstat XSS http://secunia.com/advisories/51721/ XSS + 2.8.5 - browser-rejector < 2.11 Remote and Local File Inclusion + browser-rejector Remote and Local File Inclusion http://secunia.com/advisories/51739/ LFI + 2.11 @@ -3235,9 +3266,10 @@ - WordPress Poll Plugin < 34.06 Cross-Site Request Forgery Vulnerability + WordPress Poll Plugin Cross-Site Request Forgery Vulnerability http://secunia.com/advisories/51925/ CSRF + 34.06 Multiple SQL injection vulnerabilities in Cardoza Wordpress poll plugin @@ -3247,9 +3279,10 @@ SQLI - WordPress Poll Plugin < 33.6 Multiple SQL Injection Vulnerabilities + WordPress Poll Plugin Multiple SQL Injection Vulnerabilities http://secunia.com/advisories/50910/ SQLI + 33.6 
@@ -3265,26 +3298,29 @@ - WordPress DVS Custom Notification Plugin < 1.0.1 Cross-Site Request Forgery Vulnerability + WordPress DVS Custom Notification Plugin Cross-Site Request Forgery Vulnerability http://secunia.com/advisories/51531/ CSRF + 1.0.1 - WordPress Events Manager Plugin < 5.3.4 Multiple Cross-Site Scripting Vulnerabilities + WordPress Events Manager Plugin Multiple Cross-Site Scripting Vulnerabilities http://secunia.com/advisories/51869/ XSS + 5.3.4 - WordPress SolveMedia < 1.1.1 CSRF Vulnerability + WordPress SolveMedia CSRF Vulnerability http://1337day.com/exploit/20222 http://secunia.com/advisories/51927/ CSRF + 1.1.1 @@ -3330,9 +3366,10 @@ - WordPress vTiger CRM Lead Capture Plugin < 1.1.0 Unspecified Vulnerability + WordPress vTiger CRM Lead Capture Plugin Unspecified Vulnerability http://secunia.com/advisories/51305/ UNKNOWN + 1.1.0 @@ -3354,18 +3391,20 @@ - SQL Injection Vulnerability in Wysija Newsletters WordPress Plugin < 2.2.1 + SQL Injection Vulnerability in Wysija Newsletters WordPress Plugin https://www.htbridge.com/advisory/HTB23140 http://packetstormsecurity.com/files/120089/wpwysijanl-sql.txt http://seclists.org/bugtraq/2013/Feb/29 http://cxsecurity.com/issue/WLB-2013020039 SQLI + 2.2.1 - WordPress Wysija Newsletters Plugin < 2.1.7 swfupload Cross-Site Scripting Vulnerability + WordPress Wysija Newsletters Plugin swfupload Cross-Site Scripting Vulnerability http://secunia.com/advisories/51249/ http://brindi.si/g/blog/vulnerable-swf-bundled-in-wordpress-plugins.html XSS + 2.1.7 
@@ -3395,65 +3434,73 @@ - WordPress Zingiri Form Builder Plugin < 1.2.1 "error" Cross-Site Scripting Vulnerability + WordPress Zingiri Form Builder Plugin "error" Cross-Site Scripting Vulnerability http://secunia.com/advisories/50983/ XSS + 1.2.1 - WordPress White Label CMS Plugin < 1.5.1 Cross-Site Request Forgery Vulnerability + WordPress White Label CMS Plugin Cross-Site Request Forgery Vulnerability http://secunia.com/advisories/50487/ CSRF + 1.5.1 - Wordpress Download Shortcode Plugin < 0.2.1 "file" Arbitrary File Disclosure Vulnerability + Wordpress Download Shortcode Plugin "file" Arbitrary File Disclosure Vulnerability http://secunia.com/advisories/50924/ LFI + 0.2.1 - WordPress Crayon Syntax Highlighter Plugin < 1.13"wp_load" Remote File Inclusion Vulnerability + WordPress Crayon Syntax Highlighter Plugin "wp_load" Remote File Inclusion Vulnerability http://secunia.com/advisories/50804/ RFI + 1.13 - WordPress eShop Magic Plugin < 0.2 "file" Arbitrary File Disclosure Vulnerability + WordPress eShop Magic Plugin "file" Arbitrary File Disclosure Vulnerability http://secunia.com/advisories/50933/ LFI + 0.2 - WordPress Pinterest "Pin It" Button Lite Plugin < 1.4.0 Multiple Unspecified Vulnerabilities + WordPress Pinterest "Pin It" Button Lite Plugin Multiple Unspecified Vulnerabilities http://secunia.com/advisories/50868/ MULTI + 1.4.0 - WordPress CSS Plus Plugin < 1.3.2 Unspecified Vulnerabilities + WordPress CSS Plus Plugin Unspecified Vulnerabilities http://secunia.com/advisories/50793/ UNKNOWN + 1.3.2 - WordPress Multisite Plugin Manager Plugin < 3.1.2 Two Cross-Site Scripting Vulnerabilities + WordPress Multisite Plugin Manager Plugin Two Cross-Site Scripting Vulnerabilities http://secunia.com/advisories/50762/ XSS + 3.1.2 @@ -3504,9 +3551,10 @@ XSS - WordPress WP-TopBar Plugin < 4.0.3 Cross-Site Request Forgery Vulnerability + WordPress WP-TopBar Plugin Cross-Site Request Forgery Vulnerability http://secunia.com/advisories/50693/ CSRF + 4.0.3 
@@ -3520,25 +3568,28 @@ - WordPress Cloudsafe365 Plugin < 1.47 Multiple Vulnerabilities + WordPress Cloudsafe365 Plugin Multiple Vulnerabilities http://secunia.com/advisories/50392/ MULTI + 1.47 - WordPress Vitamin Plugin < 1.1 Two Arbitrary File Disclosure Vulnerabilities + WordPress Vitamin Plugin Two Arbitrary File Disclosure Vulnerabilities http://secunia.com/advisories/50176/ LFI + 1.1 - WordPress Featured Post with thumbnail Plugin < 1.5 Unspecified timthumb Vulnerability + WordPress Featured Post with thumbnail Plugin Unspecified timthumb Vulnerability http://secunia.com/advisories/50161/ UNKNOWN + 1.5 @@ -3552,10 +3603,11 @@ - WordPress XVE Various Embed Plugin JW Player < 1.0.4 Multiple Cross-Site Scripting Vulnerabilities + <title>WordPress XVE Various Embed Plugin JW Player Multiple Cross-Site Scripting Vulnerabilities http://secunia.com/advisories/50173/ XSS + 1.0.4 
@@ -3569,41 +3621,46 @@ - WordPress Backend Localization Plugin < 2.0 Cross-Site Scripting Vulnerabilities + WordPress Backend Localization Plugin Cross-Site Scripting Vulnerabilities http://secunia.com/advisories/50099/ XSS + 2.0 - WordPress Flexi Quote Rotator Plugin < 0.9.2 Cross-Site Request Forgery and SQL Injection Vulnerabilities + WordPress Flexi Quote Rotator Plugin Cross-Site Request Forgery and SQL Injection Vulnerabilities http://secunia.com/advisories/49910/ MULTI + 0.9.2 - WordPress Get Off Malicious Scripts < 1.2.07.20 Cross-Site Scripting Vulnerability + WordPress Get Off Malicious Scripts Cross-Site Scripting Vulnerability http://secunia.com/advisories/50030/ XSS + 1.2.07.20 - WordPress Cimy User Extra Fields Plugin < 2.3.9 Arbitrary File Upload Vulnerability + WordPress Cimy User Extra Fields Plugin Arbitrary File Upload Vulnerability http://secunia.com/advisories/49975/ UPLOAD + 2.3.9 - WordPress Nmedia Users File Uploader Plugin < 2.0 Arbitrary File Upload Vulnerability + WordPress Nmedia Users File Uploader Plugin Arbitrary File Upload Vulnerability http://secunia.com/advisories/49996/ UPLOAD + 2.0 @@ -3657,9 +3714,10 @@ - WordPress Simple History Plugin < 1.0.8 RSS Feed "rss_secret" Disclosure Weakness + WordPress Simple History Plugin RSS Feed "rss_secret" Disclosure Weakness http://secunia.com/advisories/51998/ UNKNOWN + 1.0.8 @@ -3678,11 +3736,12 @@ XSS - Wordpress wp-table-reloaded plugin < 1.9.4 cross-site scripting in SWF + Wordpress wp-table-reloaded plugin cross-site scripting in SWF http://packetstormsecurity.com/files/119968/wptablereloaded-xss.txt http://secunia.com/advisories/52027/ http://seclists.org/bugtraq/2013/Feb/28 XSS + 1.9.4 
@@ -3712,13 +3771,14 @@ - Cross-Site Scripting (XSS) Vulnerability in CommentLuv WordPress Plugin < 2.92.4 + Cross-Site Scripting (XSS) Vulnerability in CommentLuv WordPress Plugin https://www.htbridge.com/advisory/HTB23138 http://packetstormsecurity.com/files/120090/wpcommentluv-xss.txt http://seclists.org/bugtraq/2013/Feb/30 http://cxsecurity.com/issue/WLB-2013020040 http://secunia.com/advisories/52092/ XSS + 2.92.4 @@ -3732,18 +3792,20 @@ - WordPress WP ecommerce Shop Styling Plugin < 1.8 "dompdf" Remote File Inclusion Vulnerability + WordPress WP ecommerce Shop Styling Plugin "dompdf" Remote File Inclusion Vulnerability http://secunia.com/advisories/51707/ RFI + 1.8 - Wordpress Audio Player Plugin < 2.0.4.6 XSS in SWF + Wordpress Audio Player Plugin XSS in SWF http://seclists.org/bugtraq/2013/Feb/35 http://secunia.com/advisories/52083/ XSS + 2.0.4.6 @@ -4211,26 +4273,29 @@ - bigcontact < 1.4.7 SQLI + bigcontact SQLI http://plugins.trac.wordpress.org/changeset/689798 SQLI + 1.4.7 - drawblog < 0.81 CSRF + drawblog CSRF http://plugins.trac.wordpress.org/changeset/691178 CSRF + 0.81 - social-media-widget < 4.0.1 malicious code + social-media-widget malicious code http://plugins.trac.wordpress.org/changeset?reponame=&old=691839%40social-media-widget%2Ftrunk&new=693941%40social-media-widget%2Ftrunk http://slashdot.org/submission/2592777/top-wordpress-widget-sold-off-turned-into-seo-spambot UNKNOWN + 4.0.1