aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/nikto/APKBUILD16
-rw-r--r--main/nikto/CVE-2018-11652.patch101
2 files changed, 113 insertions, 4 deletions
diff --git a/main/nikto/APKBUILD b/main/nikto/APKBUILD
index 432fd2c473..711226779f 100644
--- a/main/nikto/APKBUILD
+++ b/main/nikto/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Fabio Aires <fabioaires.web@gmail.com>
pkgname=nikto
pkgver=2.1.6
-pkgrel=1
+pkgrel=2
pkgdesc="A web application security scanner"
url="https://www.cirt.net/Nikto2"
arch="noarch"
@@ -10,9 +10,14 @@ license="GPL-2.0"
options="!check" # No test suite
depends="perl nmap openssl"
source="$pkgname-$pkgver.tar.gz::https://github.com/sullo/nikto/archive/$pkgver.tar.gz
- nikto.conf.base"
+ nikto.conf.base
+ CVE-2018-11652.patch"
builddir="$srcdir/$pkgname-$pkgver/program"
+# secfixes:
+# 2.1.6-r2:
+# - CVE-2018-11652
+
build() {
cd "$builddir"
return 0
@@ -29,5 +34,8 @@ package() {
install -m 755 nikto.pl "$pkgdir"/usr/bin
}
-sha512sums="13632018ef6862de7dc53c674d7266fcfb7e164bcf3070327c103cbf8737720ffb710ccc8949acc920a6e0a85da1bb7575d073ee245bc2ba3a8a292ad1695e69 nikto-2.1.6.tar.gz
-d6e349bd20428e45d6ef49db91630e1c6d65d4cf2107a1f4c58e697d8fceeb428fb90c247fbbf8a8ad6f9d27672790d07040079b94c2480dd77dc445fccd6f69 nikto.conf.base"
+sha512sums="
+13632018ef6862de7dc53c674d7266fcfb7e164bcf3070327c103cbf8737720ffb710ccc8949acc920a6e0a85da1bb7575d073ee245bc2ba3a8a292ad1695e69 nikto-2.1.6.tar.gz
+d6e349bd20428e45d6ef49db91630e1c6d65d4cf2107a1f4c58e697d8fceeb428fb90c247fbbf8a8ad6f9d27672790d07040079b94c2480dd77dc445fccd6f69 nikto.conf.base
+c8be4198d6112f7cdcf21ca9a11baff39c0e7f6f63ff364b6bece8362beb4d1393ba0ed1f88ed9273fcf6bad7f8c81e46d73566cb56f0ee017898ddef799cae0 CVE-2018-11652.patch
+"
diff --git a/main/nikto/CVE-2018-11652.patch b/main/nikto/CVE-2018-11652.patch
new file mode 100644
index 0000000000..b6d561798e
--- /dev/null
+++ b/main/nikto/CVE-2018-11652.patch
@@ -0,0 +1,101 @@
+From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
+From: sullo <sullo@cirt.net>
+Date: Thu, 31 May 2018 23:30:03 -0400
+Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
+ Server string & CSV output is opened in Excel or other spreadsheet app.
+ Potentially malicious cell start characters are now prefaced with a ' mark.
+ Thanks to Adam (@bytesoverbombs) for letting me know!
+
+Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
+---
+ program/plugins/nikto_outdated.plugin | 2 +-
+ program/plugins/nikto_report_csv.plugin | 41 +++++++++++++++----------
+ 2 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/program/plugins/nikto_outdated.plugin b/program/plugins/nikto_outdated.plugin
+index 219505ce..08562c5d 100644
+--- program/plugins/nikto_outdated.plugin
++++ program/plugins/nikto_outdated.plugin
+@@ -88,7 +88,7 @@ sub nikto_outdated {
+ $sepr = substr($sepr, (length($sepr) - 1), 1);
+
+ # break up ID string on $sepr
+- my @T = split(/$sepr/, $mark->{'banner'});
++ my @T = split(/\\$sepr/, $mark->{'banner'});
+
+ # assume last is version...
+ for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
+diff --git a/program/plugins/nikto_report_csv.plugin b/program/plugins/nikto_report_csv.plugin
+index ce65cfef..76bdb3fd 100644
+--- program/plugins/nikto_report_csv.plugin
++++ program/plugins/nikto_report_csv.plugin
+@@ -53,10 +53,11 @@ sub csv_host_start {
+ my ($handle, $mark) = @_;
+ $mark->{'banner'} =~ s/"/\\"/g;
+ my $hostname = $mark->{'vhost'} ? $mark->{'vhost'} : $mark->{'hostname'};
+- print $handle "\"$hostname\","
+- . "\"$mark->{'ip'}\","
+- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
+- . "\"$mark->{'banner'}\"\n";
++ print $handle "\"" . csv_safecell($hostname) . "\","
++ . "\"" . csv_safecell($mark->{'ip'}) . "\","
++ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
++ #. "\"" . $mark->{'banner'} . "\"\n";
++ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
+ return;
+ }
+
+@@ -67,33 +68,41 @@ sub csv_item {
+ foreach my $uri (split(' ', $item->{'uri'})) {
+ my $line = '';
+ my $hostname = $item->{'mark'}->{'vhost'} ? $item->{'mark'}->{'vhost'} : $item->{'mark'}->{'hostname'};
+- $line .= "\"$hostname\",";
+- $line .= "\"$item->{'mark'}->{'ip'}\",";
+- $line .= "\"$item->{'mark'}->{'port'}\",";
++ $line .= "\"" . csv_safecell($hostname) . "\",";
++ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
++ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
+
+ $line .= "\"";
+ if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
+ $line .= "\",";
+
+ $line .= "\"";
+- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
++ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
+ $line .= "\",";
+
+ $line .= "\"";
+ if (($uri ne '') && ($mark->{'root'} ne '') && ($uri !~ /^$mark->{'root'}/))
+- { $line .= $mark->{'root'} . $uri; }
+- else { $line .= $uri; }
++ { $line .= csv_safecell($mark->{'root'}) . $uri; }
++ else { $line .= csv_safecell($uri); }
+ $line .= "\",";
+
+- my $msg = $item->{'message'};
+- $uri=quotemeta($uri);
+- my $root = quotemeta($mark->{'root'});
+- $msg =~ s/^$uri:\s//;
+- $msg =~ s/^$root$uri:\s//;
++ my $msg = $item->{'message'};
++ $uri=quotemeta($uri);
++ my $root = quotemeta($mark->{'root'});
++ $msg =~ s/^$uri:\s//;
++ $msg =~ s/^$root$uri:\s//;
+ $msg =~ s/"/\\"/g;
+- $line .= "\"$msg\"";
++ $line .= "\"" . csv_safecell($msg) ."\"";
+ print $handle "$line\n";
+ }
+ }
+
++###############################################################################
++# prevent CSV injection attacks
++sub csv_safecell {
++ my $celldata = $_[0] || return;
++ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
++ return $celldata;
++}
++
+ 1;