2 files changed, 108 insertions, 1 deletions
diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch
new file mode 100644
index 0000000..5ddb169
--- /dev/null
+++ b/recipes-security/nikto/files/CVE-2018-11652.patch
@@ -0,0 +1,106 @@
+From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
+From: sullo <sullo@cirt.net>
+Date: Thu, 31 May 2018 23:30:03 -0400
+Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
+ Server string & CSV output is opened in Excel or other spreadsheet app.
+ Potentially malicious cell start characters are now prefaced with a ' mark.
+ Thanks to Adam (@bytesoverbombs) for letting me know!
+Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
+CVE: CVE-2018-11652
+Upstream-Status: Backport
+Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
+---
+ plugins/nikto_outdated.plugin   |  2 +-
+ plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
+ 2 files changed, 31 insertions(+), 13 deletions(-)
+diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
+index 72379cc..eb1d889 100644
+--- a/plugins/nikto_outdated.plugin
+++ b/plugins/nikto_outdated.plugin
+@@ -83,7 +83,7 @@ sub nikto_outdated {
+             $sepr = substr($sepr, (length($sepr) - 1), 1);
+ 
+             # break up ID string on $sepr
+-            my @T = split(/$sepr/, $mark->{'banner'});
+            my @T = split(/\\$sepr/, $mark->{'banner'});
+ 
+             # assume last is version...
+             for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
+diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
+index d13acab..b942e78 100644
+--- a/plugins/nikto_report_csv.plugin
+++ b/plugins/nikto_report_csv.plugin
+@@ -52,10 +52,12 @@ sub csv_open {
+ sub csv_host_start {
+     my ($handle, $mark) = @_;
+     $mark->{'banner'} =~ s/"/\\"/g;
+-    print OUT "\"$mark->{'hostname'}\","
+-      . "\"$mark->{'ip'}\","
+-      . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
+-      . "\"$mark->{'banner'}\"\n";
+    print $handle "\"" . csv_safecell($hostname) . "\","
+      . "\"" . csv_safecell($mark->{'ip'}) . "\","
+      . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
+      #. "\"" . $mark->{'banner'} . "\"\n";
+      . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
+
+     return;
+ }
+ 
+@@ -65,26 +67,42 @@ sub csv_item {
+     my ($handle, $mark, $item) = @_;
+     foreach my $uri (split(' ', $item->{'uri'})) {
+         my $line = '';
+-        $line .= "\"$item->{'mark'}->{'hostname'}\",";
+-        $line .= "\"$item->{'mark'}->{'ip'}\",";
+-        $line .= "\"$item->{'mark'}->{'port'}\",";
+        $line .= "\"" . csv_safecell($hostname) . "\",";
+        $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
+        $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
+ 
+         $line .= "\"";
+         if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
+         $line .= "\",";
+ 
+         $line .= "\"";
+-        if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
+        if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
+         $line .= "\",";
+ 
+         $line .= "\"";
+-        if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
+                       { $line .= csv_safecell($mark->{'root'}) . $uri; }
+               else { $line .= csv_safecell($ur
+         $line .= "\",";
+ 
+-        $item->{'message'} =~ s/"/\\"/g;
+-        $line .= "\"$item->{'message'}\"";
+-        print $handle "$line\n";
+       my $msg = $item->{'message'};
+       $uri=quotemeta($uri);
+       my $root = quotemeta($mark->{'root'});
+       $msg =~ s/^$uri:\s//;
+       $msg =~ s/^$root$uri:\s//;
+         $msg =~ s/"/\\"/g;
+        $line .= "\"" . csv_safecell($msg) ."\"";
+         print $handle "$line\n";
+
+     }
+ }
+ 
+###############################################################################
+# prevent CSV injection attacks
+sub csv_safecell {
+    my $celldata = $_[0] || return;
+    if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
+    return $celldata;
+}
+
+
+ 1;
+-- 
+2.6.4
diff --git a/recipes-security/nikto/nikto_2.1.5.bb b/recipes-security/nikto/nikto_2.1.5.bb
index 8080d4a..19eb14f 100644
--- a/recipes-security/nikto/nikto_2.1.5.bb
+++ b/recipes-security/nikto/nikto_2.1.5.bb
@@ -7,7 +7,8 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
-           file://location.patch"
+           file://location.patch \
+           file://CVE-2018-11652.patch"
 SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
 SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"

diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch new file mode 100644 index 0000000..5ddb169 --- /dev/null +++ b/recipes-security/nikto/files/CVE-2018-11652.patch
@@ -0,0 +1,106 @@
		1	From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
		2	From: sullo <sullo@cirt.net>
		3	Date: Thu, 31 May 2018 23:30:03 -0400
		4	Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
		5	Server string & CSV output is opened in Excel or other spreadsheet app.
		6	Potentially malicious cell start characters are now prefaced with a ' mark.
		7	Thanks to Adam (@bytesoverbombs) for letting me know!
		8
		9	Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
		10
		11	CVE: CVE-2018-11652
		12	Upstream-Status: Backport
		13	Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
		14	---
		15	plugins/nikto_outdated.plugin \| 2 +-
		16	plugins/nikto_report_csv.plugin \| 42 +++++++++++++++++++++++++++++------------
		17	2 files changed, 31 insertions(+), 13 deletions(-)
		18
		19	diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
		20	index 72379cc..eb1d889 100644
		21	--- a/plugins/nikto_outdated.plugin
		22	+++ b/plugins/nikto_outdated.plugin
		23	@@ -83,7 +83,7 @@ sub nikto_outdated {
		24	$sepr = substr($sepr, (length($sepr) - 1), 1);
		25
		26	# break up ID string on $sepr
		27	- my @T = split(/$sepr/, $mark->{'banner'});
		28	+ my @T = split(/\\$sepr/, $mark->{'banner'});
		29
		30	# assume last is version...
		31	for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
		32	diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
		33	index d13acab..b942e78 100644
		34	--- a/plugins/nikto_report_csv.plugin
		35	+++ b/plugins/nikto_report_csv.plugin
		36	@@ -52,10 +52,12 @@ sub csv_open {
		37	sub csv_host_start {
		38	my ($handle, $mark) = @_;
		39	$mark->{'banner'} =~ s/"/\\"/g;
		40	- print OUT "\"$mark->{'hostname'}\","
		41	- . "\"$mark->{'ip'}\","
		42	- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
		43	- . "\"$mark->{'banner'}\"\n";
		44	+ print $handle "\"" . csv_safecell($hostname) . "\","
		45	+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
		46	+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
		47	+ #. "\"" . $mark->{'banner'} . "\"\n";
		48	+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
		49	+
		50	return;
		51	}
		52
		53	@@ -65,26 +67,42 @@ sub csv_item {
		54	my ($handle, $mark, $item) = @_;
		55	foreach my $uri (split(' ', $item->{'uri'})) {
		56	my $line = '';
		57	- $line .= "\"$item->{'mark'}->{'hostname'}\",";
		58	- $line .= "\"$item->{'mark'}->{'ip'}\",";
		59	- $line .= "\"$item->{'mark'}->{'port'}\",";
		60	+ $line .= "\"" . csv_safecell($hostname) . "\",";
		61	+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
		62	+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
		63
		64	$line .= "\"";
		65	if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
		66	$line .= "\",";
		67
		68	$line .= "\"";
		69	- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
		70	+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
		71	$line .= "\",";
		72
		73	$line .= "\"";
		74	- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
		75	+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
		76	+ else { $line .= csv_safecell($ur
		77	$line .= "\",";
		78
		79	- $item->{'message'} =~ s/"/\\"/g;
		80	- $line .= "\"$item->{'message'}\"";
		81	- print $handle "$line\n";
		82	+ my $msg = $item->{'message'};
		83	+ $uri=quotemeta($uri);
		84	+ my $root = quotemeta($mark->{'root'});
		85	+ $msg =~ s/^$uri:\s//;
		86	+ $msg =~ s/^$root$uri:\s//;
		87	+ $msg =~ s/"/\\"/g;
		88	+ $line .= "\"" . csv_safecell($msg) ."\"";
		89	+ print $handle "$line\n";
		90	+
		91	}
		92	}
		93
		94	+###############################################################################
		95	+# prevent CSV injection attacks
		96	+sub csv_safecell {
		97	+ my $celldata = $_[0] \|\| return;
		98	+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
		99	+ return $celldata;
		100	+}
		101	+
		102	+
		103	1;
		104	--
		105	2.6.4
		106


diff --git a/recipes-security/nikto/nikto_2.1.5.bb b/recipes-security/nikto/nikto_2.1.5.bb index 8080d4a..19eb14f 100644 --- a/recipes-security/nikto/nikto_2.1.5.bb +++ b/recipes-security/nikto/nikto_2.1.5.bb
@@ -7,7 +7,8 @@ LICENSE = "GPLv2"
7	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"	7	LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
8		8
9	SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \	9	SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
10	file://location.patch"	10	file://location.patch \
		11	file://CVE-2018-11652.patch"
11		12
12	SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"	13	SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
13	SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"	14	SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"