Bug 995634 (CVE-2013-4885)

Summary: CVE-2013-4885 nmap: arbitrary file upload flaw in http-domino-enum-passwords NSE script
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: athmanem, bpowers, bressers, dmoppert, ebenes, huzaifas, jeff.blosser, jkurik, jrusnack, magoldma, mhlavink, psabata
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nmap 6.40
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-26 20:02:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 997739, 997775
Bug Blocks: 995636
Attachments: nmap r31576 patch (flags: none)

Description Vincent Danen 2013-08-09 22:46:35 UTC
A flaw in the http-domino-enum-passwords NSE script for Nmap was discovered [1]. If this script was run with the non-default domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system with the permissions of the user running the nmap client.

This was corrected in upstream version 6.40 [2] (svn r31576). This svn revision also updates a few other NSE scripts for extra safety.


[1] http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
[2] http://nmap.org/changelog.html
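The risk described above is a client-side script writing a file whose name comes from the scanned server. The following Lua snippet is an added illustration of the defensive pattern (confine every write to the user-supplied directory and never let the server choose the path or extension); it is not the Nmap project's code or the r31576 fix, and the function names, the character set and the sample responses are assumptions constructed for this example.

```lua
-- Added illustration, not Nmap's own code: confining a server-named download
-- to the directory given by a script argument such as idpath.

-- Reduce a server-supplied name to a safe basename, or return nil if it
-- cannot be trusted: rejects path separators, "." / "..", empty names and
-- control bytes (including NUL), then restricts to a conservative charset.
local function safe_basename(name)
  if type(name) ~= "string" or name == "" then return nil end
  if name:find("[/\\]") or name:find("%c") then return nil end
  if name == "." or name == ".." then return nil end
  if not name:match("^[%w%._%-]+$") then return nil end
  return name
end

-- Build the destination path for a downloaded ID file. The ".id" extension
-- is forced by the client, so the server controls neither the directory nor
-- the file type. Returns nil plus a reason when the name is rejected.
local function id_file_path(idpath, user)
  local base = safe_basename(user)
  if not base then
    return nil, "unsafe name from server: " .. tostring(user)
  end
  idpath = idpath:gsub("[/\\]+$", "")   -- strip trailing separators
  return idpath .. "/" .. base .. ".id"
end

-- Constructed sample "server responses": one benign, three hostile.
local samples = {
  "jdoe",
  "../../../home/user/.ssh/authorized_keys",
  "..\\..\\evil",
  "admin\0.id",
}
for _, s in ipairs(samples) do
  print(s, id_file_path("/tmp/ids", s))
end
```

Only the first sample yields a path (/tmp/ids/jdoe.id); the others are rejected before any file is opened, which is the behaviour a client-side downloader needs regardless of what the server returns.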

Comment 1 Vincent Danen 2013-08-09 22:48:06 UTC
Created attachment 785030 [details]
nmap r31576 patch

The svn patch that corrects this flaw and hardens a few other NSE scripts.

Comment 2 Vincent Danen 2013-08-09 22:52:28 UTC
This did not affect the version of nmap in Red Hat Enterprise Linux 5 as it did not have support for NSE scripts.

Comment 3 Huzaifa S. Sidhpurwala 2013-08-16 05:54:41 UTC
Created nmap tracking bugs for this issue:

Affects: fedora-all [bug 997739]

Comment 5 Huzaifa S. Sidhpurwala 2013-08-16 08:09:08 UTC
Statement:

This did not affect the version of nmap as shipped with Red Hat Enterprise Linux 5, as it did not have support for NSE scripts. This issue affects the version of nmap as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.

Comment 7 Fedora Update System 2013-08-27 23:27:44 UTC
nmap-6.40-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Josh Bressers 2015-01-26 20:01:24 UTC
I'm willing to say we should wontfix this. If the customer has a reason to see this fixed, please let us know.

Comment 13 Jeff 2015-06-24 17:06:07 UTC
If you are using Qualys to scan your systems running Red Hat 6.x then Qualys reports the systems are at risk with a severity rating of a 3. Can RH discuss a release/update?

Comment 16 Red Hat Bugzilla 2023-09-14 23:57:14 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days