package burp;
import burp.j2ee.Confidence;
import burp.j2ee.CustomScanIssue;
import burp.j2ee.Risk;
import java.util.Arrays;
import java.util.List;
import java.util.OptionalInt;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Knowledge base used to report vulnerabilities based on the software version detected on the remote server
*
*
*/
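public class SoftwareVersions {

    /**
     * Leading run of digits of a version string (e.g. "10" from "10.0.3"). Capped at nine digits so the
     * parsed value always fits in an {@code int} and cannot throw on an absurdly long remote value.
     */
    private static final Pattern MAJOR_VERSION = Pattern.compile("^(\\d{1,9})");

    /**
     * End of Life - Apache Tomcat
     * Apache Tomcat 5.x
     * - http://tomcat.apache.org/tomcat-55-eol.html
     * Apache Tomcat 6.x
     * - http://tomcat.apache.org/tomcat-60-eol.html
     * Apache Tomcat 7.x
     * - http://tomcat.apache.org/tomcat-70-eol.html
     * Apache Tomcat 8.0
     * - http://tomcat.apache.org/tomcat-80-eol.html
     *
     * Tomcat major versions reported as end of life; 8.5 is excluded separately in {@link #getIssues}.
     * NOTE(review): the list above names 7.x as EOL, but 7 is not in this collection - confirm whether that is intended.
     */
    private static final List<Integer> EOL_TOMCAT_MAJORS = Arrays.asList(4, 5, 6, 8);

    /**
     * Reports an "End of Life Software" scan issue when the detected software/release pair is known to be
     * unsupported. Nothing is reported when either value is {@code null} or the release carries no
     * recognisable major version.
     *
     * @param software            product name as detected on the remote server (matched case-insensitively); may be null
     * @param release             version string as detected on the remote server; may be null or malformed
     * @param callbacks           Burp extender callbacks used to obtain helpers and to register the issue
     * @param baseRequestResponse request/response in which the version was detected; attached to the issue
     */
    public static void getIssues(
            String software,
            String release,
            IBurpExtenderCallbacks callbacks,
            IHttpRequestResponse baseRequestResponse) {
        // Both values come from the remote response; a missing one means there is nothing to report
        // (the previous code dereferenced them unconditionally).
        if (software == null || release == null) {
            return;
        }
        IExtensionHelpers helpers = callbacks.getHelpers();
        IRequestInfo requestInfo = helpers.analyzeRequest(baseRequestResponse);

        // The major version is taken from the whole leading digit run, so "10.x" is 10 rather than 1
        // (the old single-character parse reported Jetty 10/11/12 as "< 9"), and a release with no
        // leading digit no longer throws NumberFormatException / StringIndexOutOfBoundsException.
        OptionalInt major = majorVersion(release);

        // The release string is echoed into the HTML issue detail; escape it so a crafted remote value
        // cannot inject markup into the Burp issue view. The plain-text title keeps the raw value.
        String safeRelease = escapeHtml(release);

        /**
         * Apache Tomcat
         */
        if (software.equalsIgnoreCase("Apache Tomcat")) {
            if (major.isPresent()
                    && EOL_TOMCAT_MAJORS.contains(major.getAsInt())
                    && !release.startsWith("8.5")) {
                callbacks.addScanIssue(new CustomScanIssue(
                        baseRequestResponse.getHttpService(),
                        requestInfo.getUrl(),
                        baseRequestResponse,
                        "End of Life Software - Apache Tomcat " + release,
                        "J2EEScan identified an unsupported release of Apache Tomcat <b>" + safeRelease + "</b>.<br />"
                        + "No more security updates for this version will be released by Apache <br /><br />"
                        + "<b>References</b><br />"
                        + "http://tomcat.apache.org/tomcat-55-eol.html<br />"
                        + "https://tomcat.apache.org/tomcat-60-eol.html<br />"
                        + "https://tomcat.apache.org/tomcat-80-eol.html",
                        "Update the Apache Servlet Container with the last stable release",
                        Risk.High,
                        Confidence.Certain
                ));
            }
        }

        /**
         * Jetty
         */
        if (software.equalsIgnoreCase("Jetty")) {
            /**
             * End of Life - Jetty
             */
            if (major.isPresent() && major.getAsInt() < 9) {
                callbacks.addScanIssue(new CustomScanIssue(
                        baseRequestResponse.getHttpService(),
                        requestInfo.getUrl(),
                        baseRequestResponse,
                        "End of Life Software - Jetty " + release,
                        "J2EEScan identified an unsupported release of Jetty <b>" + safeRelease + "</b>.<br />"
                        + "No more security updates for this version will be released by the vendor <br /><br />"
                        + "<b>References</b><br />"
                        + "https://wiki.eclipse.org/Jetty/Starting/Jetty_Version_Comparison_Table<br />",
                        "Update the Jetty Container with the last stable release",
                        Risk.High,
                        Confidence.Certain
                ));
            }
        }

        /**
         * Oracle Application Server
         */
        if (software.equalsIgnoreCase("Oracle Application Server")) {
            /**
             * End of Life - Oracle Application Server
             */
            if (release.startsWith("9.") || release.startsWith("10.1.2")) {
                callbacks.addScanIssue(new CustomScanIssue(
                        baseRequestResponse.getHttpService(),
                        requestInfo.getUrl(),
                        baseRequestResponse,
                        "End of Life Software - Oracle Application Server " + release,
                        "J2EEScan identified an unsupported release of Oracle Application Server <b>" + safeRelease + "</b>.<br />"
                        + "No more security updates for this version will be released by the vendor <br /><br />"
                        + "<b>References</b><br />"
                        + "http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf<br />",
                        "Update the Oracle Application Server with the last stable release",
                        Risk.High,
                        Confidence.Tentative
                ));
            }
        }
    }

    /**
     * Extracts the major version from a release string.
     *
     * @param release version string such as {@code "8.5.3"} or {@code "10.0"}; must not be null
     * @return the leading integer, or empty when the string does not start with a digit
     */
    private static OptionalInt majorVersion(String release) {
        Matcher m = MAJOR_VERSION.matcher(release);
        // The pattern admits at most nine digits, so parseInt cannot overflow here.
        return m.find() ? OptionalInt.of(Integer.parseInt(m.group(1))) : OptionalInt.empty();
    }

    /**
     * Minimal HTML escaping for text placed inside the issue detail markup.
     *
     * @param text raw text; must not be null
     * @return {@code text} with {@code & < > " '} replaced by their character references
     */
    private static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }
}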