if(description) { script_id(9999001); script_version("$Revision$"); script_tag(name:"risk_factor", value:"None"); script_name("UniBwM 1: Plaintext passwords"); desc =" Overview : This script tests against plaintext passwords for subversion. Risk factor : None"; script_description(desc); script_summary("Plaintext passwords"); script_category(ACT_GATHER_INFO); script_copyright("Copyright (C) 2010 Stefan Schwarz"); script_family("General"); script_dependencies("ssh_authorization.nasl","gather-package-list.nasl"); script_add_preference(name:"Launch UniBwM-scripts", type:"checkbox", value:"yes"); exit(0); } launch = script_get_preference("Launch UniBwM-scripts"); if(launch == "no") exit(0); include("ssh_func.inc"); #Connection via ssh sock = ssh_login_or_reuse_connection(); if(!sock) { security_note(data:"No SSH connection is available -> Trying local connection"); #For local tests, the account data must be available in the source code! account = "myaccount"; password = "mypassword"; sock = open_sock_tcp(22); if(!sock) { log_message(data:"No local connection possible: Abort!"); exit(0); } ssh_login(socket:sock, login:account, password:password); log_message(data:"Local ssh connection successful"); } # Test whether Subversion is installed svn_version = ssh_cmd(socket:sock, cmd:"svn --version"); if(egrep(pattern:"Version", string:svn_version)) { # Subversion is installed # Information output as security note security_note(data:"Subversion is installed: " + svn_version); # Evaluation of config files svn_config1 = ssh_cmd(socket:sock, cmd:"fgrep 'store-passwords = no' /etc/subversion/config"); svn_config2 = ssh_cmd(socket:sock, cmd:"fgrep 'store-plaintext-passwords = no' /etc/subversion/servers"); if(egrep(pattern:"# ", string:svn_config1)) { # Value is commented out, output security warning security_warning(data:"store-passwords = no should be commented out in /etc/subversion/config!"); } if(egrep(pattern:"# ", string:svn_config2)) { # Value is commented out, output security hole security_hole(data:"store-plaintext-passwords = should not be commented out in /etc/subversion/servers!"); } } ssh_close_connection(); exit(0);