Merge branch 'CERT-Polska:main' into main

.github/workflows/docker_nightly.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+  schedule:
+   - cron: "30 9 * * *"
 
 jobs:
   main:

artemis/config.py

@@ -328,6 +328,7 @@ class Nuclei:
                         # We have a separate module for that, checking whethet the repository is a copy of a public one
                         "http/exposures/configs/exposed-svn.yaml",
                         "http/exposures/configs/git-config.yaml",
+                        "http/exposures/files/svn-wc-db.yaml",
                         # We have a separate module checking for a larger number of directory indexes.
                         "http/exposures/configs/configuration-listing.yaml",
                         "http/misconfiguration/sound4-directory-listing.yaml",
@@ -419,8 +420,57 @@ class Nuclei:
                         "custom:CVE-2019-1579",
                         "custom:xss-inside-tag-top-params.yaml",
                         # Nothing particularily interesting
+                        "http/exposures/apis/drupal-jsonapi-user-listing.yaml",
                         "http/miscellaneous/joomla-manifest-file.yaml",
                         "http/exposures/configs/karma-config-js.yaml",
+                        "http/cves/2000/CVE-2000-0114.yaml",
+                        # From the message: "there is no common path to exploit that has a user impact."
+                        "http/cves/2021/CVE-2021-20323.yaml",
+                        # This is Open Redirect in Host header, not exploitable in standard conditions. Besides, this is disputed by vendor.
+                        "http/cves/2023/CVE-2023-24044.yaml",
+                        # Open Redirect in Referer, X-Forwarded-Host or another header making it hard to exploit
+                        "http/vulnerabilities/wordpress/music-store-open-redirect.yaml",
+                        "http/cves/2021/CVE-2021-44528.yaml",
+                        # Minor information leaks
+                        "http/cves/2020/CVE-2020-14179.yaml",
+                        "http/cves/2021/CVE-2021-3293.yaml",
+                        "http/cves/2024/CVE-2024-1208.yaml",
+                        "http/cves/2024/CVE-2024-1210.yaml",
+                        "http/cves/2024/CVE-2024-3097.yaml",
+                        # Over 50 requests
+                        "http/cves/2017/CVE-2017-17562.yaml",
+                        "http/cves/2019/CVE-2019-17382.yaml",
+                        "http/cves/2022/CVE-2022-2034.yaml",
+                        "http/cves/2023/CVE-2023-24489.yaml",
+                        "http/default-logins/apache/tomcat-default-login.yaml",
+                        "http/default-logins/oracle/peoplesoft-default-login.yaml",
+                        "http/exposed-panels/adminer-panel-detect.yaml",
+                        "http/exposures/apis/swagger-api.yaml",
+                        "http/exposures/backups/php-backup-files.yaml",
+                        "http/exposures/backups/zip-backup-files.yaml",
+                        "http/exposures/files/generic-db.yaml",
+                        "http/fuzzing/cache-poisoning-fuzz.yaml",
+                        "http/fuzzing/header-command-injection.yaml",
+                        "http/fuzzing/mdb-database-file.yaml",
+                        "http/fuzzing/prestashop-module-fuzz.yaml",
+                        "http/fuzzing/waf-fuzz.yaml",
+                        "http/fuzzing/wordpress-plugins-detect.yaml",
+                        "http/fuzzing/wordpress-themes-detect.yaml",
+                        "http/fuzzing/wordpress-weak-credentials.yaml",
+                        "http/miscellaneous/defacement-detect.yaml",
+                        "http/misconfiguration/aem/aem-default-get-servlet.yaml",
+                        "http/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml",
+                        "http/misconfiguration/gitlab/gitlab-api-user-enum.yaml",
+                        "http/misconfiguration/gitlab/gitlab-user-enum.yaml",
+                        "http/misconfiguration/servicenow-widget-misconfig.yaml",
+                        "http/technologies/graphql-detect.yaml",
+                        "http/technologies/graylog/graylog-api-exposure.yaml",
+                        "http/vulnerabilities/apache/shiro/shiro-deserialization-detection.yaml",
+                        "http/vulnerabilities/generic/open-redirect-generic.yaml",
+                        "http/vulnerabilities/grafana/grafana-file-read.yaml",
+                        "http/vulnerabilities/tongda/tongda-auth-bypass.yaml",
+                        "http/vulnerabilities/wordpress/wp-xmlrpc-brute-force.yaml",
+                        "javascript/default-logins/ssh-default-logins.yaml",
                     ]
                 ),
                 cast=decouple.Csv(str),

artemis/modules/nuclei.py

@@ -128,6 +128,7 @@ def _scan(self, templates: List[str], targets: List[str]) -> List[Dict[str, Any]
 
         lines = []
         for template_chunk in more_itertools.chunked(templates, Config.Modules.Nuclei.NUCLEI_TEMPLATE_CHUNK_SIZE):
+            self.log.info("Running batch of %d templates on %d target(s)", len(template_chunk), len(targets))
             command = [
                 "nuclei",
                 "-disable-update-check",

artemis/modules/wordpress_plugins.py

@@ -47,7 +47,6 @@
 ]
 PLUGINS_BAD_VERSION_IN_README = [
     "athemes-starter-sites",
-    "backup",
     "blocks-animation",
     "button-contact-vr",
     "cf7-to-zapier",
@@ -57,17 +56,19 @@
     "delete-all-comments-of-website",
     "disable-remove-google-fonts",
     "famethemes-demo-importer",
+    "hostinger",
     "icon-element",
     "link-manager",
-    "mask-form-elementor",
     "official-facebook-pixel",
     "page-or-post-clone",
     "printfriendly",
     "rafflepress",
     "robin-image-optimizer",
     "skyboot-custom-icons-for-elementor",
     "subscribe-to-comments",
+    "the-events-calendar-shortcode",
     "website-monetization-by-magenet",
+    "woocommerce",
     "wp-maximum-execution-time-exceeded",
 ]
 

artemis/reporting/base/report.py

@@ -6,6 +6,7 @@
 from typing import Any, Dict, List, Optional
 
 from artemis.domains import is_domain
+from artemis.reporting.severity import Severity
 from artemis.resolvers import ResolutionException, lookup
 from artemis.utils import get_host_from_url, is_ip_address
 
@@ -57,6 +58,9 @@ class Report:
     original_task_result_root_uid: Optional[str] = None
     original_task_target_string: Optional[str] = None
 
+    # The severity (added during report post-processing)
+    severity: Optional[Severity] = None
+
     def __post_init__(self) -> None:
         # Sanity check - at this moment, only URLs and domains are supported
         assert self.target_is_url() or self.target_is_domain()

artemis/reporting/export/db.py

@@ -11,6 +11,7 @@
 from artemis.reporting.base.language import Language
 from artemis.reporting.base.report import Report
 from artemis.reporting.base.reporters import reports_from_task_result
+from artemis.reporting.severity import get_severity
 from artemis.reporting.utils import get_top_level_target
 from artemis.task_utils import get_target_host
 
@@ -78,6 +79,7 @@ def _initialize_data_if_needed(self) -> None:
                 report_to_add.original_task_result_id = result["id"]
                 report_to_add.original_task_result_root_uid = result["analysis_id"]
                 report_to_add.original_task_target_string = result["target_string"]
+                report_to_add.severity = get_severity(report_to_add)
                 report_to_add.last_domain = result["task"]["payload"].get("last_domain", None)
 
             self._reports.extend(blocklist_reports(reports_to_add, self._blocklist))

artemis/reporting/modules/nuclei/reporter.py

@@ -156,7 +156,8 @@ def _is_url_without_query_fragment(url: str) -> bool:
                             "description_translated": NucleiReporter._translate_description(
                                 template, description, language
                             ),
-                            "reference": vulnerability["info"]["reference"],
+                            "reference": vulnerability["info"].get("reference", []),
+                            "severity": vulnerability["info"]["severity"],
                             "matched_at": matched_at,
                             "template_name": template,
                             "original_template_name": original_template_name,

artemis/reporting/modules/nuclei/template_nuclei_exposed_panel.jinja2

@@ -8,7 +8,7 @@
                     <li>
                         {{ report.target }}: {{ report.additional_data.description_translated }}
                         {{ report_meta(report) }}
-                        {% if 'phpmyadmin' in report.target.lower() or 'phpppgadmin' in report.target.lower() %}
+                        {% if "phpmyadmin" in report.target.lower() or "phpppgadmin" in report.target.lower() %}
                             {% set contains_db_admin.data = 1 %}
                         {% endif %}
                     </li>

artemis/reporting/modules/nuclei/template_nuclei_vulnerability.jinja2

@@ -36,25 +36,26 @@
                         </li>
                     {% endfor %}
                 </ul>
-                {% if reports.0.additional_data.reference %}
-                    {% trans %}More information is available on:{% endtrans %}
-                    <ul>
-                        {% for reference in reports.0.additional_data.reference %}
-                            <li><a href="{{ reference }}">{{ reference }}</a></li>
-                        {% endfor %}
-                    </ul>
-                {% endif %}
-                {% trans trimmed %}
-                    Please contact us if more information is needed - e.g. an address
-                    or command that proves that the vulnerability exists.
-                {% endtrans %}
                 {% if any_link_printed.data %}
                     <p>
                         {% trans trimmed %}
                             The above links are automatically generated - contact us if they aren't sufficient for
                             you to reproduce the vulnerability.
                         {% endtrans %}
                     </p>
+                {% else %}
+                    {% trans trimmed %}
+                        Please contact us if more information is needed - e.g. an address
+                        or command that proves that the vulnerability exists.
+                    {% endtrans %}
+                {% endif %}
+                {% if reports.0.additional_data.reference %}
+                    {% trans %}More information is available on:{% endtrans %}
+                    <ul>
+                        {% for reference in reports.0.additional_data.reference %}
+                            <li><a href="{{ reference }}">{{ reference }}</a></li>
+                        {% endfor %}
+                    </ul>
                 {% endif %}
              </li>
          {% endif %}

artemis/reporting/modules/nuclei/translations/en_US/LC_MESSAGES/messages.po

@@ -35,8 +35,10 @@ msgstr ""
 msgid " under "
 msgstr ""
 
-#: artemis/reporting/modules/nuclei/template_nuclei_vulnerability.jinja2:40
-msgid "More information is available on:"
+#: artemis/reporting/modules/nuclei/template_nuclei_vulnerability.jinja2:41
+msgid ""
+"The above links are automatically generated - contact us if they aren't "
+"sufficient for you to reproduce the vulnerability."
 msgstr ""
 
 #: artemis/reporting/modules/nuclei/template_nuclei_vulnerability.jinja2:47
@@ -46,7 +48,5 @@ msgid ""
 msgstr ""
 
 #: artemis/reporting/modules/nuclei/template_nuclei_vulnerability.jinja2:53
-msgid ""
-"The above links are automatically generated - contact us if they aren't "
-"sufficient for you to reproduce the vulnerability."
+msgid "More information is available on:"
 msgstr ""