NASLDB: Tornado < 2.2.1 HTTP Response Splitting
General
ID: 59356
Name: Tornado < 2.2.1 HTTP Response Splitting
Summary: Checks version in Server response header
Credits: Tenable Network Security, Inc.
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Port: 80
Family: Web Servers
Type: Remote
Description
According to its banner, the version of Tornado installed on the
remote host is older than 2.2.1. As such, it may be affected by an
HTTP response splitting vulnerability that may allow an
unauthenticated, remote attacker to forge responses from a trusted
server.
Exploiting
Exploit Available: True
Exploitability Ease: Exploits are available
Sources
CVE: CVE-2012-2374
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: 2012/05/18
Patch Release: 2012/04/23
Plugin Release: 2012/06/04
Plugin
Version: 1.3
Filename: tornado_2_2_1.nasl
Filesize: 3669 bytes
MD5 Hash: ab14511f53c42633de8c1b7af0e2b0f1
Identification: –
Require Keys: "www/tornado", "Settings/ParanoidReport"
Dependencies: "http_version.nasl"
Copyright: This script is Copyright © 2012 Tenable Network Security, Inc.