RE: [ISN] Free tool: apache chunked vulnerability scanner

From: InfoSec News (isnat_private)
Date: Tue Jun 25 2002 - 04:47:57 PDT

  • Next message: InfoSec News: "[ISN] Is VoIP vulnerable?"

    Forwarded from: Marc Maiffret <marcat_private>
    Cc: Jonas M Luster <jlusterat_private>
    thanks for your email.
    the first version was released quickly so people could have something to
    start with. the current version of the tool does perform an attack to
    determine if its vulnerable. were always improving over time but things
    start somewhere.
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    F.949.349.9538 - Network Security Scanner - Network Traffic Analyzer - Stop known and unknown IIS vulnerabilities
    | -----Original Message-----
    | From: Jonas M Luster [mailto:jlusterat_private]
    | Sent: Monday, June 24, 2002 1:48 PM
    | To: InfoSec News
    | Cc: marcat_private
    | Subject: Re: [ISN] Free tool: apache chunked vulnerability scanner
    | Quoting InfoSec News (isnat_private):
    | > Forwarded from: "Marc Maiffret" <marcat_private>
    | > Cc: "Greg Broiles" <gbroilesat_private>
    | >
    | > yes the tool is non intrusive. thanks for pointing that out. well
    | > update the site.
    | That's another way to put it. But why call it a 'vulnerability
    | scanner' in the first place if it's only a version checker? Apache
    | Users with ServerTokens set to Prod or OS won't be reported
    | vulnerable, while my servers, running a originally vulnerable but
    | patched Apache are reported to be.
    | This kind of advertising is pretty deceptive. In fact there's only one
    | way to scan for that vulnerability - and that's by exploiting it.
    | Every twelve-year-old with a broomstick and libwhisker can write a
    | version checker in minutes, if not less, so why not call it what it is
    | - a sophisticated way to verify Apache signatures?
    | But, non-intrusive sounds cool, I give you that.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 09:04:30 PDT