On Mon, Mar 03, 2003 at 01:26:31PM -0800, Steven Procter wrote:
> The following regular expression:
>
> .*Sendmail.*(Switch\-((1\.)|(2\.(0\.|1\.[0-4])))|(\/|UCB | )([5-7]|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))).*
>
> Matches the following string (which I constructed from a sendmail
> server's output but believe should not be considered vulnerable):
>
> ns.somehost.com ESMTP Sendmail 8.12.8/SuSE Linux 0.6; Mon, 3 Mar 2003 5:17:17 -0800
>
> Because it thinks that the 5 in 5:45:18 is the version of the
> sendmail. That is the ".*" after Sendmail consumes everything through
> "2003" and then the " 5" is matched by "(\/|UCB | )([5-7]...".
>
> In other words, the regular expression will generate false positives
> for this server between 5 and 7 in the morning.
>
> Following is a little nasl script which exhibits the problem. Try
> changing the time from 5 to 8...
>
> --Steven
>
> --- cut here ---
>
> re = ".*Sendmail.*(Switch\-((1\.)|(2\.(0\.|1\.[0-4])))|(\/|UCB | )([5-7]|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))).*";
>

Fixed. The re is missing a \. after [5-7]

-- Renaud, grokking the regexp
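The false positive discussed in this thread, reproduced in Python as an added example (not code from the original post or from the scanner's plugin). FIXED is an assumption: it applies the one-character change the reply describes, since the corrected pattern itself is not shown here, and banner() builds constructed strings modelled on the sample in the post.

```python
import re

# Pattern quoted in the post (the one that produced the false positive).
ORIGINAL = (r".*Sendmail.*(Switch\-((1\.)|(2\.(0\.|1\.[0-4])))|(\/|UCB | )"
            r"([5-7]|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))).*")

# Assumed corrected form: "\." added after "[5-7]", as the reply describes.
FIXED = ORIGINAL.replace("([5-7]|8", r"([5-7]\.|8")
assert FIXED != ORIGINAL  # the substitution must actually have applied


def banner(version, hour):
    """Constructed banner modelled on the sample string in the post."""
    return ("ns.somehost.com ESMTP Sendmail %s/SuSE Linux 0.6; "
            "Mon, 3 Mar 2003 %d:17:17 -0800" % (version, hour))


def flagged(pattern, text):
    """True when the version check would report the banner as vulnerable."""
    return re.search(pattern, text) is not None


def false_positive_hours(pattern, version="8.12.8"):
    """Hours of the day at which a banner for `version` gets flagged.

    8.12.8 is the version the post says should not be considered
    vulnerable, so any hour returned for it is a false positive caused
    by the timestamp rather than by the version field.
    """
    return [h for h in range(24) if flagged(pattern, banner(version, h))]


if __name__ == "__main__":
    print("original, 8.12.8 flagged at hours:", false_positive_hours(ORIGINAL))
    print("fixed,    8.12.8 flagged at hours:", false_positive_hours(FIXED))
    # Versions the pattern is written to catch must still match after the fix.
    for v in ("5.65", "8.11.6", "8.12.7"):
        print(v, "still flagged:", flagged(FIXED, banner(v, 8)))
```

Running a version pattern across every hour of the day is a cheap regression check for banner regexes that are not anchored to the version field.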
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 13:31:04 PST