Hi, I plan on doing these changes, so if anyone thinks they're a bad idea then let me know before I start!

11856 - change regex so it only matches the 4.x series (not 3.6 etc.). The original @stake advisory says this, although the information is lost in the CERT advisory.

11411 - make it not trigger if all the backup extensions appear to exist for one file. This stops some false positives (where a weird URL has got into the CGI list) and is unlikely to cause false negatives.

10492 - change path matching regex from "[a-z]\..*" to "[a-z]\.\\.*"

11852 - stop it triggering when exactly these four tests trigger:

RCPT TO: <"nobody@private">
RCPT TO: <"nobody@private">
RCPT TO: <"nobody%example.com">
RCPT TO: <example.com!nobody>

This is because some mailers (e.g. Microsoft SMTP) think these are local addresses and accept them for local delivery. I doubt this will cause any false negatives.

XSS plugins - there is already a mechanism for making the other XSS plugins not trigger when 10815 does, but it is little used. I propose modifying all XSS plugins to use this kb, and providing an option to plugin 10815 to control this behaviour.

Also, the directory traversal plugins are all susceptible to false positives, especially against no404 servers. Does anyone have any thoughts about what to do about this? The current match strings seem a bit too simplistic. In fact I think all the traversal stuff is quite prone to false negatives as well.

Thanks for any feedback,

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@private
web: www.westpoint.ltd.uk
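The false-positive guard proposed for 11411 above, written out as an added example (not the Nessus plugin's own code and not from the poster); the extension list and the probe-result format are assumptions made for illustration:

```python
"""Added example: suppress backup-file findings when every backup extension
'exists' for one path, which indicates a catch-all (no404) server or a junk
URL in the CGI list rather than a real backup copy."""

# Assumed backup/editor suffixes for illustration; the real plugin's list may differ.
BACKUP_EXTENSIONS = (".bak", ".old", ".orig", "~", ".save", ".swp")


def backup_findings(probe_results, extensions=BACKUP_EXTENSIONS):
    """probe_results maps a CGI path to the set of backup extensions for which
    the server answered 200.  Returns {path: [found extensions]}, dropping any
    path where all extensions appeared to exist: that pattern means the server
    answers 200 for anything, so reporting it would be a false positive."""
    wanted = set(extensions)
    findings = {}
    for path, found in probe_results.items():
        hits = set(found) & wanted
        if not hits:
            continue  # nothing looked like a backup copy
        if hits == wanted:
            continue  # every suffix "exists": treat as no404 behaviour, not a finding
        findings[path] = sorted(hits)
    return findings


# Constructed sample: one realistic hit, one catch-all path, one clean file.
SAMPLE_PROBES = {
    "/cgi-bin/login.cgi": {".bak"},
    "/cgi-bin/weird/junk": set(BACKUP_EXTENSIONS),
    "/cgi-bin/search.cgi": set(),
}

if __name__ == "__main__":
    print(backup_findings(SAMPLE_PROBES))  # {'/cgi-bin/login.cgi': ['.bak']}
```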
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 05:59:56 PDT