On Thu, Oct 23, 2003 at 01:59:11PM +0100, Paul Johnston wrote:

> 11856 - change regex so it only matches the 4.x series (not 3.6 etc.)
> The original @stake advisory says this, although the information is lost
> in the CERT advisory.

Ok.

> 11411 - make it not trigger if all the backup extensions appear to exist
> for one file. This stops some false positives (where a weird URL has got
> into the CGI list) and is unlikely to cause false negatives.

Ok.

> 10492 - change path matching regex from "[a-z]\..*" to "[a-z]\.\\.*"

Ok.

> 11852 - stop it triggering when exactly these four tests trigger:
> RCPT TO: <"nobody@private">
> RCPT TO: <"nobody@private">
> RCPT TO: <"nobody%example.com">
> RCPT TO: <example.com!nobody>
> This is because some mailers (e.g. Microsoft SMTP) think these are
> local addresses and accept them for local delivery. I doubt this will
> cause any false negatives.

I also noticed that - yes, please do.

> XSS plugins - there is already a mechanism for making the other XSS
> plugins not trigger when 10815 does, but it is little used. I propose
> modifying all xss plugins to use this kb, and providing an option to
> plugin 10815 to control this behaviour.

Ok.

> Also, the directory traversal plugins are all susceptible to false
> positives, especially against no404 servers. Does anyone have any
> thoughts about what to do about this? The current match strings seem a
> bit too simplistic. In fact I think all the traversal stuff is quite
> prone to false negatives as well.

A trivial thing is to exit if this is a no404 server. This is prone to false negatives though.

-- Renaud
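The false-positive rule proposed for plugin 11411 above, as an added Python illustration rather than the plugin's own NASL code: the backup suffixes, the fetcher interface and the server responses are assumptions made for the example.

```python
from typing import Callable, Dict, List

# Added example, not the Nessus plugin's code. It models the 11411 rule:
# probe backup variants of each CGI, but do not report a file whose every
# variant "exists", since that pattern means the server answers 200 for
# anything (a no404 server, or a junk URL that got into the CGI list).
# The suffixes are assumed; the fake server below is constructed.

BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")

Fetcher = Callable[[str], int]  # path -> HTTP status code


def find_backups(fetch: Fetcher, cgi_path: str) -> List[str]:
    """Return the backup variants of cgi_path that answered 200."""
    return [cgi_path + s for s in BACKUP_SUFFIXES if fetch(cgi_path + s) == 200]


def backup_findings(fetch: Fetcher, cgi_list: List[str]) -> Dict[str, List[str]]:
    """Findings worth reporting, keyed by CGI path.

    A CGI whose variants all 'exist' is dropped as a probable false
    positive; one with some (but not all) variants present is reported.
    """
    report: Dict[str, List[str]] = {}
    for cgi in cgi_list:
        found = find_backups(fetch, cgi)
        if found and len(found) < len(BACKUP_SUFFIXES):
            report[cgi] = found
    return report


# Constructed server behaviour: /cgi-bin/login.php has one real backup copy;
# anything under /weird/ is answered 200 whatever is asked (no404 behaviour).
_CONSTRUCTED = {"/cgi-bin/login.php.bak": 200}


def fake_fetch(path: str) -> int:
    if path.startswith("/weird/"):
        return 200
    return _CONSTRUCTED.get(path, 404)


if __name__ == "__main__":
    print(backup_findings(fake_fetch, ["/cgi-bin/login.php", "/weird/junk"]))
```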
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 06:09:30 PDT