Re: Proposed plugin changes

From: Renaud Deraison (deraison@private)
Date: Thu Oct 23 2003 - 06:07:06 PDT


    On Thu, Oct 23, 2003 at 01:59:11PM +0100, Paul Johnston wrote:
    > 11856 - change regex so it only matches the 4.x series (not 3.6 etc.)
    > The original @stake advisory says this, although the information is lost
    > in the CERT advisory.
    > 11411 - make it not trigger if all the backup extensions appear to exist
    > for one file. This stops some false positives (where a weird URL has got
    > into the CGI list) and is unlikely to cause false negatives.
    > 10492 - change path matching regex from "[a-z]\..*" to "[a-z]\.\\.*"
    > 11852 - stop it triggering when exactly these four tests trigger:
    >        RCPT TO: <"nobody@private">
    >        RCPT TO: <"nobody@private">
    >        RCPT TO: <"">
    >        RCPT TO: <!nobody>
    > This is because some mailers (e.g. Microsoft SMTP) think these are
    > local addresses and accept them for local delivery. I doubt this will
    > cause any false negatives.
    I also noticed that - yes, please do.
    > XSS plugins - there is already a mechanism for making the other XSS
    > plugins not trigger when 10815 does, but it is little used. I propose
    > modifying all xss plugins to use this kb, and providing an option to
    > plugin 10815 to control this behaviour.
    > Also, the directory traversal plugins are all susceptible to false
    > positives, especially against no404 servers. Does anyone have any
    > thoughts about what to do about this. The current match strings seem a
    > bit too simplistic. In fact I think all the traversal stuff is quite
    > prone to false negatives as well.
    A trivial thing is to exit if this is a no404 server. This is prone to
    false negatives though.
    				-- Renaud
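    An added example (my own Python, not code from the Nessus plugins or from anyone in this thread) of the false-positive logic discussed above: the 11411 idea that a file whose backup extensions all "exist" is a catch-all artefact rather than a finding, plus the no404 pre-check Renaud mentions for the traversal plugins. The extension list, function names and sample input are constructed for illustration.

```python
# Added example, not from the Nessus plugins or this thread.
# Implements the 11411 proposal: if every backup extension probed for a
# file comes back "present", the server is almost certainly answering all
# requests the same way (no404 / catch-all server, or a junk URL in the
# CGI list), so none of those hits are reported for that file.
from typing import Dict, List

# Backup suffixes a backup-file check might probe (constructed list,
# not the plugin's own table).
BACKUP_EXTENSIONS = [".bak", ".old", ".orig", "~", ".save"]


def filter_backup_hits(hits: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """Return {base_file: [extensions worth reporting]}.

    `hits` maps each probed base file to {extension: found}. A file for
    which *every* extension was "found" is dropped entirely (the 11411
    rule); otherwise only the extensions actually found are kept.
    """
    reported: Dict[str, List[str]] = {}
    for base, per_ext in hits.items():
        found = [ext for ext in BACKUP_EXTENSIONS if per_ext.get(ext, False)]
        if len(found) == len(BACKUP_EXTENSIONS):
            continue  # all extensions "exist": treat as a catch-all response
        if found:
            reported[base] = found
    return reported


def looks_like_no404(status_for_random_paths: List[int]) -> bool:
    """True when a server answers 200 for paths that cannot exist.

    Takes the status codes returned for a few randomly named paths
    (constructed input). A server returning 200 for all of them is a
    no404 server; the thread notes that simply exiting on such servers
    avoids false positives at the cost of possible false negatives.
    """
    return bool(status_for_random_paths) and all(
        s == 200 for s in status_for_random_paths
    )
```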

    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 06:09:30 PDT