I consider these two separate vulnerabilities. The reason is that blank passwords are normally the result of a default configuration or insecure application install (many apps bundle a wide-open MSDE service), where a common or weak account password is an admin/developer training issue.

Maybe move the login routines into a mssql_funcs.inc and have each plugin include it? Combining them into one plugin would work, provided the report differentiates between blank and weak passwords.

On Wednesday 25 February 2004 18:14, Dennis Jackson wrote:
> Should the two scripts mssql_blank_password.nasl and
> mssql_brute_force.nasl be merged into one?
>
> The first script simply tests for the combination of
> username "sa" password "". While the second script tests
> for eleven different combinations of username and
> password. It would be trivial to add "sa" / "" into the
> list in mssql_brute_force.nasl
>
> As a further change, some of the description in
> mssql_blank_password.nasl should be added into the report
> produced by mssql_brute_force.nasl
>
>
> Dennis.
>
>
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@private
> http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2b30 : Wed Feb 25 2004 - 17:43:49 PST