Hello,

while writing a new plugin for an IIS ISAPI bug, I saw that the body of the error message generated by my webserver is localized ("échec de l'appel de procèdure distante").

So, I used the HTTP code and the HTML title to match vulnerable versions:

    if("HTTP/1.1 500 Server Error" >< r && "<html><head><title>Error</title>" >< r) security_hole(port);

There are 3 IIS plugins which use the hardcoded string "The remote procedure call failed", and which could generate false negatives on non-English IIS servers:

    frontpage_overflow.nasl (line 97)
    nsiislog_dll.nasl (line 102)
    perlIS_dll_bufferoverflow.nasl (line 67)

I'm not sure that using "error code + title" would be 100% successful, but it works on my test box.

Regards,
-- 
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoire@private ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
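Added example, not part of the original message and not Nessus plugin code: the two matching strategies from the message, run in Python over constructed responses to show the false negative on a localized server. The sample responses, the function names, and anchoring the status to the first line (the NASL `><` operator is a plain substring match) are assumptions of this example.

```python
# Hardcoded English body string used by the three plugins named in the message.
ENGLISH_BODY = "The remote procedure call failed"
# Markers from the check proposed in the message; neither is localized.
STATUS_LINE = "HTTP/1.1 500 Server Error"
ERROR_TITLE = "<html><head><title>Error</title>"


def body_string_check(raw):
    """Existing style: substring match on the (localized) error text."""
    return ENGLISH_BODY in raw


def status_title_check(raw):
    """Proposed style: status line plus HTML title.

    Assumption of this example: the status must be the first line of the
    response and the title must be in the body, so a page that merely
    quotes the status text does not match.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status = head.split("\r\n")[0]
    return status == STATUS_LINE and ERROR_TITLE in body


def make_response(status_line, body_text):
    """Build a constructed HTTP response (not captured from a real server)."""
    return (status_line + "\r\nContent-Type: text/html\r\n\r\n"
            + ERROR_TITLE + "</head><body>" + body_text + "</body></html>")


# Constructed samples: same error page in two locales, plus two negatives.
SAMPLES = {
    "english_iis": make_response(STATUS_LINE, ENGLISH_BODY),
    "french_iis": make_response(STATUS_LINE,
                                "échec de l'appel de procèdure distante"),
    "not_found": make_response("HTTP/1.1 404 Not Found", "Not found"),
    "quoted_in_200": make_response("HTTP/1.1 200 OK", STATUS_LINE),
}


def compare(samples=SAMPLES):
    """Return {name: (body_string_result, status_title_result)}."""
    return {name: (body_string_check(raw), status_title_check(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:15} body-string={old!s:5} status+title={new}")
```

The `french_iis` row is the false negative described in the message: the body-string check misses it while the status and title check still matches.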
This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 07:42:03 PDT