[Plugins-writers] compaqdiag and false positives

From: Jon Passki (cykyc@private)
Date: Thu Feb 17 2005 - 08:56:35 PST


Hello All,

The plugins below [1] all reported positive for the Compaq Diag.
service.   There were some other ones for the HTTPS version, too,
but these were easier to grep.  The plugin 10386 (No404) did test
correctly.  The problem seems to be that the script returns the URL
like this:

<head><META HTTP-EQUIV="refresh"
CONTENT="0;URL=https://192.168.118.33:2381/_vti_pvt%5caccess.cnf"></head><H2>Unable
to complete your request due to added security features</H2>

So, this will test positive for any plugin that does something
similar:

if ( res == NULL ) exit(0);
if ( "<script>foo</script>" >< res )
{
  # fires whenever the fixed marker string appears anywhere in the body,
  # including when the server has only echoed the requested URL back
  security_warning(port);
  exit(0);
}


Here's an option: Create a check that requests a bogus string and
checks the response for that string.  If it's a Compaq HTTP server,
unregister the web service from the kb so the other basic CGI
scripts don't fire.  Register it as a compaqdiag service (if it's
not done already) and have the compaqdiag-specific plugins check it
against known Compaq HTTP issues.  The flaw is that this can
increase False Negatives.  I am sure there probably are more flaws
with this approach, but it seems better than the alternative (100+
false positives is a pain to research).  I'll look into doing this
time permitting.

Jon

[1] False Positive Plugins:
10008
10010
10011
10034
10035
10040
10041
10060
10064
10071
10077
10078
10095
10098
10099
10122
10131
10142
10164
10165
10173
10181
10187
10188
10252
10253
10277
10291
10295
10296
10298
10299
10300
10301
10302
10317
10321
10340
10357
10358
10359
10365
10368
10376
10480
10564
10575
10577
10591
10592
10597
10629
10641
10649
10699
10718
10783
10815
10838
10922
10937
10957
11066
11070
11072
11079
11083
11095
11107
11118
11142
11165
11190
11278
11395
11417
11441
11446
11449
11451
11461
11464
11465
11479
11520
11608
11610
11646
11694
11719
11721
11722
11723
11725
11726
11728
11731
11732
11747
11760
11764
11766
11771
11776
11810
11939
11960
12045
12057
12058
12101
12299
12301
14185
14186
14318
14352
14357
14368
14369
14614
14665
14681
14685
14833
15480
15485
15564
15707
15710
15717
15850
15864
15908
15951
15967
16022
16069
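The probe-and-reclassify idea sketched in the message, written out as an added Python example (this is not Nessus or plugin code from the post, and the KB here is a plain dict standing in for the real knowledge base). The Compaq response template is constructed from the fragment quoted above; the fragment only shows a backslash coming back as %5c, so treating every other character as echoed verbatim is an assumption, consistent with the claim that a literal "<script>foo</script>" matches. The ports and hostnames are constructed values.

```python
"""Tell a URL-echoing front page (like the Compaq Diag redirect quoted in
the post) apart from a real web server before generic CGI checks run.
Added example, not Nessus plugin code; the server behaviour beyond the
quoted fragment is an assumption."""
import secrets
from urllib.parse import quote

# Constructed from the fragment in the post. Only the backslash is shown
# encoded (%5c); echoing everything else verbatim is an assumption.
COMPAQ_TEMPLATE = (
    '<head><META HTTP-EQUIV="refresh" '
    'CONTENT="0;URL=https://{host}:{port}/{path}"></head>'
    "<H2>Unable to complete your request due to added security features</H2>"
)


def compaq_diag_response(host, port, path):
    """Stand-in for the Compaq Diag server: redirect to HTTPS, echoing the path."""
    return COMPAQ_TEMPLATE.format(host=host, port=port,
                                  path=path.replace("\\", "%5c"))


def naive_check(body):
    """The pattern the post criticises: a fixed marker string searched for
    in the body, with no test of whether the server simply echoed it."""
    if body is None:
        return False
    return "<script>foo</script>" in body


def make_probe():
    """Random path no real application serves; if it comes back in the
    body, the server is echoing requests rather than answering them."""
    return "nessus-probe-" + secrets.token_hex(8)


def echoes_request(body, probe):
    """True if the probe appears raw or percent-encoded (either case) in the body."""
    body_l = body.lower()
    return probe.lower() in body_l or quote(probe, safe="").lower() in body_l


def classify_service(send):
    """send(path) -> body, or None on connection failure.
    'compaqdiag' for an echoing server, 'www' otherwise, 'unknown' when no
    answer came back (the false-negative risk the post mentions: nothing
    gets registered, so nothing else is tested on that port)."""
    probe = make_probe()
    body = send("/" + probe)
    if body is None:
        return "unknown"
    return "compaqdiag" if echoes_request(body, probe) else "www"


def register_services(kb, port, send):
    """Hypothetical KB stand-in: kb maps a service name to the set of ports
    it was found on. An echoing server is moved from 'www' to 'compaqdiag'
    so plugins keyed on 'www' skip that port."""
    kind = classify_service(send)
    if kind == "compaqdiag":
        kb.setdefault("www", set()).discard(port)
        kb.setdefault("compaqdiag", set()).add(port)
    elif kind == "www":
        kb.setdefault("www", set()).add(port)
    return kb


def cgi_check_would_fire(kb, port, body):
    """A generic CGI check gated on the KB: runs only on ports still
    registered as 'www', then applies the naive marker test."""
    return port in kb.get("www", set()) and naive_check(body)


if __name__ == "__main__":
    # Constructed: an echoing Compaq-style server and an ordinary one.
    def compaq(path):
        return compaq_diag_response("192.168.118.33", 2381, path.lstrip("/"))

    def plain(path):
        return "<html><body>404 Not Found</body></html>"

    kb = {"www": {8080, 80}}          # ports are constructed values
    register_services(kb, 8080, compaq)
    register_services(kb, 80, plain)
    xss_body = compaq("/<script>foo</script>")
    print(kb)
    print(naive_check(xss_body))                    # the false positive
    print(cgi_check_would_fire(kb, 8080, xss_body))  # suppressed after re-registration
```

The random probe is the important part: a fixed bogus path could be special-cased by a server, but nothing answers an unknown random path by repeating it unless it is building the response from the request. The trade-off the message names is visible in classify_service: a server that fails to answer the probe is never registered, so every check keyed on that service is silently skipped.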
 


_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2.1.3 : Thu Feb 17 2005 - 08:57:07 PST