> TH> patch. For instance, eEye's tool reports my patched RH7.2 server as
> TH> "vulnerable", because it only checks the server string, it doesn't
> TH> try to exploit the vulnerability.
>
> That's interesting.. If you sniff the tool, you'll see it
> does a HEAD, and then posts to x.html with a chunk
> encoding.. It seems to be doing more than just reading the
> version on the banner. (This is as of 2 hours ago, maybe they
> updated their tool).
>
> It appears to actually exploit it for the testing. I didn't
> trace the tool itself, only from what the packet capture says.

The original version only checked the server version, whereas an updated version now available does the HEAD and really tests for the hole. I saw this post on the Infosec news mailing list:

"Forwarded from: Marc Maiffret <marcat_private>
Cc: Jonas M Luster <jlusterat_private>

thanks for your email. the first version was released quickly so people could have something to start with. the current version of the tool does perform an attack to determine if it's vulnerable. we're always improving over time but things start somewhere.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security"

The new version (1.0.2) of the tool now reports even older, patched Apaches correctly as "not vulnerable", including my server.

--
Toni Heinonen, Teleware Oy
Wireless +358 (40) 836 1815
Telephone +358 (9) 3434 9123
toni.heinonenat_private
www.teleware.fi
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 15:40:13 PDT