Simple buglet: When it looks for the exploit, it checks to see if the return page is:
"HTTP/1.1 401 Access Denied" It should check for "HTTP/1.1 401" instead. e.g. Samba's SWAT program returns "HTTP/1.1 401 Access Denied" - and nessus treats that as identical to "HTTP/1.1 200" - which really isn't the case :-) In fact, I'd argue that any 400-series HTTP error code would be definitive that this exploit isn't present... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
