On Tue, Jun 25, 2002 at 04:32:15PM -0400, Thomas Reinke wrote:
> I'd like to propose for consideration that when safe_checks is
> disabled (i.e. the go-for-the-throat real test), the nasl
> script STILL report the safe_check results _independently_,
> labelling them as such.
No, that would make no sense. Imagine the following reports:
"You are running version x.y.z of SomeProduct. Versions < x.y.z+2 are
vulnerable to a remote overflow.
The testing of the overflow failed"
And:
"It was possible to make the remote SomeProduct crash. Upgrade to
version x.y.z-2" (whereas you're running version x.y.z already).
Safe checks and "regular checks" are two different testing
methodologies. Combining them will just add noise and confusion.
> Case in point: the recent Apache chunked encoding vulnerability.
> We all know that versions < 1.3.26 are vulnerable, yet it has
> been reported on this list that some versions are not being
> flagged as vulnerable.
That's true. Some plugins will fail. In this case, Apache-on-Solaris
refuses to die (investigation is being done). But in other cases, a bad
regexp may not catch a vulnerable version of some product. These are
called bugs; they happen and they usually get fixed.
-- Renaud