I am also running Nessus against Apache/1.3.19 under Solaris and not
getting a hit with the apache_chunked_encoding.nasl.  nessusd.messages
references that it ran against the box, no problems.  I am thinking of
turning on "safe checks" and running another scan of the server just to see
if the banner check gets a hit. 

I had a friend take a run at it with ISS and that same box came up
vulnerable to it.  Not sure if ISS only checks banners though...

Has anyone else made any progress with the idea that not all versions are
actually vulnerable?  Just wondering if anyone else (far smarter than I!)
has figured out what is up with apache_chunked_encoding.nasl and
Apache/1.3.19 under Solaris. :)


Cheers!

Mike Kelley
[EMAIL PROTECTED]

>> 
>> However, this may also be the case.  We've found several versions of
>> apache which we know are vulnerable (and have vulnerable 
>> version numbers
>> that are caught by the safe check), but are failing the more extensive
>> test.  So far, we've seen some hosts apache 1.3.19, 1.3.12, and 1.3.16
>> (all running solaris, but I'm not sure it's tied to the OS) fail the 
>> in-depth test.
>
>Interesting.  One of the tests I gathered from one of the security lists
>(although I've lost the original post) is to telnet to an affected webserver
>and enter this text:
>
>       POST /x.html HTTP/1.1
>       Host: 192.168.1.1
>       Transfer-Encoding: chunked
>       
>       80000000
>       Rapid 7
>       0
>
>Against:
>"Server: Apache/1.3.24 (Unix)" on Solaris 8
>both the safe and unsafe checks return a hole.  Using the manual test, the
>server drops the connection after the "80000000" line.
>
>Against:
>"Server: Apache/1.3.1 (Unix)" on Solaris 2.6
>"Server: Apache/1.2.4" on Solaris 2.6
>the safe check returns a hole, while the unsafe says it's OK.  In the manual
>test, after I hit the second carriage return after the "Transfer-Encoding:
>chunked" line, the server responds with "HTTP/1.1 100 Continue" and an extra
>carriage return.  Then when I enter "80000000" the server returns "HTTP/1.1
>400 Bad Request"
>
>Against:
>"Server: Apache/1.3.19 (Unix)" on Solaris 2.6
>"Server: Apache/1.3.19 (Unix)" on HP-UX 11.00
>"Server: Apache/1.3.3 (Unix)" on Solaris 2.6
>"Server: Apache/1.3.9 (Unix)" on Solaris 2.6
>"Server: Apache/1.3.6 (Unix)" on Solaris 2.6
>"Server: Apache/1.3.12 (Unix)" on Solaris 7
>I also get the "HTTP/1.1 400 Bad Request" after the "80000000" line, but
>there is no "HTTP/1.1 100 Continue" in between.
>
>Against:
>"Server: Apache/1.3.12 (Unix)" on SuSE Linux 7.0 (s390) - Kernel 2.2.16
>My manual test disconnects like a vulnerable system, but the unsafe check
>says it's OK.  Need to investigate more fully since this one should return a
>hole using unsafe checks.
>
>Against:
>"Server: Apache/1.2.5" on UnixWare 2.1.2
>The safe check returns vulnerable, the unsafe check returns invulnerable and
>the manual check never errors out.
>
>These "400" messages are also what a 1.3.26 server responds, so maybe we've
>discovered that not all 1.3.0-1.3.24 are vulnerable.  Maybe my manual test
>is flawed.  Anyone know of a better one?  I checked a couple of them using
>the test from apache_chunked_encoding.nasl where the string is "fffffff0"
>instead of "80000000" with the same results.
>
>No, you won't see these systems sitting in our DMZ...:)
>
>Regards,
>Owen Crow
>Systems Programmer (Unix)
>BMC Software, Inc.
>
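
A defender-side check, added here by the editor and not code from the thread, from Nessus or from the apache_chunked_encoding.nasl plugin: it parses a captured HTTP request, walks the chunk-size lines without trusting them, and flags a declared size whose 32-bit sign bit is set, which is what the thread's manual "80000000" value and the plugin's "fffffff0" value have in common. The sample request is constructed from the probe quoted above; the function and constant names are my own.

```python
import re

SIGN_BIT_32 = 0x80000000  # a declared chunk size at or above this sets the 32-bit sign bit
SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")  # hex chunk size, optional extension

def is_chunked(head):
    """True when a Transfer-Encoding header in the request head lists 'chunked'."""
    for line in head.decode("latin-1").splitlines()[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "transfer-encoding" and "chunked" in value.lower():
            return True
    return False

def declared_chunk_sizes(body):
    """Walk the chunk-size lines without trusting them: a size larger than the
    bytes actually sent is recorded and ends the walk instead of being read."""
    sizes, pos = [], 0
    while pos < len(body):
        line, _, rest = body[pos:].partition(b"\n")
        pos = len(body) - len(rest)      # start of whatever follows this line
        m = SIZE_LINE.match(line.rstrip(b"\r"))
        if not m:
            break                        # not a size line: malformed body, stop
        size = int(m.group(1), 16)
        sizes.append(size)
        if size == 0 or size > len(body) - pos:
            break                        # last chunk, or data the client never sent
        pos += size                      # skip the chunk data ...
        pos += 2 if body.startswith(b"\r\n", pos) else 1   # ... and its line ending
    return sizes

def classify(raw):
    """Label a raw request: not-chunked, oversized-chunk, truncated-chunk or ok."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if not is_chunked(head):
        return "not-chunked"
    sizes = declared_chunk_sizes(body)
    if any(s >= SIGN_BIT_32 for s in sizes):
        return "oversized-chunk"         # the 80000000 / fffffff0 probe from the thread
    if not sizes or sizes[-1] != 0:
        return "truncated-chunk"
    return "ok"

# Constructed sample: the manual probe quoted in the thread, and a benign twin.
PROBE = (b"POST /x.html HTTP/1.1\r\nHost: 192.168.1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"80000000\r\nRapid 7\r\n0\r\n\r\n")
BENIGN = PROBE.replace(b"80000000", b"7")
```

Run over captured requests from a proxy or packet capture, the "oversized-chunk" label isolates this probe from ordinary chunked uploads, while "truncated-chunk" catches bodies whose declared size was never actually sent.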
