On Fri, Oct 24, 2003 at 01:01:40PM -0700, Erik Stephens wrote:
Hi,
> I've been poking around the CGI abuse plugins, focusing on how things
> are handled when dealing with a web server that doesn't return proper
> "404 not found" pages. As I understand it, no404.nasl will store a
> pattern in the kb that is_cgi_installed should search for when
> requesting a CGI abuse that returns an HTTP 200 status code.
>
> Why would a plugin depend on no404.nasl but not make a call to
> is_cgi_installed?
Because it is a good way to make sure that all the actual dependencies
(http version detection, http keep-alive detection, webmirror and
DDI_Directory_Scanner) have run. is_cgi_installed() and
is_cgi_installed_ka() are used in last resort (ie: could not find a copy
of the CGI affected by the flaw) but most of the newer CGI checks
include a kind of signature of the CGI seeked, which is the best way to
workaround stupid web servers with no 404 error codes.
-- Renaud
