George Theall said: > On Tue, Jun 29, 2004 at 01:18:59PM -0600, Lucas Albers wrote: > >> It only appears to enumerate through these addresses: > ... >> /way-board/way-board.cgi?db=/etc/passwd%00 > > What response do you get if you try to get the above from a system > that's supposedly vulnerable? Look at the headers and body returned. > Never any result on any of the systems I've checked, 404 errors.
As I mentioned before I get 404's from all affected systems: It shows way-board messages from ssh, smtp,icmp, which is strange. See items below: My raw ness item shows these entries: I have 679 entries for icmp: SERVER <|> INFO <|> xxx.edu <|> general/icmp <|> The 'way-board' CGI is installed. This CGI has;a well known security flaw that lets an attacker read arbitrary;files with the privileges of the http daemon (usually root or nobody).;;Solution : remove it from /cgi-bin.;;Risk factor : Serious; <|> 10114 <|> SERVER 16 entries for ssh: SERVER <|> INFO <|> xxx.edu <|> ssh (22/tcp) <|> The 'way-board' CGI is installed. This CGI has;a well known security flaw that lets an attacker read arbitrary;files with the privileges of the http daemon (usually root or nobody).;;Solution : remove it from /cgi-bin.;;Risk factor : Serious; <|> 11574 <|> SERVER 8 entries for smtp: SERVER <|> HOLE <|> xxx.edu <|> smtp (25/tcp) <|> The 'way-board' CGI is installed. This CGI has;a well known security flaw that lets an attacker read arbitrary;files with the privileges of the http daemon (usually root or nobody).;;Solution : remove it from /cgi-bin.;;Risk factor : Serious; <|> 11828 <|> SERVER 481 entries for general/tcp: SERVER <|> HOLE <|> xxx.edu <|> ssh (22/tcp) <|> The 'way-board' CGI is installed. This CGI has;a well known security flaw that lets an attacker read arbitrary;files with the privileges of the http daemon (usually root or nobody).;;Solution : remove it from /cgi-bin.;;Risk factor : Serious; <|> 11837 <|> SERVER 47 entries for udp: SERVER <|> INFO <|> xxx.edu <|> unknown (2049/udp) <|> The 'way-board' CGI is installed. This CGI has;a well known security flaw that lets an attacker read arbitrary;files with the privileges of the http daemon (usually root or nobody).;;Solution : remove it from /cgi-bin.;;Risk factor : Serious; <|> 10219 <|> SERVER 4 entries for xdmcp. SERVER <|> INFO <|> xxx.edu <|> xdmcp (177/udp) <|> The 'way-board' CGI is installed. This CGI has;a well known security flaw that lets an attacker read arbitrary;files with the privileges of the http daemon (usually root or nobody).;;Solution : remove it from /cgi-bin.;;Risk factor : Serious; <|> 10891 <|> SERVER It really is strange as it is showing what it thinks is wayboard installed on various other ports, which doesn't make sense. I'v restarted nessus, and don't show any other strange scan results. It appears the plugin is scanning ports it should not be, or otherwise doing something strange. None of the systems I've checked have way-point installed. I'm completelly mystified. > > George > -- > [EMAIL PROTECTED] > _______________________________________________ > Nessus mailing list > [EMAIL PROTECTED] > http://mail.nessus.org/mailman/listinfo/nessus > -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana _______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
