On Sat Jun 18 2005 at 13:33, Brian Jameson wrote:
> GET GET %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
> GET GET %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini
Good point!
> I think that this duplication of GET is rather an odd construct
> and was wondering a) Is this intentional, if so what does it show?
> or b) is this an error in the writing of the Nessus rule?
I guess this is a bug. Thanks!
> I don't see why it duplicates the 'GET'.
check_win_dir_trav takes a URL argument, but the script instead calls it
with the full request.
Try this patch (I am committing it; it will be available soon):
Index: analogx_traversal.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/analogx_traversal.nasl,v
retrieving revision 1.13
diff -c -r1.13 analogx_traversal.nasl
*** analogx_traversal.nasl 25 May 2005 19:39:00 -0000 1.13
--- analogx_traversal.nasl 18 Jun 2005 12:29:40 -0000
***************
*** 66,83 ****
if(! get_port_state(port)) exit(0);
! req1 = http_get(item:"%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini",
port:port);
! req2 = http_get(item:"%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini",
port:port);
!
! if (check_win_dir_trav(port: port, url: req1))
{
! security_hole(port);
! exit(0);
}
-
- if (check_win_dir_trav(port: port, url: req2))
- {
- security_hole(port);
- exit(0);
- }
-
--- 66,77 ----
if(! get_port_state(port)) exit(0);
! foreach d (make_list("windows", "winnt"))
{
! u = strcat("%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/", d, "/win.ini");
! if (check_win_dir_trav(port: port, url: u))
! {
! security_hole(port);
! exit(0);
! }
}
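Review bot: add a one-line comment above the foreach stating that check_win_dir_trav takes a path and builds the request itself; the removed lines show exactly how the confusion arose (the http_get() result passed as url:), and nothing in the new code records that, so the "GET GET" mistake could easily be reintroduced by a later edit. One thing to confirm as well: u starts with "%2E%2E/" and no leading "/", the same as the old item: strings, so check that check_win_dir_trav sends the path unchanged rather than prefixing a slash, since the request line is now formed only there.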
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
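The traversal probe discussed in this thread, as an added example that is not part of the original message or of the Nessus plugin: a small Python version of the check that check_win_dir_trav performs, written so it runs offline against constructed responses. It reproduces the "GET GET" request that revision 1.13 sent, shows why a server never answers it with win.ini, and guards the check so a full request can no longer be passed where a path is expected. The win.ini recognition heuristic (looking for the [fonts] or [extensions] section header), the HTTP/1.0 framing, and the two fake servers are assumptions made for this example, not details taken from the plugin.

```python
"""Added example, not the analogx_traversal.nasl plugin's own code."""
import socket
from typing import Callable, Optional

TRAVERSAL = "%2E%2E/" * 5           # five URL-encoded "../", as in the plugin
CANDIDATE_DIRS = ("windows", "winnt")


def build_get_request(item: str, host: str = "target") -> bytes:
    """Raw GET for a path, sent exactly as given (no '/' is prepended, like the plugin)."""
    return f"GET {item} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def old_plugin_request(d: str) -> bytes:
    """What revision 1.13 effectively sent: a built request passed again as the path."""
    req = build_get_request(f"{TRAVERSAL}{d}/win.ini").decode()
    return build_get_request(req)        # starts with b"GET GET %2E%2E/..."


def looks_like_win_ini(body: bytes) -> bool:
    """Assumption for this example: a leaked win.ini shows its classic section headers."""
    lower = body.lower()
    return b"[fonts]" in lower or b"[extensions]" in lower


def check_win_dir_trav(send: Callable[[bytes], bytes], url: str, host: str = "target") -> bool:
    """Fetch url and decide whether the reply is a Windows win.ini.

    Takes a path, never a request: reject anything that already looks like one,
    which is the misuse that produced the duplicated GET in the thread."""
    if url.startswith("GET ") or " HTTP/" in url:
        raise ValueError(f"check_win_dir_trav takes a path, not a request: {url!r}")
    resp = send(build_get_request(url, host))
    head, _, body = resp.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return status_line.startswith(b"HTTP/1.") and b" 200 " in status_line and looks_like_win_ini(body)


def scan(send: Callable[[bytes], bytes]) -> Optional[str]:
    """Mirror the patched plugin loop: return the first directory that leaks win.ini."""
    for d in CANDIDATE_DIRS:
        u = f"{TRAVERSAL}{d}/win.ini"
        if check_win_dir_trav(send, u):
            return d
    return None


def tcp_sender(host: str, port: int, timeout: float = 5.0) -> Callable[[bytes], bytes]:
    """Real transport for a live check (not used by the offline run below)."""
    def send(req: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            chunks = []
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
        return b"".join(chunks)
    return send


# Constructed responses for the offline run (not captured from a real server).
WIN_INI = b"; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n"


def fake_vulnerable_server(req: bytes) -> bytes:
    """Traversable server whose system directory is WINNT, so the 'windows' probe 404s."""
    line = req.split(b"\r\n", 1)[0]
    if line.count(b"GET ") != 1:         # a "GET GET ..." request line is malformed
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if b"winnt/win.ini" in line:
        return b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n" + WIN_INI
    return b"HTTP/1.0 404 Not Found\r\n\r\n<html>not here</html>"


def fake_patched_server(req: bytes) -> bytes:
    return b"HTTP/1.0 403 Forbidden\r\n\r\n"


if __name__ == "__main__":
    print("old request line:", old_plugin_request("winnt").split(b"\r\n", 1)[0][:40])
    print("old probe gets:  ", fake_vulnerable_server(old_plugin_request("winnt")).split(b"\r\n", 1)[0])
    print("vulnerable:", scan(fake_vulnerable_server))   # winnt
    print("patched:   ", scan(fake_patched_server))      # None
```

For a live target, replace the fake server with tcp_sender(host, port); everything else, including the loop over both candidate directories, stays the same. The ValueError guard is the cheap regression test the original plugin lacked: the 1.13 code would have failed loudly instead of silently sending a request no server could answer.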