On Mon, 27 Feb 2006, Ian Scott wrote:
>> Why do you say it's a false-positive? Have you looked at the web logs
>> from the affected server? Or looked at a packet capture from running the
>> plugin in question?
>
> Here's a portion of the weblog of the affected server, after running Nessus:
>
> XXX.XXX.XXX.XXX - - [26/Feb/2006:18:47:16 -0500] "GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535

That is correct behavior. Take a look after the above GET request for
another request that looks like:
GET
/scripts/webfind.exe?keywords=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Where there are 2000 'X' characters. The webfind.nasl plugin first sends
the GET request you quoted above and if it receives a response code of 500
it then sends the second GET request (with the 2000 'X' characters).
If there is no response to the second GET request the plugin flags a
security hole.
--
- Josh
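
An added example, not part of the original message and not code from the webfind.nasl plugin: a log check that follows the two-request sequence described above to see whether the server logged an answer to the long request. The sample log lines are constructed, the function names and result labels are hypothetical, and it assumes the server writes an access-log entry only once it has answered a request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format), not from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2006:18:47:16 -0500] '
    '"GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535',
    '192.0.2.10 - - [26/Feb/2006:18:47:17 -0500] '
    '"GET /scripts/webfind.exe?keywords=' + "X" * 2000 + ' HTTP/1.1" 500 535',
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
LONG_PROBE_LEN = 2000  # length of the second request's keywords value, per the thread


def webfind_probes(lines):
    """Return (client, timestamp, keywords_length, status) per webfind.exe request."""
    probes = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, ts, _method, target, status, _size = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/webfind.exe"):
            continue
        keywords = parse_qs(url.query).get("keywords", [""])[0]
        probes.append((client, ts, len(keywords), int(status)))
    return probes


def assess(lines):
    """Classify the log against the plugin's two-step logic (labels are hypothetical)."""
    probes = webfind_probes(lines)
    first_got_500 = any(n < LONG_PROBE_LEN and s == 500 for _, _, n, s in probes)
    long_statuses = [s for _, _, n, s in probes if n >= LONG_PROBE_LEN]
    if not first_got_500:
        return "no-first-probe-500"         # plugin would not send the long request
    if long_statuses:
        return "second-request-answered"    # server replied; the flag deserves a second look
    return "second-request-not-logged"      # consistent with "no response" to the long request


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

A "second-request-not-logged" result does not by itself confirm the finding; a packet capture of the plugin run, as suggested in the thread, shows whether the long request reached the server at all.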