This plugin reported a web server I scanned as being vulnerable to SQL injection. The actual output is

+++++
The remote web server is vulnerable to SQL injection

Nessus ID : 33929 <http://cgi.nessus.org/nessus_id.php3?id=33929>
+++++

Nessus doesn't give, and I can't find, any details as to how it came to this conclusion. The web server is running a default instance of IIS 6.0 and only displays the default IIS home page. There is no web application running on this server.

This same plugin also reports the following as a separate record

+++++
Synopsis :
Nessus has determined that this server is NOT COMPLIANT with the PCI DSS requirements.

Description :
The remote web server is vulnerable to some cross-site scripting attacks (XSS), or implements old SSL2.0 cryptography, or runs obsolete software, or is vulnerable to dangerous flaws (CVSS base score >= 4).

See also :
http://www.pcisecuritystandards.org/
http://en.wikipedia.org/wiki/PCI_DSS

Plugin output :
+ A web server is vulnerable to SQL injection
+ A medium risk flaw was found. See: http://www.nessus.org/plugins/index.php?view=single&id=10759

Nessus ID : 33929 <http://cgi.nessus.org/nessus_id.php3?id=33929>
+++++

Still no real details. Can you tell me how Nessus determined this host is vulnerable to SQL injection?

Thanks
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
