this plugin refers to CVE-2009-4612,
a XSS vulnerability for Jetty version 6.0.x to 6.1.21.
The plugin first,
(1)
- try the XSS and check the return
if it match it 'warning_exit'
(2)
- it check the version for Jetty
if it match 6.0.x to 6.1.21, it 'warning_exit'
why the plugin do not test first (2) , exit if it does not match
and then do (1)
because (1) can easily be a false positive as example my server return :
No topic found for "jspsnoop<script>alert(123)<script>"
that of couse match .... and my server is jetty 7.5.4 so not vulnerable
to this CVE.
--
| Sébastien AUCOUTURIER | Software Design Engineer Lead |
| ITrust | 55 rue l'Occitane BP 67303 31673 LABEGE CEDEX
| Email: [email protected] | Fixe Sdt. 05.67.34.67.80 | Fax.
09.80.08.37.23
| IT Security Services & SaaS Editor |
_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
