Taras,

On Mon, Jan 31, 2011 at 6:08 PM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> Oh, it is a bad and a good bug at the same time =)
> The bad side is that the bug is not trivial to reproduce and it occurs
> "suddenly". But it looks like I found the problem. It is because of a
> mistiming of the db file and the transaction files (*.trace) when the target is
> changed. The DB file is initialized at the start of the application and then it is
> passed through the KB global object. But the transaction files are stored in the
> 'get_home_dir() + 'sessions' + 'db_' + sessionName' dir.
> This dir can change from the one at start! Steps to reproduce:
> 1. run ./w3af_gui
> 2. launch the proxy tool and test some site like
> http://pentagon.afis.osd.mil ;)
> 3. close the proxy tool and try to scan some *different* site, e.g.
> http://www.defense.gov
> 4. launch the proxy tool again
>
> Current result:
> you must see this cruel exception
Good to see that we know how to reproduce this vulnerability! I've assigned it to you to fix at your earliest convenience :)

https://sourceforge.net/apps/trac/w3af/ticket/161417

> So the solution is to use a single dir for the transaction files, with a name
> similar to the DB file's, and not use sessionName in it to generate the path
> every time.

Agreed.

> The good side of this bug is the opportunity to make one more improvement in
> dealing with this *big* number of session transaction files. We need to
> delete them at the end of the session (when w3af is being closed).

Yep, we should use only one file there.

> I can fix it in the nearest days, or you of course can assign it to
> another person if we need to fix it e.g. tomorrow =)

Thanks!

> On Mon, 2011-01-31 at 09:49 -0300, Andres Riancho wrote:
>> Oxdef,
>>
>> We've been getting a lot [0] of automatic bug reports that look like
>> this:
>>
>> w3afException: An internal error ocurred while searching for id "246".
>> Original exception: "[Errno 2] No such file or directory:
>> '/root/.w3af/sessions/some-site.com-2011-Jan-31_12-56-05/246.trace'"
>>
>> The only location where ".trace" files are created is in
>> "core/data/db/history.py". Do you have any idea on why this might
>> happen? How can we fix it? Thanks!
>>
>> [0] https://sourceforge.net/apps/trac/w3af/search?q=.trace
>>
>> Regards,
>
> --
> Taras
> http://oxdef.info
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
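An added illustration, in Python, of the mismatch Taras describes (DB path fixed at start, trace directory re-derived from a session name that changes with the target) and of the fix he proposes (one trace directory pinned to the DB file, removed when the session ends). This is constructed example code, not w3af's own history.py; Session, BuggyHistory, FixedHistory, the `_traces` suffix and the session names are hypothetical.

```python
import os
import shutil
import tempfile


class Session:
    """Constructed stand-in for the w3af KB/session state (hypothetical names, not w3af's)."""

    def __init__(self, home, name):
        self.home = home
        self.name = name  # changes when the user points w3af at a different target
        # The DB file path is fixed once, at application start.
        self.db_path = os.path.join(home, "sessions", "db_" + name)


class BuggyHistory:
    """Rebuilds the .trace directory from the *current* session name on every call,
    so traces written under one name are looked up under another after a target change."""

    def __init__(self, session):
        self.session = session

    def _trace_dir(self):
        return os.path.join(self.session.home, "sessions", "db_" + self.session.name)

    def save(self, req_id, payload):
        trace_dir = self._trace_dir()
        os.makedirs(trace_dir, exist_ok=True)
        with open(os.path.join(trace_dir, "%d.trace" % req_id), "wb") as fh:
            fh.write(payload)

    def load(self, req_id):
        path = os.path.join(self._trace_dir(), "%d.trace" % req_id)
        try:
            with open(path, "rb") as fh:
                return fh.read()
        except OSError as exc:
            # Mirrors the shape of the w3afException in the automatic bug reports.
            raise RuntimeError('An internal error occurred while searching for id "%d". '
                               'Original exception: "%s"' % (req_id, exc))


class FixedHistory(BuggyHistory):
    """Pins the .trace directory next to the DB file once, at construction, and
    can remove all of a session's traces when w3af is closed."""

    def __init__(self, session):
        super().__init__(session)
        self.trace_dir = session.db_path + "_traces"  # hypothetical layout
        os.makedirs(self.trace_dir, exist_ok=True)

    def _trace_dir(self):
        return self.trace_dir  # independent of any later session-name change

    def cleanup(self):
        shutil.rmtree(self.trace_dir, ignore_errors=True)


def reproduce(history_cls):
    """Replay the four reproduction steps from the thread against a History class.
    Returns 'found' if trace 246 is still readable after the target changes,
    'missing' if the lookup fails the way the bug reports describe."""
    home = tempfile.mkdtemp()
    try:
        session = Session(home, "some-site.com-2011-Jan-31_12-56-05")
        history = history_cls(session)
        history.save(246, b"GET / HTTP/1.1\r\n")              # step 2: proxy tool on first target
        session.name = "other-site.com-2011-Jan-31_13-10-00"  # step 3: scan a different site
        try:
            history.load(246)                                 # step 4: proxy tool again
            return "found"
        except RuntimeError:
            return "missing"
    finally:
        shutil.rmtree(home, ignore_errors=True)


def cleanup_removes_traces():
    """End-of-session cleanup: True if no trace files remain after cleanup()."""
    home = tempfile.mkdtemp()
    try:
        history = FixedHistory(Session(home, "some-site.com-2011-Jan-31_12-56-05"))
        for req_id in range(1, 6):
            history.save(req_id, b"constructed trace %d" % req_id)
        history.cleanup()
        return not os.path.exists(history.trace_dir)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    print("buggy:", reproduce(BuggyHistory))     # missing
    print("fixed:", reproduce(FixedHistory))     # found
    print("cleanup:", cleanup_removes_traces())  # True
```

Running the module replays the proxy-then-scan-then-proxy sequence twice: the buggy class loses trace 246 as soon as the session name moves, while the pinned-directory class keeps finding it, and `cleanup()` shows the end-of-session deletion Taras mentions.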
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop