Taras,
On Mon, Jan 31, 2011 at 6:08 PM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> Oh, it is bad and good bug in same time =)
> Bad side is that bug is not trivial to reproduce and it occurs
> "suddenly". But it looks like I found the problem. It is because of
> mistiming of db file and transactions files (*.trace) when target is
> changed. DB file is initialized in start of application and then it is
> bypassed through KB global object. But transactions files stores in
> 'get_home_dir() + 'sessions' + 'db_' + sessionName' dir
> This dir can be changed from start! Steps to reproduce:
> 1. run ./w3af_gui
> 2. launch proxy tool and test some site like
> http://pentagon.afis.osd.mil ;)
> 3. close proxy tool and try to scan some *different* site e.g.
> http://www.defense.gov
> 4. launch proxy tool again
>
> Current result:
> you must see this cruel exception
Good to see that we know how to reproduce this vulnerability! I've
assigned it to you to fix at your earliest convenience :)
https://sourceforge.net/apps/trac/w3af/ticket/161417
> So the solution is to use single dir to transactions files with name
> similar to DB file and do not use sessionName in it to generate path
> every time.
Agreed.
> The good side in this bug is opportunity to make one more improvement in
> deal with this *big* number of session transactions files. We need to
> delete it in the end of session (when w3af is being closed).
Yep, we should use only one file there.
> I can fix it in the nearest days or you of course can assign it to
> another person if we need to fix it e.g. tomorrow =)
Thanks!
> On Mon, 2011-01-31 at 09:49 -0300, Andres Riancho wrote:
>> Oxdef,
>>
>> We've been getting a lot [0] of automatic bug reports that look like
>> this:
>>
>> w3afException: An internal error ocurred while searching for id "246".
>> Original exception: "[Errno 2] No such file or directory:
>> '/root/.w3af/sessions/some-site.com-2011-Jan-31_12-56-05/246.trace'"
>>
>> The only location where ".trace" files are created is in
>> "core/data/db/history.py". Do you have any idea on why this might
>> happen? How can we fix it? Thanks!
>>
>> [0] https://sourceforge.net/apps/trac/w3af/search?q=.trace
>>
>> Regards,
>
> --
> Taras
> http://oxdef.info
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>
>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
