On Sat Jun 18 2005 at 13:33, Brian Jameson wrote:
GET GET %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
GET GET %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini
Good point!
I think that this duplication of GET is rather an odd construct
and was wondering a) Is this intentional, if so what does it show?
or b) is this an error in the writing of the Nessus rule?
I guess this is a bug. Thanks!
I don't see why it duplicates the 'GET'.
check_win_dir_trav takes an URL argument, and instead, the script
calls it with the full request.
Try this patch (I commit it, it will be available soon):
Index: analogx_traversal.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/analogx_traversal.nasl,v
retrieving revision 1.13
diff -c -r1.13 analogx_traversal.nasl
*** analogx_traversal.nasl 25 May 2005 19:39:00 -0000 1.13
--- analogx_traversal.nasl 18 Jun 2005 12:29:40 -0000
***************
*** 66,83 ****
if(! get_port_state(port)) exit(0);
! req1 = http_get(item:"%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini",
port:port);
! req2 = http_get(item:"%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini",
port:port);
!
! if (check_win_dir_trav(port: port, url: req1))
{
! security_hole(port);
! exit(0);
}
-
- if (check_win_dir_trav(port: port, url: req2))
- {
- security_hole(port);
- exit(0);
- }
-
--- 66,77 ----
if(! get_port_state(port)) exit(0);
! foreach d (make_list("windows", "winnt"))
{
! u = strcat("%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/", d, "/win.ini");
! if (check_win_dir_trav(port: port, url: u))
! {
! security_hole(port);
! exit(0);
! }
}
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
