
Plugin false positive?

Subject: Plugin false positive?
Date: Wed, 22 Jun 2005 21:45:07 +0200
Nessus Plugin ID 10698
BugTraq ID 2513

Weblogic server /%00/ bug

http://www.nessus.org/plugins/index.php?view=single&id=10698

Maybe reports a false positive on my APC Silcon DP320E UPS web interface.

I've tried to call the http page with the /%5c/, /%00/, etc. to try and get a result, but the response from the server is 404:

Object Not Found
The requested URL '/%5c/' was not found on the APC Management Web Server.

I've tried sniffing the traffic, and my ethereal output is this:
2.457318 172.22.13.4 -> 172.22.15.10 HTTP GET /%5c/ HTTP/1.1
2.470371 172.22.15.10 -> 172.22.13.4 TCP http > 34927 [ACK] Seq=1 Ack=447 Win=1600 Len=0
2.485736 172.22.15.10 -> 172.22.13.4 HTTP HTTP/1.1 404 Not Found


Maybe my request is wrong when I try to do this manually, but I read the plugin source code, and maybe I've misunderstood something regarding the actual request? (and can't find %00 among them in the plugin)
http_getdirlist(itemstr:"/", port:port);
http_getdirlist(itemstr:"/%2e/", port:port);
http_getdirlist(itemstr:"/%2f/", port:port);
http_getdirlist(itemstr:"/%5c/", port:port);


A telnet to port 80 reports this when trying:

# telnet 172.22.15.10 80
Trying 172.22.15.10...
Connected to 172.22.15.10.
Escape character is '^]'.
GET /%5c/ HTTP/1.1

HTTP/1.1 400 Bad Request
Content-Length: 0
Server: Allegro-Software-RomPager/3.10

The server name is not reporting a weblogic server.

Anyone got an idea on why Nessus reports a positive?

Sincerely
Max Andersen


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
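
Added example (not part of the original post, and not Nessus plugin code): one way to repeat the manual check described in the message from Python, sending the four probe paths quoted from the plugin with a Host header and reporting the status, the Server banner and whether the body looks like a directory index. The listing markers, the helper names and the sample responses are assumptions constructed for illustration; how the plugin itself decides is not shown on this page.

```python
import socket

# Probe paths copied from the plugin excerpt quoted in the post.
PROBE_PATHS = ["/", "/%2e/", "/%2f/", "/%5c/"]
# Assumption: strings that typically mark an auto-generated directory index.
LISTING_MARKERS = (b"index of /", b"directory listing for", b"parent directory")

def build_request(host, path):
    # HTTP/1.1 requires a Host header; a compliant server answers 400 without one.
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw):
    """Verdict for one probe: a listing needs a 200 and an index-like body."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    listing = status == 200 and any(m in body.lower() for m in LISTING_MARKERS)
    return {"status": status, "server": server, "listing": listing,
            "weblogic_banner": "weblogic" in server.lower()}

def probe(host, port=80, timeout=5):
    """Send each probe path to the device under review; return verdicts."""
    results = {}
    for path in PROBE_PATHS:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, path))
            chunks = []
            while data := s.recv(4096):
                chunks.append(data)
        results[path] = classify(b"".join(chunks))
    return results

# Constructed sample, reusing the banner and 404 text quoted in the post.
SAMPLE_404 = (b"HTTP/1.1 404 Not Found\r\nServer: Allegro-Software-RomPager/3.10"
              b"\r\n\r\nObject Not Found")
# Constructed response from a hypothetical server that does list a directory.
SAMPLE_LISTING = (b"HTTP/1.1 200 OK\r\nServer: ExampleServer/1.0\r\n\r\n"
                  b"<title>Index of /</title><a href='../'>Parent Directory</a>")
```

A finding is worth keeping only if some path returns `listing: True`; a 404 or 400 on every probe together with a non-WebLogic banner points to a false positive.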