On February 27, 2006 07:06 am, George A. Theall wrote:
On Sun, Feb 26, 2006 at 09:16:16PM -0500, Ian Scott wrote:
In the results, there is a message that Nessus "discovered" the
webfind.exe cgi script.
Which plugin reported this? At first blush, it would seem as if you're
talking about #10475 (webfind.nasl), but does not contain the word
"discovered".
I'm not sure what plugin - I ran Nessus with all plugins activated. The exact
wording of the security note is this:
************
Synopsis :
The remote web server contains a CGI script that is affected by a
buffer overflow flaw.
Description :
The 'webfind.exe' CGI script on the remote host is vulnerable to a
buffer overflow when given a too long 'keywords' argument. This
problem allows an attacker to execute arbitrary code as root on this
host.
See also :
http://archives.neohapsis.com/archives/bugtraq/2000-07/0268.html
Solution :
Upgrade to WebSite Professional 2.5 or delete this CGI.
Risk factor :
Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2000-0622
BID : 1487
Nessus ID : 10475
*************
Ooops, ok, it was plugin #10475 indeed.
What would cause this false positive?
Why do you say it's a false-positive? Have you looked at the web logs
from the affected server? Or looked at a packet capture from running the
plugin in question?
Here's a portion of the weblog of the affected server, after running Nessus:
XXX.XXX.XXX.XXX - - [26/Feb/2006:18:47:16 -0500]
"GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535
As you can see, it returned a 500 error.
pgpBpNsigIkQX.pgp
Description: PGP signature
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
