Hello,
[ftp_root.nasl]
ftp_root.nasl still has the same problem in 2.0.3 as the previous ones did.
Specifically, the line:
pasv = ftp_get_pasv_port(socket:soc);
causes a false negative. When I comment this out, the script works against
wu-ftpd 2.6.2(2) - the one ftp daemon version I have handy. This would
suggest that there's a problem with the ftp_get_pasv_port command, or that
this command is used incorrectly in the script, OR there's a peculiarity with
wu-ftpd 2.6.2 that causes this.
[default_account.inc]
I noticed that one of the changes I suggested for default_account.inc got
implemented. Thank you! I am still concerned that this won't work
with systems that prompt you for a password even if the password is blank,
but this new version works for me in all of my test machines. I'll post how
to configure Solaris so that it prompts you for a password even if it's
blank once I remember how I did it in the first place :)
I also noticed that this gives false positives whenever an account has a
blank password and the script looks for logins based on that account.
Obviously not a huge problem, but definitely solvable.
[oracle9iAS_slashdot_DoS.nasl]
This script (oracle9iAS_slashdot_DoS.nasl) seems to do nothing! Shouldn't
it set a security hole or a kb item or SOMETHING when http_is_dead() is
true?
TIA,
Brian Costello