Mailing List Archive

/%00/
Is there any real difference between roxen_percent.nasl and
weblogic_percent.nasl ?
Re: /%00/
> Is there any real difference between roxen_percent.nasl and
> weblogic_percent.nasl ?

Yes, the 1 Roxen check is included in the Weblogic nasl (which has more
encoded variations in it). But note that Roxen success is based on
"Directory listing of" and Weblogic is "directory listing of", so if
case matters or you don't make it case insensitive then that's the
difference.

-Sullo

___________________________________________________
http://www.cirt.net/
Home of Nikto
Re: /%00/
"sullo" <sullo@cirt.net> writes:

> But note that Roxen success is based on
> "Directory listing of" and Weblogic is "directory listing of",

... which both fail if the system locale has been set to something
other than English :-\

So instead of two [potentially] broken scripts, maybe a single one would
be better.

IMHO, we should:
GET /
GET /%00/
If both answer 200 and the result is different, the server is
vulnerable. No?

Nobody will be stupid enough to call a file or directory %00
This will not work with a standard web server...

--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
Re: /%00/
Michel Arboi wrote:
> > But note that Roxen success is based on
> > "Directory listing of" and Weblogic is "directory listing of",
>
> ... which both fail if the system locale has been set to something
> other than English :-\

People use other languages? WHAT? :)

> IMHO, we should:
> GET /
> GET /%00/
> If both answer 200 and the result is different, the server is
> vulnerable. No?

What about active pages? Someone puts the current time (with seconds) on
a page and it will be different every time it is requested (assuming the
server sends / instead of /%00/). But yes, non-English language
settings are a problem--probably in TONS of plugins.

-Sullo

___________________________________________________
http://www.cirt.net/
Home of Nikto
Re: /%00/
Some web servers spit back an error on the /%00/ request, some reverse proxies
will also catch it and respond with an error (apache for instance). Is there
any format in the directory listing html that can be matched (that isn't
language dependent)?

On Saturday 20 July 2002 08:52, Michel Arboi wrote:
> IMHO, we should:
> GET /
> GET /%00/
> If both answer 200 and the result is different, the server is
> vulnerable. No?
>
> Nobody will be stupid enough to call a file or directory %00
> This will not work with a standard web server...
Re: /%00/
H D Moore <hdm@digitaloffense.net> writes:

> Some web servers spit back an error on the /%00/ request

That's why we should test that the return code is 200

> Is there any format in the directory listing html that can be
> matched (that isn't language dependent)?

Maybe find . and .. on two separate lines?!
Re: /%00/
> H D Moore <hdm@digitaloffense.net> writes:
>
> > Some web servers spit back an error on the /%00/ request
>
> That's why we should test that the return code is 200
>
> > Is there any format in the directory listing html that can be
> > matched (that isn't language dependent)?
>
> Maybe find . and .. on two separate lines?!

I just checked on some WebLogic 5.1.0 machines, and found that
their directory listings do not show "." or "..".

-Sullo

___________________________________________________
http://www.cirt.net/
Home of Nikto
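The check the thread converges on, written out as an added example; this is not code from the thread, from Nessus, or from either .nasl plugin, and it is in Python rather than NASL so it can be run offline. It does the GET / and GET /%00/ comparison Michel Arboi proposes, handles Sullo's active-page objection by fetching / twice and treating the lines that change between those two fetches as noise, and classifies the /%00/ body with Arboi's language-independent "." and ".." test first and the English "directory listing of" phrase (compared case-insensitively, so the Roxen/WebLogic capitalisation difference is irrelevant) as a fallback, because Sullo reports that WebLogic 5.1.0 listings carry no "." or ".." entries. The `fetch` callable, the `FakeServer` stand-in and the three sample listing bodies are constructed for the example and are not captures of real Roxen or WebLogic output.

```python
"""Locale-independent /%00/ check: added example, not code from the thread or from
either .nasl plugin. Runs offline against the constructed FakeServer below."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    body: str


TAG = re.compile(r"<[^>]+>")


def content_differs(base_a: str, base_b: str, probe: str) -> Optional[bool]:
    """Does /%00/ differ from / beyond the variation / shows between two fetches?

    An active page (clock, counter) differs on every request, so a naive
    "bodies differ" test always fires.  Fetching / twice tells us which lines
    are volatile; a real listing drops the *stable* lines of / entirely.
    Returns None when / has no stable lines to compare against."""
    a, b, p = (set(x.splitlines()) for x in (base_a, base_b, probe))
    stable = a & b
    if not stable:
        return None
    volatile = len(a ^ b)             # lines that changed between the two fetches of /
    if stable - p:                    # stable content of / is absent from /%00/
        return True
    return len(p - a - b) > volatile  # more new lines than the page's own churn


def looks_like_listing(body: str) -> bool:
    """Language-independent first: "." and ".." as separate entries.
    Fallback: the English phrase both plugins grep for, compared case-insensitively.
    The thread reports WebLogic 5.1.0 listings have no "." / ".." entries, so the
    fallback is still needed."""
    tokens = [set(TAG.sub(" ", line).split()) for line in body.splitlines()]
    has_dot = any("." in t for t in tokens)
    has_dotdot = any(".." in t for t in tokens)
    if has_dot and has_dotdot:
        return True
    return "directory listing of" in body.lower()


def percent00_check(fetch: Callable[[str], Response]) -> dict:
    """fetch(path) -> Response is supplied by the caller (hypothetical interface)."""
    root_a, root_b, probe = fetch("/"), fetch("/"), fetch("/%00/")
    result = {"root_status": root_a.status, "probe_status": probe.status,
              "listing": False, "differs": None, "vulnerable": False, "confidence": "none"}
    if root_a.status != 200 or probe.status != 200:  # server or proxy error: not vulnerable
        return result
    result["listing"] = looks_like_listing(probe.body)
    result["differs"] = content_differs(root_a.body, root_b.body, probe.body)
    if result["listing"]:
        result["vulnerable"], result["confidence"] = True, "high"
    elif result["differs"]:
        result["vulnerable"], result["confidence"] = True, "medium"
    return result


# --- constructed test doubles; not real Roxen or WebLogic output -------------------
ROXEN_STYLE = "\n".join([
    "<html><title>Directory listing of /</title><body><pre>",
    '<a href="./">.</a>', '<a href="../">..</a>', '<a href="cgi-bin/">cgi-bin/</a>',
    "</pre></body></html>"])
WEBLOGIC_STYLE = "\n".join([            # lower-case phrase, no "." / ".." entries
    "<html><head><title>directory listing of /</title></head><body>",
    '<a href="cgi-bin/">cgi-bin/</a>', "</body></html>"])
LOCALIZED_DOTLESS = "\n".join([         # non-English, no dots: only the diff sees it
    "<html><head><title>Verzeichnis /</title></head><body><pre>",
    '<a href="cgi-bin/">cgi-bin/</a>', "</pre></body></html>"])


class FakeServer:
    """/ is an active page whose clock line changes on every request.
    probe=None means the server treats /%00/ exactly like / (not vulnerable)."""
    def __init__(self, probe: Optional[Response]):
        self.probe, self.calls = probe, 0

    def __call__(self, path: str) -> Response:
        if path == "/%00/" and self.probe is not None:
            return self.probe
        if path in ("/", "/%00/"):
            self.calls += 1
            return Response(200, "\n".join(["<html><body>", "<h1>Welcome</h1>",
                                            f"<p>Generated at 08:52:{self.calls:02d}</p>",
                                            "</body></html>"]))
        return Response(404, "Not found")


if __name__ == "__main__":
    for name, probe in [("roxen-style", Response(200, ROXEN_STYLE)),
                        ("weblogic-style", Response(200, WEBLOGIC_STYLE)),
                        ("localized", Response(200, LOCALIZED_DOTLESS)),
                        ("same-as-root", None),
                        ("rejects-%00", Response(400, "Bad Request"))]:
        print(name, percent00_check(FakeServer(probe)))
```

The two-tier verdict is deliberate: a recognisable listing is reported as high confidence, while "200 on both and the stable part of / is gone" is reported as medium, since the latter also fires on a server that maps /%00/ to some other page. Servers and proxies that reject the request with an error, as H D Moore describes, never get past the status check.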