Mailing List Archive

On Thu, Aug 22, 2002 at 11:55:15AM +0200, Noam Rathaus wrote:
> Hi,
>
> This will prevent a 404 false positive on this plugin.

Have you experienced a false positive for this plugin ? The point is to
compare the error code returned by the remote http server when requested
a non-existent directory vs. an existing one.

What this plugin does is that it first requests
../../../../../something/inexistant and reads the first line of the
reply of the remote server (typically "HTTP/1.1 404"). Then it requests
../../../../../etc/ (which hopefully exists) and reads the first line of
the reply of the remote server (we expect "HTTP/1.1 404" too, but in the
case of ICEcast, it returns a HTTP/1.1 200 OK).

If the two replies are different, there is a way to determine the
existance of a directory or not. So your check is redundant and may
cause false negatives.


-- Renaud

On Thu, Aug 22, 2002 at 12:33:29PM +0200, Noam Rathaus wrote:
> Hi,
>
> So in our case if I check that 404 was returned I can rule out this plugin's
> success?

No. If you obtain the same reply to the two different requests, then the
plugin failed. If you obtain two different error codes, then something's
fishy and needs to be investigated.


-- Renaud

Hi,

So in our case if I check that 404 was returned I can rule out this plugin's
success?

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Renaud Deraison" <deraison@nessus.org>
To: "Nessus Plugin Mailing List" <plugins-writers@list.nessus.org>
Sent: Thursday, August 22, 2002 11:17 AM
Subject: Re: icecast_disclosure.nasl


> On Thu, Aug 22, 2002 at 11:55:15AM +0200, Noam Rathaus wrote:
> > Hi,
> >
> > This will prevent a 404 false positive on this plugin.
>
> Have you experienced a false positive for this plugin ? The point is to
> compare the error code returned by the remote http server when requested
> a non-existent directory vs. an existing one.
>
> What this plugin does is that it first requests
> ../../../../../something/inexistant and reads the first line of the
> reply of the remote server (typically "HTTP/1.1 404"). Then it requests
> ../../../../../etc/ (which hopefully exists) and reads the first line of
> the reply of the remote server (we expect "HTTP/1.1 404" too, but in the
> case of ICEcast, it returns a HTTP/1.1 200 OK).
>
> If the two replies are different, there is a way to determine the
> existance of a directory or not. So your check is redundant and may
> cause false negatives.
>
>
> -- Renaud
>

Hi,

I have a server that because you are providing it with a invalid response will
simply ignore your request, and respond with an empty response for some, and for
others it will respond with a "HTTP/1.0 404 " therefore a test to verify that no
404 was responded, and no empty response was received for the should-not-exist
test, should clear any problem of false positive.

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Renaud Deraison" <deraison@nessus.org>
To: "Nessus Plugin Mailing List" <plugins-writers@list.nessus.org>
Sent: Thursday, August 22, 2002 11:35 AM
Subject: Re: icecast_disclosure.nasl


> On Thu, Aug 22, 2002 at 12:33:29PM +0200, Noam Rathaus wrote:
> > Hi,
> >
> > So in our case if I check that 404 was returned I can rule out this plugin's
> > success?
>
> No. If you obtain the same reply to the two different requests, then the
> plugin failed. If you obtain two different error codes, then something's
> fishy and needs to be investigated.
>
>
> -- Renaud
>