Mailing List Archive

Bug in wsftp_file_path_parsing_dos.nasl (ID 14584) ?
Hi,

this plugin matches the ftp banner using the following:

if (egrep(pattern:"WS_FTP Server ([0-4]\.|5\.0\.[0-2][^0-9])", string: banner))

So this will fire on 5.0.0, 5.0.1, 5.0.2 but not 5.0.3 or 5.0.4.

According to http://www.securityfocus.com/bid/11065/ (which is one of the refs
listed in the nasl), 5.0.3 and 5.0.4 (excluding 5.0.4 hotfix 1) are vulnerable.

Suggested bugfix would be

if (egrep(pattern:"WS_FTP Server ([0-4]\.|5\.0\.[0-4][^0-9])", string: banner))

If 5.0.4 Hotfix 1 has a different banner it should be excluded of course...


--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: Bug in wsftp_file_path_parsing_dos.nasl (ID 14584) ?
On Thu, Oct 12, 2006 at 05:24:13PM +0100, Hubert Seiwert wrote:

> this plugin matches the ftp banner using the following:
>
> if (egrep(pattern:"WS_FTP Server ([0-4]\.|5\.0\.[0-2][^0-9])", string: banner))
>
> So this will fire on 5.0.0, 5.0.1, 5.0.2 but not 5.0.3 or 5.0.4.
>
> According to http://www.securityfocus.com/bid/11065/ (which is one of the refs
> listed in the nasl), 5.0.3 and 5.0.4 (excluding 5.0.4 hotfix 1) are vulnerable.

I have no idea why SecurityFocus would claim 5.04 is affected. The
original advisory only mentions 5.02. And Ipswitch's changelogs for
WS_FTP state the fix was incorporated into 5.03; eg,

http://www.ipswitch.com/support/ws_ftp-server/releases/wr503.asp

and Secunia also makes the same claim:

http://secunia.com/advisories/12406

I'm updating the plugin with a link to the WS_FTP release note, but at
this point I don't agree that changing the banner check is the correct
thing to do.

George
--
theall@tenablesecurity.com
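
The two banner patterns discussed in this thread, run against constructed banners (an added example, not part of either message and not code from the plugin). The banner layout, host name and version list are assumptions made for illustration; Python's re module stands in for NASL's egrep, which behaves the same for these two expressions.

```python
import re

# The shipped check and the suggested change, as quoted in the thread.
CURRENT = r"WS_FTP Server ([0-4]\.|5\.0\.[0-2][^0-9])"
PROPOSED = r"WS_FTP Server ([0-4]\.|5\.0\.[0-4][^0-9])"

# Constructed banner layout (assumption): the version is followed by a space.
BANNER_FMT = "220 ftp.example.test X2 WS_FTP Server {} (0000000000)"

# Constructed version strings, including some that must NOT match.
VERSIONS = ["4.0.2", "5.0.0", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.20", "6.0"]


def egrep(pattern, string):
    """Return the lines of `string` that match `pattern`, like egrep."""
    rx = re.compile(pattern)
    return [line for line in string.splitlines() if rx.search(line)]


def flagged(pattern, versions, fmt=BANNER_FMT):
    """Return the versions whose banner the pattern would report."""
    return [v for v in versions if egrep(pattern, fmt.format(v))]


def compare(versions=VERSIONS, fmt=BANNER_FMT):
    """Versions whose result differs between the two patterns."""
    cur = set(flagged(CURRENT, versions, fmt))
    new = set(flagged(PROPOSED, versions, fmt))
    return sorted(cur ^ new)


if __name__ == "__main__":
    print("current :", flagged(CURRENT, VERSIONS))
    print("proposed:", flagged(PROPOSED, VERSIONS))
    print("differ  :", compare())
    # Edge case: the trailing [^0-9] needs one more character on the line,
    # so a banner line that ends right after "5.0.2" is not reported.
    print("eol     :", flagged(CURRENT, ["5.0.2"], fmt="220 WS_FTP Server {}"))
```

The only versions on which the two patterns disagree are 5.0.3 and 5.0.4; the trailing [^0-9] keeps 5.0.20 out of both, and also means the 5.0.x branch needs at least one character after the version on the banner line.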