[Nikto-discuss] False positives ?
Thomas Raef
traef at ebasedsecurity.com
Mon May 11 13:51:30 UTC 2009
I've noticed these false positives as well.
If you have a default 404 page, you'll see these false positives, as the URL issued with the GET command does return a page (your default 404 page), so it assumes that since it issued a command and received a result, the command must have worked.
Those have been my findings, anyway. Anyone have more information?
Thomas J. Raef
www.ebasedsecurity.com
"You're either hardened, or you're hacked!"
www.wewatchyourwebsite.com
"We Watch Your Website - so you don't have to!"
________________________________
From: nikto-discuss-bounces at attrition.org on behalf of titans team
Sent: Mon 5/11/2009 8:41 AM
To: nikto-discuss at attrition.org
Subject: [Nikto-discuss] False positives ?
Hi guys,
Running a scan against my Apache web server shows this:
+ OSVDB-0: GET /scripts/banner.cgi : This CGI may allow attackers to read any file on the system.
+ OSVDB-0: GET /scripts/bannereditor.cgi : This CGI may allow attackers to read any file on the system.
+ OSVDB-0: GET /sips/sipssys/users/a/admin/user : SIPS v0.2.2 allows user account info (including password) to be retrieved remotely.
+ OSVDB-0: GET /scripts/addbanner.cgi : This CGI may allow attackers to read any file on the system.
+ OSVDB-0: GET /scripts/ans.pl?p=../../../../../usr/bin/id|&blah : Avenger's News System allows commands to be issued remotely.
+ OSVDB-0: GET /scripts/ans/ans.pl?p=../../../../../usr/bin/id|&blah : Avenger's News System allows commands to be issued remotely.
+ OSVDB-0: GET /admentor/adminadmin.asp : Version 2.11 of AdMentor is vulnerable to SQL injection during login, in the style of: ' or =
+ OSVDB-0: GET /index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-0: GET /scripts/Count.cgi : This may allow attackers to execute arbitrary commands on the server
+ OSVDB-0: GET /isapi/count.pl? : AN HTTPd default script may allow writing over arbitrary files with a new content of '1', which could allow a trivial DoS. Append /../../../../../ctr.dll to replace this file's contents, for example.
+ OSVDB-376: GET /admin/contextAdmin/contextAdmin.html : Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-3092: GET /cgi-bin/textcounter.pl : This might be interesting...
+ OSVDB-13483: GET /adsamples/config/site.csc : Contains SQL username/password
+ OSVDB-3092: GET /advworks/equipment/catalog_type.asp : This might be interesting...
+ OSVDB-3092: GET /scripts/counter.exe : This might be interesting...
+ OSVDB-3233: GET /scripts/fpcount.exe : Default FrontPage CGI found.
The thing is that none of these files exist on the server.
Any idea why this shows up?
Best Regards,
Nick.
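One way to triage a result list like this against the "soft 404" behaviour Thomas describes, as an added example that is not part of this thread or of Nikto itself: it requests a few paths that cannot exist, records the normalized signature of the page the server returns for them, and flags any finding whose body matches that signature. The simulated server, its paths and the probe path prefix are constructed assumptions.

```python
import hashlib
import re
import secrets

# Constructed stand-in for a web server: path -> (status, body). Every unknown
# path gets the site's custom "not found" page with HTTP 200, which is the
# misconfiguration that makes a scanner treat the request as successful.
NOT_FOUND_PAGE = "<html><title>Oops</title><body>Page not found. Request id: {rid}</body></html>"

SITE = {
    "/index.html": (200, "<html><body>Welcome</body></html>"),
    "/scripts/fpcount.exe": (200, "FrontPage counter binary"),  # constructed: this path does exist here
}

def fetch(path):
    """Simulated GET: known paths return their content, anything else a soft 404 (status 200)."""
    if path in SITE:
        return SITE[path]
    rid = hashlib.sha1(path.encode()).hexdigest()[:8]
    return 200, NOT_FOUND_PAGE.format(rid=rid)

def normalize(body):
    """Mask request-specific tokens (hex ids, numbers) so equivalent error pages hash alike."""
    body = re.sub(r"[0-9a-f]{8,}", "ID", body)
    body = re.sub(r"\d+", "N", body)
    return hashlib.sha256(body.encode()).hexdigest()

def soft404_baseline(fetch_fn, probes=3):
    """Request random paths that cannot exist. Return the common normalized signature
    if the server answers 200 with the same page each time, else None."""
    sigs = set()
    for _ in range(probes):
        status, body = fetch_fn("/fp-check-" + secrets.token_hex(8))  # assumed probe prefix
        if status == 404:
            return None  # server reports missing paths correctly; no soft-404 baseline needed
        sigs.add(normalize(body))
    return sigs.pop() if len(sigs) == 1 else None

def triage(findings, fetch_fn):
    """Re-request each reported path and label it by how its response compares to the baseline."""
    baseline = soft404_baseline(fetch_fn)
    verdicts = {}
    for path in findings:
        status, body = fetch_fn(path)
        if status == 404:
            verdicts[path] = "absent"
        elif baseline and normalize(body) == baseline:
            verdicts[path] = "likely_false_positive"
        else:
            verdicts[path] = "needs_review"
    return verdicts

FINDINGS = ["/scripts/banner.cgi", "/scripts/fpcount.exe", "/admentor/adminadmin.asp"]

if __name__ == "__main__":
    for path, verdict in triage(FINDINGS, fetch).items():
        print(f"{verdict:22} {path}")
```

A path marked "needs_review" still has to be checked by hand; the signature match only removes the ones that are indistinguishable from the not-found page.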