From tony.wasson at trin.net Thu Sep 17 14:47:12 2009
From: tony.wasson at trin.net (Tony Wasson)
Date: Thu, 17 Sep 2009 09:47:12 -0500
Subject: [Nikto-discuss] Newbie needs help
Message-ID: <340F99E4AB2A424E8C40F1B31F54EC0E0D9576898D@ITMBXEXCH.enterprise.trin.net>

I'm a newbie to nikto, have run several scans, and the output has items like the ones below.

URI: /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22
HTTP Method: GET
Description: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
Test Links:
  http://"mywebsite"/forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22
  http://"mywebsiteIP"/forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22
OSVDB Entries: OSVDB-0

URI: /scripts/dose.pl?daily&somefile.txt&|ls|
HTTP Method: GET
Description: DailyDose 1.1 is vulnerable to a directory traversal attack in the 'list' parameter.
Test Links:
  http://"mywebsite"/scripts/dose.pl?daily&somefile.txt&|ls|
  http://"mywebsiteIP"/scripts/dose.pl?daily&somefile.txt&|ls|
OSVDB Entries: OSVDB-2799

How does one interpret this? Do I have an actual vulnerability?

Notice: This email message, including any attachments, contains information belonging to Trinity Industries, Inc. and its business units. It has been sent solely for the use of the intended recipients and may be confidential, proprietary, copyrighted, and legally privileged. If you are not an intended recipient, please advise the sender of the error and permanently delete all copies of this email, including any copies that may reside in your deleted box. The unauthorized review, use, disclosure, distribution, or copying of this email or its contents is strictly prohibited.
From davidkl at ivision.com.au Thu Sep 17 22:20:47 2009
From: davidkl at ivision.com.au (David Klein)
Date: Fri, 18 Sep 2009 08:20:47 +1000
Subject: [Nikto-discuss] Newbie needs help
References: <340F99E4AB2A424E8C40F1B31F54EC0E0D9576898D@ITMBXEXCH.enterprise.trin.net>
Message-ID: <9156AD947C46864F88EAE1858D3DE90302025488@ivx2.ivision.com.au>

Tony,

Thanks for emailing!

The first thing I want to draw your attention to is the OSVDB entries. OSVDB stands for Open Source Vulnerability Database; it offers many lists of current and past vulns. The number that you see in Nikto's report (2799) is the unique OSVDB vulnerability number.

Go to the OSVDB website http://osvdb.org/ and type "2799" in on the left hand side where it says OSVDB ID Lookup. You will then arrive at the page http://osvdb.org/show/osvdb/2799

I also recommend clicking the SecurityFocus link within that report, as they often have PoCs of the vuln. For example http://www.securityfocus.com/archive/1/344032

    Bug is found in this script: DailyDose v 1.1 (by www.onlinearts.net)

    The script (dose.pl) does not check the input:

        $data=$ENV{'QUERY_STRING'};
        ($command,$list,$temp, $id) = split ("&",$data,4);
        .
        .
        .
        local ($template) = "$tempdir/$temp";
        open(TEMPL, "$template") || print "no file found $template!";   # open without check var. $temp

    Example (listing):

        http://www.someserver.com/cgi-bin/dose.pl?daily&somefile.txt&|ls|
               ^                          ^       ^     ^            ^
               webserver                  vuln    req   any file     unix command 'ls' to list the directory
                                          script

If you have any further questions feel free to ask! :-)

P.S. Yes, you are vulnerable; you should probably change the Perl script so that it validates (sanitizes) input.
Regards,
David Klein

________________________________
From: nikto-discuss-bounces at attrition.org [mailto:nikto-discuss-bounces at attrition.org] On Behalf Of Tony Wasson
Sent: Friday, September 18, 2009 12:47 AM
To: nikto-discuss at attrition.org
Subject: [Nikto-discuss] Newbie needs help

> I'm a newbie to nikto, have run several scans and the output has items like the ones below,
> [...]
> How does one interpret this? Do I have an actual vulnerability?
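The snippet David quotes from the SecurityFocus post shows why the `|ls|` test URL works: Perl's two-argument open() treats a filename that ends in `|` as a command to pipe from, so `"$tempdir/|ls|"` runs a shell command rather than opening a file. The following is an added illustration written for this page, not DailyDose's or Nikto's own code: the quoted pattern reproduced in a function, next to a hardened version that allow-lists the template name and uses three-argument open(). The `$tempdir` value, the function names and the sample query strings are assumptions; the real script's `$tempdir` is not shown on the list.

```perl
#!/usr/bin/perl
# Added example for this page; not code from DailyDose or Nikto.
use strict;
use warnings;

my $tempdir = '/var/www/templates';   # assumed value; the real $tempdir is not shown in the post

# Vulnerable: mirrors the quoted dose.pl logic. Two-argument open() treats a name that
# starts or ends with '|' as a pipe. With $temp = '|ls|' the name becomes
# '/var/www/templates/|ls|', which ends in '|', so Perl hands "/var/www/templates/|ls"
# to the shell and this function returns the output of 'ls' as if it were the template.
# Not called in the demo below, because it would execute the command.
sub read_template_unsafe {
    my ($query) = @_;
    my ($command, $list, $temp, $id) = split /&/, $query, 4;
    my $template = "$tempdir/$temp";
    open(my $fh, $template) or return "no file found $template!";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Allow-list the template name: a single filename component of sane length,
# no '/', no '..', no '|', no whitespace, no shell metacharacters.
sub valid_template_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    return 0 if $name =~ /\.\./;
    return 1;
}

# Fixed: validate first, then use three-argument open() with an explicit read mode.
# The three-argument form never interprets the name as a pipe, whatever it contains.
sub read_template_safe {
    my ($query) = @_;
    my ($command, $list, $temp, $id) = split /&/, $query, 4;
    return "invalid template name" unless valid_template_name($temp);
    my $template = "$tempdir/$temp";
    open(my $fh, '<', $template) or return "no file found $template!";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed query strings; the template name is the third '&'-separated field,
# exactly as in the Nikto test URL above.
for my $q ('daily&somefile.txt&|ls|',
           'daily&somefile.txt&../../../etc/passwd',
           'daily&somefile.txt&daily.tmpl') {
    my $temp = (split /&/, $q, 4)[2];
    printf "%-24s -> %s\n", $temp, valid_template_name($temp) ? 'accepted' : 'rejected';
}
```

Run it with `perl dose_check.pl`; only the validator is exercised, so nothing is executed or read from disk. The pipe form of open() is the reason this finding is command execution rather than the "directory traversal" wording in Nikto's description, which is worth keeping in mind when rating it.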
From dave at cirt.net Fri Sep 18 07:45:09 2009
From: dave at cirt.net (David Lodge)
Date: Fri, 18 Sep 2009 08:45:09 +0100
Subject: [Nikto-discuss] Newbie needs help
In-Reply-To: <340F99E4AB2A424E8C40F1B31F54EC0E0D9576898D@ITMBXEXCH.enterprise.trin.net>
References: <340F99E4AB2A424E8C40F1B31F54EC0E0D9576898D@ITMBXEXCH.enterprise.trin.net>
Message-ID:

On Thu, 17 Sep 2009 15:47:12 +0100, Tony Wasson wrote:
> I'm a newbie to nikto, have ran several scans and the output has items
> like the ones below,
> URI
>
> /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22

What Nikto does with these vulnerabilities and many others is to attempt to inject JavaScript into the page. Then it looks at the resultant page to see whether the JavaScript is in there.

On a normal web server this is great at finding vulnerabilities; unfortunately some servers customise their 404 (page not found) pages, or even sometimes don't produce a 404. What Nikto does in this case is attempt to see whether it is a standard page or not. Unfortunately this doesn't always work, so if you get a lot of similar requests they may be false positives.

The thing to do, as with any automated vulnerability scanner, is to perform a quick manual check and see what happens when you use that URL.

There may be an underlying vulnerability with the 404 page that allows XSS: I found one on a recent test where they had a redirect page for every URI, which put up an HTTP redirect and an href based on the path given (to redirect to the HTTPS version of the site). This meant that you could perform an XSS attack by just doing:

http://host/">

If it turns out that the apps presented are not present, it could be that you have a redirection page like the above installed. I would check this out manually.
If you wish I can take a look at it; I may even be able to tune Nikto to cope with it in future (obviously redacting privileged information).

Thanks
dave

From davidkl at ivision.com.au Thu Sep 24 02:57:53 2009
From: davidkl at ivision.com.au (David Klein)
Date: Thu, 24 Sep 2009 12:57:53 +1000
Subject: [Nikto-discuss] Nikto Feature enhancement
Message-ID: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au>

Hi guys,

What would you think about a Firefox add-on for Nikto? E.g. encapsulate the entire Nikto tool into a Firefox add-on.

Regards,
David Klein

From ryandewhurst at gmail.com Thu Sep 24 07:16:48 2009
From: ryandewhurst at gmail.com (Ryan Dewhurst)
Date: Thu, 24 Sep 2009 08:16:48 +0100
Subject: [Nikto-discuss] Nikto Feature enhancement
In-Reply-To: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au>
References: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au>
Message-ID:

Sounds awesome!

2009/9/24 David Klein :
> Hi guys,
>
> What would you think about a Firefox add-on for Nikto? E.G encapsulate
> the entire Nikto tool into a Firefox addon.
>
> Regards,
> David Klein

From dave at cirt.net Fri Sep 25 12:26:49 2009
From: dave at cirt.net (David Lodge)
Date: Fri, 25 Sep 2009 13:26:49 +0100
Subject: [Nikto-discuss] Nikto Feature enhancement
In-Reply-To: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au>
References: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au>
Message-ID:

On Thu, 24 Sep 2009 03:57:53 +0100, David Klein wrote:
> What would you think about a Firefox add-on for Nikto? E.G encapsulate
> the entire Nikto tool into a Firefox addon.

It would have some use. I did have a look at using XUL to try and do a noddy interface for Nikto (though it seems excessively complex in talking to back end code).
I'm not going to rule out the feasibility, but it is beyond my current skills - if anybody knows enough about how to make one, then fill your boots.

My current plans for UIs are to do a simple proxy which controls and reports directly through the web browser. One of the enhancements planned for the next release after 2.1.0 is to abstract out UI elements so it will be easier to swap and change UI.

The current ideas I have for UI interfaces are:

* traditional (i.e. CLI - as we have now)
* shell (allows greater control over specific tests/plugins and will replace nikto -Single)
* GUI (a lot of work and requires choosing a widget set that's cross platform)
* plugin/gadget (potentially, if we can get talking to back end code: though this'd have to be browser specific)
* proxy (simple to use and compatible with everything)

dave

From davidkl at ivision.com.au Sun Sep 27 21:54:56 2009
From: davidkl at ivision.com.au (David Klein)
Date: Mon, 28 Sep 2009 07:54:56 +1000
Subject: [Nikto-discuss] Nikto Feature enhancement
References: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au>
Message-ID: <9156AD947C46864F88EAE1858D3DE90302025586@ivx2.ivision.com.au>

Hi Dave,

On hearing your idea, I must admit I like it better. It looks like you have gone into much thought about this!

As far as UI interface goes, would you consider something like Fast-Track currently has?

Regards,
David Klein

-----Original Message-----
From: nikto-discuss-bounces at attrition.org [mailto:nikto-discuss-bounces at attrition.org] On Behalf Of David Lodge
Sent: Friday, September 25, 2009 10:27 PM
To: nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Nikto Feature enhancement

> On Thu, 24 Sep 2009 03:57:53 +0100, David Klein wrote:
>> What would you think about a Firefox add-on for Nikto? E.G encapsulate
>> the entire Nikto tool into a Firefox addon.
>
> It would have some use.
> I did have a look at using XUL to try and do a noddy interface for Nikto
> (though it seems excessively complex in talking to back end code).
> [...]
> dave

From dave at cirt.net Mon Sep 28 06:50:16 2009
From: dave at cirt.net (David Lodge)
Date: Mon, 28 Sep 2009 07:50:16 +0100
Subject: [Nikto-discuss] Nikto Feature enhancement
In-Reply-To: <9156AD947C46864F88EAE1858D3DE90302025586@ivx2.ivision.com.au>
References: <9156AD947C46864F88EAE1858D3DE9030202555D@ivx2.ivision.com.au> <9156AD947C46864F88EAE1858D3DE90302025586@ivx2.ivision.com.au>
Message-ID:

On Sun, 27 Sep 2009 22:54:56 +0100, David Klein wrote:
> On hearing your idea, I must admit I like it better.

I have proof of concept code for nikto-shell, and this is useful in testing plugins -- though it is nowhere near a release-ready state. This was really to prove to myself which bits of Nikto can be swapped out to the interface.

> As far as UI interface goes, would you consider something like
> Fast-Track currently has?
Maybe, I haven't used Fast-Track at all (and can't find screenshots on the web). But I'm not the world's best UI designer, so I'm always happy for people to help :-)

Once I've stopped finding bugs in 2.1.0 and released it, then I will look at UIs. My initial goals will be nikto-shell and a proxy interface. Anything else is only guaranteed if I can find the time and it interests me -- or somebody does some of the legwork first, then I can plagiarise them :-)

dave

From davidkl at ivision.com.au Tue Sep 29 03:15:41 2009
From: davidkl at ivision.com.au (David Klein)
Date: Tue, 29 Sep 2009 13:15:41 +1000
Subject: [Nikto-discuss] Oh Dear!
Message-ID: <9156AD947C46864F88EAE1858D3DE903020255C5@ivx2.ivision.com.au>

Integer overflow in hexadecimal number at /pentest/scanners/nikto/plugins/nikto_headers.plugin line 203, line 279.

Regards,
David Klein

From dave at cirt.net Tue Sep 29 06:30:15 2009
From: dave at cirt.net (David Lodge)
Date: Tue, 29 Sep 2009 07:30:15 +0100
Subject: [Nikto-discuss] Oh Dear!
In-Reply-To: <9156AD947C46864F88EAE1858D3DE903020255C5@ivx2.ivision.com.au>
References: <9156AD947C46864F88EAE1858D3DE903020255C5@ivx2.ivision.com.au>
Message-ID: <1254205815.5258.10.camel@yggdrasil>

On Tue, 2009-09-29 at 13:15 +1000, David Klein wrote:
> Integer overflow in hexadecimal number at
> /pentest/scanners/nikto/plugins/nikto_headers.plugin line 203, line
> 279.

That's really not good - which version are you using? According to the latest 2.1.0, that line is:

$reportnum++;

Which has the potential to overflow, but only if something has gone really pear shaped.

Any chance of a -D d dump of this session (or at least seeing the headers it produces for a GET /)?

Ta
dave

From davidkl at ivision.com.au Tue Sep 29 06:44:04 2009
From: davidkl at ivision.com.au (David Klein)
Date: Tue, 29 Sep 2009 16:44:04 +1000
Subject: [Nikto-discuss] Oh Dear!
References: <9156AD947C46864F88EAE1858D3DE903020255C5@ivx2.ivision.com.au> <1254205815.5258.10.camel@yggdrasil>
Message-ID: <9156AD947C46864F88EAE1858D3DE903020255D1@ivx2.ivision.com.au>

Hi David,

Thanks for the reply. It was version 2.1.0, and I have melted the box. I will let you know if I can get Nikto on a machine again shortly to test it.

Regards,
David Klein

-----Original Message-----
From: David Lodge [mailto:dave at cirt.net]
Sent: Tuesday, September 29, 2009 4:30 PM
To: David Klein
Cc: nikto-discuss at attrition.org
Subject: Re: [Nikto-discuss] Oh Dear!

> That's really not good - which version are you using?
> [...]
> Any chance of a -D d dump of this session (or at least seeing the headers it produces for a GET /)?
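Dave Lodge's reply of 18 Sep above describes the two things to check by hand when Nikto reports an XSS finding such as Tony's: whether the injected JavaScript actually comes back in the page, and whether the server returns a custom or non-404 page for every URI, which makes "found" items suspect. The script below is an added example written for this page, not Nikto's own detection code, that carries out both checks. The marker string is the constant part of Nikto's `alert('Vulnerable')` payload from Tony's output; the sample response bodies are constructed, and the function names and the random-path baseline technique are this example's choices, not anything the list describes.

```perl
#!/usr/bin/perl
# Added example, not Nikto's code: re-check a Nikto XSS finding by hand.
use strict;
use warnings;

# Undo the HTML entity encoding a server uses to neutralise a reflected value.
sub html_unescape {
    my ($s) = @_;
    $s =~ s/&quot;/"/g;
    $s =~ s/&#0*39;/'/g;
    $s =~ s/&#x0*27;/'/gi;
    $s =~ s/&lt;/</g;
    $s =~ s/&gt;/>/g;
    $s =~ s/&amp;/&/g;
    return $s;
}

# Did the distinctive part of the payload come back, and in what form?
#   reflected : verbatim, so it would run in an HTML or script context
#   escaped   : present only after entity decoding, i.e. the server neutralised it
#   absent    : not echoed at all
sub reflection {
    my ($marker, $body) = @_;
    return 'reflected' if index($body, $marker) >= 0;
    return 'escaped'   if index(html_unescape($body), $marker) >= 0;
    return 'absent';
}

# Does the server answer a random, certainly missing path with something other
# than a real 404, or with the very same body it gave the test URL? Then every
# "found" URI on this host is suspect until it is checked individually.
sub catch_all_404 {
    my ($random_status, $random_body, $test_body) = @_;
    return 1 if $random_status != 404;
    return 1 if $random_body eq $test_body;
    return 0;
}

# Combine both checks into one verdict for a finding.
sub triage {
    my (%r) = @_;
    my $refl = reflection($r{marker}, $r{test_body});
    return "reflected unescaped: likely real, confirm in a browser"  if $refl eq 'reflected';
    return "reflected but entity-encoded: not exploitable as HTML"   if $refl eq 'escaped';
    return "not reflected; server has a catch-all/non-404 page: probable false positive"
        if catch_all_404($r{random_status}, $r{random_body}, $r{test_body});
    return "not reflected and proper 404s: probable false positive";
}

# Optional live fetch; only used when a URL is given on the command line.
# Redirects are not followed so that a redirect-everything page is seen as such.
sub fetch {
    my ($url) = @_;
    require LWP::UserAgent;
    my $ua  = LWP::UserAgent->new(timeout => 10, max_redirect => 0);
    my $res = $ua->get($url);
    return ($res->code, $res->decoded_content // '');
}

my $marker = q{alert('Vulnerable')};    # constant part of Nikto's test payload

if (@ARGV) {
    require URI;
    my $url = URI->new($ARGV[0]);
    my ($ts, $tb) = fetch($url);
    my $rnd = $url->clone;                # same host, random path, no query
    $rnd->path('/' . join '', map { ('a'..'z')[int rand 26] } 1 .. 16);
    $rnd->query(undef);
    my ($rs, $rb) = fetch($rnd);
    print triage(marker => $marker, test_body => $tb, random_status => $rs, random_body => $rb), "\n";
    exit;
}

# Constructed sample responses standing in for real fetches:
# [ body for the test URL, status for the random path, body for the random path ]
my $payload = q~";}alert('Vulnerable');function x(){v ="~;
my %samples = (
    'unescaped echo'          => [ q{<input name="find" value="} . $payload . q{">}, 404, '<h1>Not Found</h1>' ],
    'entity-encoded echo'     => [ q~<input name="find" value="&quot;;}alert(&#39;Vulnerable&#39;);function x(){v =&quot;">~, 404, '<h1>Not Found</h1>' ],
    'custom page for any URI' => [ '<html>Sorry, nothing here</html>', 200, '<html>Sorry, nothing here</html>' ],
);
for my $name (sort keys %samples) {
    my ($tb, $rs, $rb) = @{ $samples{$name} };
    printf "%-24s %s\n", $name, triage(marker => $marker, test_body => $tb, random_status => $rs, random_body => $rb);
}
```

Run `perl xss_triage.pl` for the offline samples, or `perl xss_triage.pl 'http://host/forum_members.asp?find=%22;}alert(...)'` against a host you are authorised to test. A "reflected unescaped" verdict still wants a browser check, because the payload may land in a context where it does not execute; the other verdicts are the quick way to tell a genuine hit from the custom-404 noise Dave describes.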