[Nikto-discuss] False positives

Frank Breedijk FBreedijk at schubergphilis.com
Wed Mar 31 12:32:51 UTC 2010


Encountered a few false positives

Test 3120
Query /?pattern=/etc/*&sort=name will return OK even if the system is not vulnerable. Default apache install will return ok and disregard query parameters
Maybe we should look if the returned value contains passwd and shadow

Test 999972 from nikto_httpoptions.plugin
Apache servers will handle the DEBUG normally like an GET or POST (haven't been able to found out which) so it's not vulnerable.
seccubus at agent ~ $ telnet seccubus.com 80|head
Trying 79.141.36.205...
Connected to seccubus.com.
Escape character is '^]'.
DEBUG / HTTP/1.1
Host: seccubus.com

HTTP/1.1 200 OK
Date: Wed, 31 Mar 2010 12:28:33 GMT
Server: Apache
Set-Cookie: 652a57d4ecf6fbbfc14c76b1a9f31619=0541bf502c1a793e28db4cf6a0b9b8a5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Wed, 31 Mar 2010 12:28:37 GMT

Frank



More information about the Nikto-discuss mailing list