[Nikto-discuss] an issue with OSVDB-10902

Sullo csullo at gmail.com
Mon May 2 09:05:55 CDT 2011


On Mon, May 2, 2011 at 10:01 AM,  <martinmickael at free.fr> wrote:
> I'm a new user of Nikto. I like this software for its simplicity, so a big thank you to the developers.
> But I have an issue (or maybe it's my error):
> I run:  perl nikto.pl -h http://172.31.4.200
> and I obtain "OSVDB-10902: /cgi-bin/nbmember.cgi?cmd=list_all_users: Netbilling ndmember.cgi reveals sensitive information.".
> I don't have the cgi script ndmember on my web server. My cgi-bin directory exists but is empty!
> So I don't understand why Nikto displays this information.

It looks like this test only looks for a 200/OK response from the
server, so it is likely that your site is responding with the OK
message to that particular CGI. I am a little surprised that is the
only one giving this issue.

In any case, you should be able to safely ignore the issue. To
confirm, perform a GET on that page from the command line (using wget
or curl), with a proxy (burp, etc.) or with a browser plugin that
allows you to see the HTTP headers, and you should see the 200 OK response
and no content. Assuming you don't actually see any sensitive
information, it is a false positive.

-Chris


-- 

http://www.cirt.net     |      http://www.osvdb.org/
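One way to script the confirmation Chris describes, as an added example that is not from this thread or from the Nikto project: it fetches the flagged path and also a random path that cannot exist, which goes one step beyond the post by catching servers that answer 200 OK to everything. The base URL, the helper names and the random baseline path are assumptions; the flagged path is the one quoted in the post.

```python
import secrets
import urllib.error
import urllib.request

# Path from the Nikto finding quoted in the post (OSVDB-10902).
FLAGGED_PATH = "/cgi-bin/nbmember.cgi?cmd=list_all_users"


def fetch(url, timeout=10):
    """Return (status, body_bytes) for a GET; HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "nikto-fp-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify(flagged_status, flagged_body, baseline_status, baseline_body):
    """Judge a 200-based Nikto hit against a baseline request for a nonexistent path.

    Returns one of:
      'not-found'     - the flagged path did not answer 200 at all
      'catch-all-200' - a random path also answers 200 with the same-sized body,
                        so the server says OK to anything and the hit is noise
      'empty-200'     - 200 with no body: nothing is disclosed (the case in the post)
      'needs-review'  - 200 with content that differs from the baseline
    """
    if flagged_status != 200:
        return "not-found"
    if baseline_status == 200 and len(baseline_body) == len(flagged_body):
        return "catch-all-200"
    if not flagged_body.strip():
        return "empty-200"
    return "needs-review"


def check_nikto_hit(base_url, path=FLAGGED_PATH):
    """Fetch the flagged path and a random (assumed nonexistent) path, then classify."""
    baseline_path = "/cgi-bin/" + secrets.token_hex(8) + ".cgi"  # constructed baseline
    flagged_status, flagged_body = fetch(base_url + path)
    baseline_status, baseline_body = fetch(base_url + baseline_path)
    return classify(flagged_status, flagged_body, baseline_status, baseline_body)


if __name__ == "__main__":
    # Host from the post; only reachable on the poster's own network.
    print(check_nikto_hit("http://172.31.4.200"))
```

Only 'needs-review' warrants reading the response body by hand; the other three outcomes are the false positive Chris describes.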