<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16825" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText90990 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>I've noticed these false
positives as well.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>If you have a default 404 page, you'll see
these false positives, as the URL issued with the GET command does return a page
(your default 404 page), so it assumes that, since it issued a command and
received a result, the command must have worked.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Those have been my findings anyway. Anyone have
more information?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV></DIV>
<DIV id=idSignature82423 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2>Thomas J. Raef</FONT></DIV>
<DIV><FONT face=Arial size=2><A
href="http://www.ebasedsecurity.com">www.ebasedsecurity.com</A></FONT></DIV>
<DIV><FONT face=Arial size=2>"You're either hardened, or you're
hacked!"</FONT></DIV>
<DIV><FONT face=Arial size=2><A
href="http://www.wewatchyourwebsite.com">www.wewatchyourwebsite.com</A></FONT></DIV>
<DIV><FONT face=Arial size=2>"We Watch Your Website - so you don't have
to!"</FONT></DIV></DIV>
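<DIV dir=ltr><FONT face=Arial size=2>The "soft 404" effect described above, as an added worked example (this is not Nikto's code and not code from anyone on this list): a baseline-aware check that first requests a random path which cannot exist, fingerprints whatever comes back, and then reports any probe whose 200 response matches that fingerprint as a soft 404 rather than a hit. The helper names (http_fetcher, sample_fetch, not_found_baseline, naive_verdict, baseline_verdict, classify) are hypothetical, and the sample site it runs against is constructed inline so the script runs with no network; the probe paths are taken from the scan output quoted in this thread.</FONT></DIV>

```python
import hashlib
import re
import secrets
import urllib.error
import urllib.request


def http_fetcher(base_url):
    """Build a fetch(path) callable that GETs base_url + path over HTTP.

    Hypothetical helper: 4xx/5xx responses are returned as (status, body)
    instead of raised, because the body of a real 404 is exactly what
    we want to fingerprint."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


# Constructed sample site: one real page, plus a custom "page not found"
# page that is served with HTTP 200 for every other path (a soft 404).
SAMPLE_PAGES = {
    "/index.html": b"<html><body><h1>Welcome to the intranet</h1></body></html>",
}
SAMPLE_NOT_FOUND = b"<html><body><h1>Sorry, that page does not exist</h1></body></html>"


def sample_fetch(path):
    """In-process stand-in for http_fetcher(): no network needed."""
    clean = path.split("?", 1)[0]          # the query string does not pick the page
    return 200, SAMPLE_PAGES.get(clean, SAMPLE_NOT_FOUND)


def fingerprint(body):
    """Hash a whitespace-normalised copy of the body so trivial formatting
    differences do not defeat the comparison."""
    normalised = re.sub(rb"\s+", b" ", body).strip()
    return hashlib.sha256(normalised).hexdigest()


def not_found_baseline(fetch):
    """Request a random path that cannot exist; whatever comes back is the
    site's real 'not found' behaviour, whether it is a 404 or a 200."""
    probe = "/" + secrets.token_hex(12) + ".html"
    status, body = fetch(probe)
    return status, fingerprint(body)


def naive_verdict(fetch, path):
    """The status-only logic the thread describes: a 200 means 'found'."""
    status, _ = fetch(path)
    return "found" if status == 200 else "absent"


def baseline_verdict(fetch, path, baseline):
    """Same request, but a 200 whose body matches the not-found baseline is
    reported as a soft 404 instead of a hit."""
    status, body = fetch(path)
    if status != 200:
        return "absent"
    if (status, fingerprint(body)) == baseline:
        return "soft-404"
    return "found"


def classify(fetch, paths):
    """Return {path: (status-only verdict, baseline-aware verdict)}."""
    baseline = not_found_baseline(fetch)
    return {p: (naive_verdict(fetch, p), baseline_verdict(fetch, p, baseline))
            for p in paths}


if __name__ == "__main__":
    # Probe paths taken from the scan output quoted in this thread.
    probes = ["/scripts/banner.cgi", "/scripts/Count.cgi",
              "/adsamples/config/site.csc", "/index.html"]
    for path, (naive, aware) in classify(sample_fetch, probes).items():
        print(f"{path:28} status-only: {naive:7} baseline-aware: {aware}")
```

<DIV dir=ltr><FONT face=Arial size=2>Against your own server you would call classify(http_fetcher("http://your-host"), paths) instead of passing sample_fetch. One caveat: an exact body hash only works when the not-found page is identical for every missing path; if your 404 page echoes the requested URL, strip the path from the body (or compare with a similarity threshold) before hashing, otherwise the baseline never matches and every soft 404 still looks like a hit.</FONT></DIV>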
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> nikto-discuss-bounces@attrition.org on
behalf of titans team<BR><B>Sent:</B> Mon 5/11/2009 8:41 AM<BR><B>To:</B>
nikto-discuss@attrition.org<BR><B>Subject:</B> [Nikto-discuss] False positives
?<BR></FONT><BR></DIV>
<DIV>Hi guys,<BR><BR>Running a scan against my Apache web server shows
the following:<BR><BR>+ OSVDB-0: GET /scripts/banner.cgi : This CGI may allow attackers
to read any file on the system.<BR>+ OSVDB-0: GET /scripts/bannereditor.cgi :
This CGI may allow attackers to read any file on the system.<BR>+ OSVDB-0: GET
/sips/sipssys/users/a/admin/user : SIPS v0.2.2 allows user account info
(including password) to be retrieved remotely.<BR>+ OSVDB-0: GET
/scripts/addbanner.cgi : This CGI may allow attackers to read any file on the
system.<BR>+ OSVDB-0: GET /scripts/ans.pl?p=../../../../../usr/bin/id|&blah
: Avenger's News System allows commands to be issued remotely.<BR>+ OSVDB-0: GET
/scripts/ans/ans.pl?p=../../../../../usr/bin/id|&blah : Avenger's News
System allows commands to be issued remotely.<BR>+ OSVDB-0: GET
/admentor/adminadmin.asp : Version 2.11 of AdMentor is vulnerable to SQL
injection during login, in the style of: ' or =<BR>+ OSVDB-0: GET
/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a
remote execution bug via SQL command injection.<BR>+ OSVDB-0: GET
/scripts/Count.cgi : This may allow attackers to execute arbitrary commands on
the server<BR>+ OSVDB-0: GET /isapi/count.pl? : AN HTTPd default script may
allow writing over arbitrary files with a new content of '1', which could allow
a trivial DoS. Append /../../../../../ctr.dll to replace this file's
contents, for example.<BR>+ OSVDB-376: GET /admin/contextAdmin/contextAdmin.html
: Tomcat may be configured to let attackers read arbitrary files. Restrict
access to /admin.<BR>+ OSVDB-3092: GET /cgi-bin/textcounter.pl : This might be
interesting...<BR>+ OSVDB-13483: GET /adsamples/config/site.csc : Contains SQL
username/password<BR>+ OSVDB-3092: GET /advworks/equipment/catalog_type.asp :
This might be interesting...<BR>+ OSVDB-3092: GET /scripts/counter.exe : This
might be interesting...<BR>+ OSVDB-3233: GET /scripts/fpcount.exe : Default
FrontPage CGI found.<BR><BR><BR>The thing is that none of these files exist on
the server.<BR><BR>Any idea why this shows up?<BR><BR>Best
Regards,<BR>Nick.<BR></DIV></BODY></HTML>