[Nikto-discuss] db_404_strings processing

Geoff Galitz geoff at galitz.org
Mon Nov 19 12:33:37 CST 2012


It does not appear vulnerable.  The string is being echoed, it seems, for
translation.  For example, this is the string that matches:

    <a onClick="location='/language.de/sysuser/docmgr/blah'
    <a onClick="location='/language.fr/sysuser/docmgr/blah'

after I do this:

curl -v http://www.XXXXX.com/sysuser/docmgr/blah

And that is an invalid URL which gives the 404 page.

I am a bit n00bish at this though.. as you have probably guessed by now.

-G


> Is it actually vulnerable or escaped or ... ? The solution depends on the
> actual way this is done, safely or not!
>
> On Mon, Nov 19, 2012 at 1:05 PM, Geoff Galitz <geoff at galitz.org> wrote:
>
>>
>>
>> Ah ha...  indeed the string is being echoed in the 404 doc.  What's the
>> best way to deal with that?
>>
>> -G
>>
>>
>>
>> > is the attack string echoed in the 404 page anywhere? those should match
>> > on the content with a regex, and only trigger if that raw string is found.
>> >
>> > On Mon, Nov 19, 2012 at 12:51 PM, Geoff Galitz <geoff at galitz.org> wrote:
>> >
>> >>
>> >> If I use curl -v to inspect it, it shows as a 404, though we return a
>> >> pretty big page with that.
>> >>
>> >> It seems like all of these false positives are XSS related.  When I issue
>> >> that URL manually (in a web browser or via curl) I get the expected custom
>> >> 404 page.
>> >>
>> >> Among the vast volume of output from nikto are lines like this:
>> >>
>> >> + OSVDB-651: /cgi-local/cgiemail-1.6/cgicso?query=<script>alert('Vulnerable')</script>:
>> >> This CGI is vulnerable to Cross Site Scripting (XSS).
>> >> http://www.cert.org/advisories/CA-2000-02.html.
>> >> + OSVDB-651: /cgi-local/cgiemail-1.4/cgicso?query=<script>alert('Vulnerable')</script>:
>> >> This CGI is vulnerable to Cross Site Scripting (XSS).
>> >> http://www.cert.org/advisories/CA-2000-02.html.
>> >> + OSVDB-7022: /calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05:
>> >> DCP-Portal v5.3.1 is vulnerable to Cross Site Scripting (XSS).
>> >> http://www.cert.org/advisories/CA-2000-02.html.
>> >>
>> >> It could be that my theory on why this is happening is just plain wrong.
>> >>
>> >> -G
>> >>
>> >>
>> >> > That should work. what is the response code you're sending for 404s,
>> >> > is it 200 or something else?
>> >> >
>> >> > Also, you can put them in udb_404_strings so an update won't step on
>> >> > your own changes.
>> >> >
>> >> > -Sullo
>> >> >
>> >> > On Mon, Nov 19, 2012 at 12:06 PM, Geoff Galitz <geoff at galitz.org> wrote:
>> >> >
>> >> >>
>> >> >>
>> >> >> Hi all.
>> >> >>
>> >> >> I am getting what seem to be false positives.  I suspect nikto is not
>> >> >> recognizing the custom 404s we send out.  I've added some of the text
>> >> >> and some of the unique code of our 404 to db_404_strings but it does
>> >> >> not seem to help.
>> >> >>
>> >> >> I am wondering if I need to do anything special after simply adding
>> >> >> some text to that file?  Currently I have this:
>> >> >> <div id="not-found-content" style="bottom: 98px;">
>> >> >>
>> >> >> Would special punctuation cause a problem?
>> >> >>
>> >> >> -G
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> >
>> >> > http://www.cirt.net     |      http://richsec.com/
>> >> >
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>>
>
>
>


------------------------------
Geoff Galitz
http://www.galitz.org
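Added example (Python), not code from this thread or from Nikto: the triage Sullo describes, where a hit is kept only if the raw attack string comes back in the response body, with the thread's db_404_strings marker used to recognise the custom 404 page. The literal-substring marker match and the two response bodies are constructed assumptions.

```python
"""Triage a Nikto-style XSS hit against a site that serves custom 404 pages.

Added example, not Nikto code. Assumes the 404 marker is matched as a literal
substring and that a hit is only real when the attack string returns unchanged.
"""
import html

# Marker from the thread's db_404_strings entry for the custom not-found page.
NOT_FOUND_MARKERS = ['<div id="not-found-content"']
# Attack string from the OSVDB-651 test quoted in the thread.
PAYLOAD = "<script>alert('Vulnerable')</script>"

# Constructed custom 404 body: the requested path is echoed into language links,
# but the attack string is HTML-escaped, so it is inert markup.
CUSTOM_404_BODY = (
    '<html><body><div id="not-found-content" style="bottom: 98px;">\n'
    "Sorry, that page does not exist.</div>\n"
    "<a onClick=\"location='/language.de/sysuser/docmgr/blah'\">de</a>\n"
    "<a onClick=\"location='/language.fr/cgi-local/cgiemail-1.6/cgicso?query="
    + html.escape(PAYLOAD) + "'\">fr</a>\n</body></html>"
)
# Constructed body that genuinely reflects the attack string raw.
REFLECTED_BODY = "<html><body>Results for: " + PAYLOAD + "</body></html>"


def is_custom_404(body: str, markers=NOT_FOUND_MARKERS) -> bool:
    """True when any configured 404 marker appears literally in the body."""
    return any(marker in body for marker in markers)


def reflection_kind(body: str, payload: str) -> str:
    """How the attack string comes back: 'raw', 'escaped' or 'none'."""
    if payload in body:
        return "raw"
    if html.escape(payload) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "none"


def triage(status: int, body: str, payload: str) -> str:
    """'reflected' keeps the hit (raw string present, even on a 404 page);
    'custom-404', 'escaped' and 'no-reflection' dismiss it as a false positive."""
    kind = reflection_kind(body, payload)
    if kind == "raw":
        return "reflected"
    if status == 404 or is_custom_404(body):
        return "custom-404"
    return kind if kind == "escaped" else "no-reflection"
```

A 200 response that still carries the marker is treated as a soft 404, which is the case Sullo's question about the response code is probing for.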


