[Nikto-discuss] False positive or not?

a resident.deity at gmail.com
Thu Feb 7 09:46:57 CST 2013


This looks like it's a false positive off test 818, which is testing for an
XSS in the pic parameter of phpimageview.php.
There should be an exception case to catch this.

Is there any chance you could do a test with -D dvs on this? To cut down
the size of the debug file, you can edit db_tests and alter the 3rd column
of test 818 and put in a "z", then run Nikto like:

nikto.pl -host vulnerable -D dvs -Tuning z -Plugins tests -no404

One of these days I'll put in a way of doing this easily, probably
something like "-Plugins tests(tids:818)"; suggestions would be appreciated.


On 7 February 2013 14:24, Frank Breedijk <FBreedijk at schubergphilis.com> wrote:

> Recently we got some results from Nikto which we regard as false
> positives.
>
> >telnet xxx.xxx.xxx.xxx 80
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xxx.xxx
> Escape character is '^]'.
> GET /phpimageview.php?pic=javascript:alert('Vulnerable') HTTP/1.1
> Host: xxxxxxxxxxxxxxxxxxxx
>
> HTTP/1.1 301 Moved Permanently
> Set-Cookie: ARPT=PZUZILSpws1CKIOL; path=/
> Date: Thu, 07 Feb 2013 14:19:39 GMT
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Location: https://xxxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')
> Content-Length: 297
> Content-type: text/html
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1><p>The document has moved <a href="https://xxxxxxxxxxxxxxxxx/phpimageview.php?pic=javascript:alert('Vulnerable')">here</a>.</p>
> </body></html>Connection closed by foreign host.
>
> I understand why the rule triggers: the URL is echoed back apparently
> unescaped. However, the double quotes neutralize the XSS, and if you insert a
> " in the URL the webserver actually returns a 400 Bad Request.
>
> Kind regards,
> Frank Breedijk
>
>
> Schuberg Philis
> Boeing Avenue 271
> 1119 PD Schiphol-Rijk
> schubergphilis.com
>
> +31 20 750 65 38
> +31 6 4382 2637
> _____________________
>
>
> _______________________________________________
> Nikto-discuss mailing list
> Nikto-discuss at attrition.org
> https://attrition.org/mailman/listinfo/nikto-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://attrition.org/pipermail/nikto-discuss/attachments/20130207/c86e8bd1/attachment.html>
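The argument in the thread (the probe is echoed verbatim, but it lands inside a double-quoted href after an https:// prefix, so it needs a `"` to do anything, and the server answers a `"` with 400) can be checked mechanically instead of by eye. The following is an added example written for this page; it is not Nikto code and not the reporter's code. It locates every verbatim echo of the probe in a raw HTTP response, works out the context each echo lands in (response header, text node, quoted or unquoted attribute value, script body), decides which break-out character that context requires and whether the probe already carries it, and, for an inert reflection, uses the response to a follow-up break-out probe to settle the verdict. The two responses are constructed: the 301 is modelled on the IIS 6 redirect quoted above (with the masked host replaced by the placeholder `example.test`), and the 400 models the reporter's statement that a `"` in the URL yields 400 Bad Request. `PROBE` is an assumed break-out probe for a `"`-quoted attribute. The attribute parser is a deliberately simple regex over the enclosing tag and does no entity decoding.

```python
# Added example (not Nikto's code, not the reporter's): decide whether a reflected
# XSS probe is live in the context where it lands. Both responses are constructed:
# the 301 mirrors the IIS 6 redirect in the thread, the 400 mirrors the reporter's
# note that a double quote in the URL gets 400 Bad Request. HOST/PROBE are assumed.
import re

HOST = "example.test"                             # the real host is masked in the thread
PAYLOAD = "javascript:alert('Vulnerable')"        # the test 818 probe shown in the thread
PROBE = 'x"onmouseover="alert(1)'                 # assumed breakout probe for a "-quoted attribute
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
ATTR_RE = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

REDIRECT_301 = (
    "HTTP/1.1 301 Moved Permanently\r\nServer: Microsoft-IIS/6.0\r\n"
    f"Location: https://{HOST}/phpimageview.php?pic={PAYLOAD}\r\n"
    "Content-type: text/html\r\n\r\n"
    "<html><head><title>301 Moved Permanently</title></head><body>"
    '<h1>Moved Permanently</h1><p>The document has moved <a href="'
    f'https://{HOST}/phpimageview.php?pic={PAYLOAD}">here</a>.</p></body></html>'
)
BAD_REQUEST_400 = (
    "HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/6.0\r\nContent-type: text/html\r\n\r\n"
    "<html><head><title>Bad Request</title></head><body>Bad Request</body></html>"
)

def split_response(raw):
    """Raw HTTP/1.1 response -> (status, [(lowercase name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in header_lines)]
    return int(status_line.split()[1]), headers, body

def body_context(body, idx):
    """Where body[idx] sits: ('attr', name, quote, value) or ('text'|'script'|'tag', None, None, None)."""
    lt, gt = body.rfind("<", 0, idx), body.rfind(">", 0, idx)
    if lt > gt:                                   # inside a tag: find the attribute value holding idx
        end = body.find(">", idx)
        tag = body[lt:end if end != -1 else len(body)]
        for m in ATTR_RE.finditer(tag):
            for group, quote in ((2, '"'), (3, "'"), (4, "")):
                if m.group(group) is not None and m.start(group) <= idx - lt < m.end(group):
                    return "attr", m.group(1).lower(), quote, m.group(group)
        return "tag", None, None, None
    low = body.lower()
    if low.rfind("<script", 0, idx) > low.rfind("</script", 0, idx):
        return "script", None, None, None
    return "text", None, None, None

def classify(kind, attr, quote, value, payload):
    """(character the context needs to break out, does the payload already contain it)."""
    if kind == "header":
        return "\r\n", "\r\n" in payload          # CRLF would be header injection, not XSS
    if kind == "text":
        return "<", "<" in payload
    if kind == "attr":
        if (attr in URL_ATTRS and value.strip().startswith(payload)
                and payload.lower().startswith(("javascript:", "data:", "vbscript:"))):
            return "", True                       # payload owns the URL scheme: live without a breakout
        needs = quote or " "                      # quoted value needs its quote, unquoted needs whitespace
        return needs, needs in payload
    return None, None                             # script body or tag internals: review by hand

def find_reflections(raw, payload):
    """Every verbatim echo of payload, in headers and body, with its context and breakout status."""
    status, headers, body = split_response(raw)
    hits = []
    for name, value in headers:
        if payload in value:
            needs, live = classify("header", name, None, value, payload)
            hits.append({"where": "header", "name": name, "needs": needs, "live": live})
    start = 0
    while (idx := body.find(payload, start)) != -1:
        kind, attr, quote, value = body_context(body, idx)
        needs, live = classify(kind, attr, quote, value, payload)
        hits.append({"where": kind, "name": attr, "needs": needs, "live": live})
        start = idx + len(payload)
    return status, hits

def verdict(first_raw, payload, probe_raw=None, probe_payload=None):
    """Triage a scanner hit; the breakout probe's response settles an inert reflection."""
    _, hits = find_reflections(first_raw, payload)
    if not hits:
        return "not reflected"
    if any(h["live"] for h in hits):
        return "exploitable"
    if any(h["live"] is None for h in hits):
        return "reflected in script/tag context: review by hand"
    if probe_raw is None:
        return "reflected but inert: re-test with " + repr(sorted({h["needs"] for h in hits}))
    pstatus, phits = find_reflections(probe_raw, probe_payload)
    if pstatus >= 400 or not phits:
        return "false positive: breakout probe rejected or not reflected"
    if any(h["live"] for h in phits):
        return "exploitable"
    return "reflected but inert: breakout character encoded or stripped"

if __name__ == "__main__":
    print(verdict(REDIRECT_301, PAYLOAD))                          # inert: asks for a '"' probe
    print(verdict(REDIRECT_301, PAYLOAD, BAD_REQUEST_400, PROBE))  # false positive, as the thread argues
    print(verdict(REDIRECT_301, PAYLOAD, REDIRECT_301.replace(PAYLOAD, PROBE), PROBE))  # had IIS echoed it
```

On the constructed 301, `find_reflections` reports two echoes: one in the Location header (only live with a CRLF, which would be header injection rather than XSS) and one inside the double-quoted `href`, which needs a `"` the probe does not contain and whose value starts with `https://`, so the `javascript:` scheme is never honoured. The follow-up probe with a `"` comes back 400 and unreflected, which is exactly the reporter's reasoning and the case a "test 818" exception would need to recognise. The third call shows the opposite outcome: if the server had echoed the `"` probe unchanged, the same code reports the reflection as exploitable.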

