What you see is not an issue or error. It is what the application is supposed to do.

* As you can see, these requests are not the same.
* Thinking about multiple POST requests on WP-Login or your "logs" below, you
  could have guessed in the first place that the app is either trying multiple
  Login/Password combinations or (as seen below) some patterns to detect
  Injection possibilities.

Regards

2010/1/7 p8x <[email protected]>
> Hi Vincent,
>
> I also experienced the same issue as mrx. I did see multiple GET and POST
> requests to the same page.
>
> As an example, I took a random page with a form on it, here are the totals:
>
> 2 /password.html
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888'
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='6
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=6
> 2 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=6%20and%20'%25'='
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345'
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='6
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=6
> 2 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=6%20and%20'%25'='
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888'
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='6
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=6
> 2 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=6%20and%20'%25'='
> 4 /password.html?key=88888&form_validated=12345&submit_form=88888'%20and%20'5'='5
> 4 /password.html?key=88888&form_validated=12345&submit_form=88888%20and%205=5
> 4 /password.html?key=88888&form_validated=12345&submit_form=88888%25'%20and%205=5%20and%20'%25'='
> 4 /password.html?key=88888&submit_form=88888&form_validated=12345'%20and%20'5'='5
> 4 /password.html?key=88888&submit_form=88888&form_validated=12345%20and%205=5
> 4 /password.html?key=88888&submit_form=88888&form_validated=12345%25'%20and%205=5%20and%20'%25'='
> 4 /password.html?submit_form=88888&form_validated=12345&key=88888'%20and%20'5'='5
> 4 /password.html?submit_form=88888&form_validated=12345&key=88888%20and%205=5
> 4 /password.html?submit_form=88888&form_validated=12345&key=88888%25'%20and%205=5%20and%20'%25'='
>
> Also, the contact forms on the websites I tested got hammered with
> emails (and they also seemed to have duplicate requests).
>
> p8x
>
> On 7/01/2010 8:00 PM, mrx wrote:
>> Vincent,
>>
>> Although the actual results of the scan were displayed in English in the
>> online html report, the suggested solutions were in fact in Chinese.
>>
>> Checking my access logs reveals multiple attempts of the same
>> attack/probe, for example multiple identical POSTs to the same page:
>>
>> 216.18.22.46 - - [06/Jan/2010:11:33:01 +0000] "POST /properblog/wp-login.php HTTP/1.0" 200 2554 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) NOSEC.JSky/1.0"
>>
>> There are around 100 entries identical to the above in my log. I don't
>> know if this is by design or not but it does seem to be a little
>> inefficient.
>>
>> I also noticed there were no attempts at information disclosure via the
>> TRACE method, nor were any attempts made at SQL injection despite my
>> selecting "all" in the scan options. Not that my site is vulnerable in
>> any way ;-)
>>
>> Hope this helps
>>
>> regards
>> mrx
>>
>> Vincent Chao wrote:
>>> Thank you for your analysis. It really helps me.
>>> And I also found the PDF report mailed to us is in Chinese, in the website
>>> of iiScan, however, to see the report of html or PDF format is English (of
>>> course can change to Chinese).
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of mrx
>>> Sent: Wednesday, January 06, 2010 8:45 PM
>>> To: [email protected]
>>> Subject: [Full-disclosure] iiscan results
>>>
>>> Well, this scanner managed to find a couple of low level vulnerabilities
>>> on my site which were missed by both Nikto and Nessus.
>>>
>>> Two directories allowed a directory listing and a test.php file I
>>> created, an information disclosure vulnerability, was also detected. My
>>> dumb ass forgot to delete this "test.php" file after I finished testing
>>> the server.
>>>
>>> Possible sensitive directories were also listed, however browsing to
>>> these directories returned 403 errors, blank pages or a wordpress logon
>>> prompt, which is what I expected.
>>>
>>> So all in all this scanner seems to do its job well. At least for a LAMP
>>> server running wordpress
>>>
>>> Of course I have addressed the vulnerabilities reported.
>>>
>>> My command of the Chinese language is limited to zero, so I cannot
>>> understand the pdf report emailed to me nor the information within the
>>> web based report. Hopefully the developers will address this language
>>> problem.
>>>
>>> regards
>>> mrx

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
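The reply at the top says the paired requests are not duplicates but injection probes: each parameter is sent once with a condition that is true (5=5) and once with one that is false (5=6), and the scanner compares the responses. The following is an added example, not code from the thread or from iiScan, of the log triage a site owner could run to tell those probes and the repeated wp-login.php POSTs apart from ordinary duplicate traffic. The log lines are constructed inline, modelled on the listing and the NOSEC.JSky/1.0 user-agent string quoted above; the IPs, the timestamp, the "JSky" marker and the repeat threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" access-log format, as in the wp-login.php line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value with a boolean tail glued on: <base>[' or %'] and <n>=<m> ...
# Covers the three shapes in the listing: ' and '5'='6 / and 5=6 / %' and 5=6 and '%'='
BOOL_TAIL_RE = re.compile(
    r"^(?P<base>.*?)['\"%]*\s+and\s+'?(?P<lhs>\d+)'?\s*=\s*'?(?P<rhs>\d+)'?",
    re.IGNORECASE,
)

SCANNER_UA_MARKERS = ("JSky",)  # assumed marker, taken from the UA string in the thread
REPEAT_THRESHOLD = 20           # assumed: this many POSTs to one path from one IP = guessing


def parse_line(line):
    """Split one combined-format line into its fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so %25'%20and%205=6 becomes %' and 5=6
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_probe(value):
    """Return ('true'|'false', base value) for a boolean-tail value, else (None, value)."""
    m = BOOL_TAIL_RE.match(value)
    if not m:
        return None, value
    kind = "true" if m.group("lhs") == m.group("rhs") else "false"
    return kind, m.group("base")


def analyze(lines):
    """Triage: scanner IPs, boolean true/false probe pairs, and hammered POST targets."""
    scanner_ips = set()
    post_counts = Counter()
    probes = defaultdict(set)  # (ip, path, param, base) -> {"true", "false"}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
            scanner_ips.add(rec["ip"])
        if rec["method"] == "POST":
            post_counts[(rec["ip"], rec["path"])] += 1
        for name, value in rec["params"]:
            kind, base = classify_probe(value)
            if kind is not None:
                probes[(rec["ip"], rec["path"], name, base)].add(kind)
    # A true AND a false variant on the same parameter is the signature of a
    # boolean-based blind SQL injection check, not a duplicated request.
    sqli_pairs = sorted(k for k, kinds in probes.items() if kinds == {"true", "false"})
    repeated_posts = sorted(
        (ip, path, n) for (ip, path), n in post_counts.items() if n >= REPEAT_THRESHOLD
    )
    return {"scanner_ips": scanner_ips, "sqli_pairs": sqli_pairs, "repeated_posts": repeated_posts}


def build_sample_log():
    """Constructed sample lines (not real traffic), modelled on the listing in the thread."""
    scanner_ua = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; "
                  ".NET CLR 2.0.50727) NOSEC.JSky/1.0")
    fmt = '{ip} - - [06/Jan/2010:11:33:01 +0000] "{method} {target} HTTP/1.0" 200 2554 "-" "{ua}"'
    params = {"key": "88888", "form_validated": "12345", "submit_form": "88888"}
    # (count, raw tail): 2 sends for the false condition, 4 for the true one, as in the listing
    tails = [
        (2, "'%20and%20'5'='6"), (2, "%20and%205=6"), (2, "%25'%20and%205=6%20and%20'%25'='"),
        (4, "'%20and%20'5'='5"), (4, "%20and%205=5"), (4, "%25'%20and%205=5%20and%20'%25'='"),
    ]
    requests = [(2, "GET", "/password.html"),
                (2, "GET", "/password.html?key=88888&form_validated=12345&submit_form=88888"),
                (25, "POST", "/properblog/wp-login.php")]
    for probed in params:  # each parameter gets the tails in turn, the others stay baseline
        for count, tail in tails:
            qs = "&".join(f"{k}={v}{tail if k == probed else ''}" for k, v in params.items())
            requests.append((count, "GET", f"/password.html?{qs}"))
    lines = [fmt.format(ip="203.0.113.10", method=m, target=t, ua=scanner_ua)
             for count, m, t in requests for _ in range(count)]
    lines.append(fmt.format(ip="198.51.100.7", method="GET", target="/index.html",
                            ua="Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.6"))
    return lines


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value)
```

The script keys on the co-occurrence of a true and a false variant per parameter rather than on request counts, so it still flags the probe when a scanner sends each variant once; the 4-versus-2 asymmetry in the listing is just how this particular tool repeats the true case. The repeated-POST check is deliberately separate: as the reply notes, ~100 identical POSTs to wp-login.php are consistent with credential guessing, which leaves no injection syntax in the access log at all.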
