Forwarded from: Marc Maiffret <[EMAIL PROTECTED]>
Cc: Jonas M Luster <[EMAIL PROTECTED]>

thanks for your email. the first version was released quickly so people
could have something to start with. the current version of the tool does
perform an attack to determine if it's vulnerable. we're always improving
over time but things start somewhere.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Jonas M Luster [mailto:[EMAIL PROTECTED]]
| Sent: Monday, June 24, 2002 1:48 PM
| To: InfoSec News
| Cc: [EMAIL PROTECTED]
| Subject: Re: [ISN] Free tool: apache chunked vulnerability scanner
|
|
| Quoting InfoSec News ([EMAIL PROTECTED]):
|
| > Forwarded from: "Marc Maiffret" <[EMAIL PROTECTED]>
| > Cc: "Greg Broiles" <[EMAIL PROTECTED]>
| >
| > yes the tool is non intrusive. thanks for pointing that out. we'll
| > update the site.
|
| That's another way to put it. But why call it a 'vulnerability
| scanner' in the first place if it's only a version checker? Apache
| Users with ServerTokens set to Prod or OS won't be reported
| vulnerable, while my servers, running an originally vulnerable but
| patched Apache are reported to be.
|
| This kind of advertising is pretty deceptive. In fact there's only one
| way to scan for that vulnerability - and that's by exploiting it.
| Every twelve-year-old with a broomstick and libwhisker can write a
| version checker in minutes, if not less, so why not call it what it is
| - a sophisticated way to verify Apache signatures?
|
| But, non-intrusive sounds cool, I give you that.

-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn'
in the BODY of the mail.