Hi,
I found the following unreasonable behaviour with web_traversal.nasl.
(under nessus 1.2.7 on Linux Box)
For an Apache Coyote/1.0 on a Linux box, the following lines
do not evaluate "qc=0", which is what disables 'quickcheck'.
> qc=1;
> k = string("www/no404/", port);
> if (get_kb_item(k)) qc=0;
However, the server returns (status code) 200 with no contents
for the following requests r[i]. Hence, the check_win_dir_trav below
returns 'true' even for non-Windows servers.
> i=0;
> r[i] = string("..\\..\\..\\..\\..\\..\\windows\\win.ini"); i=i+1;
> r[i] = string("..\\..\\..\\..\\..\\..\\winnt\\win.ini"); i=i+1;
> r[i] = "/%5c..%5c..%5c..%5cwindows%5cwin.ini"; i=i+1;
> r[i] = "/%5c..%5c..%5c..%5cwindows%5cwin%2eini"; i=i+1;
> r[i] = "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini"; i=i+1;
> r[i] = "/%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini"; i=i+1;
> r[i] = "/%2f..%2f..%2f..%2f..%2f..%2f..%2fwinnt%2fwin.ini"; i=i+1;
> r[i] = 0;
>
> for (i=0; r[i]; i=i+1)
> {
> if (check_win_dir_trav(port: port, url: r[i], quickcheck: qc))
> {
> security_hole(port);
> exit(0);
> }
> }
I'm not sure about these checks and NASL scripts in detail.
However, in my opinion, quickcheck should be disabled for this check.
Thanks,
-------
Text by Kosaku Nagasaka. [E-mail: [EMAIL PROTECTED]]
<Remember, success comes in "cans", failure comes in "can'ts".>
*****Note that I may read E-mails in the Text format only.*****
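Added example (not from web_traversal.nasl or the original post), written in Python rather than NASL: it models the qc decision and the two ways check_win_dir_trav can judge a response, so the empty-200 false positive on an Apache Coyote-style server is reproduced and then removed by requiring win.ini-like content in the body. The function names, the kb dict and the sample responses are assumptions.

```python
import re

# Markers expected in a real win.ini (boot.ini has "[boot loader]"); assumption:
# finding any one of them is enough evidence that the target file was served.
WIN_INI_MARKERS = re.compile(r"\[(fonts|extensions|mci extensions|boot loader)\]",
                             re.IGNORECASE)


def decide_quickcheck(kb: dict, port: int) -> int:
    """Mirror of the script's qc logic: quickcheck stays on (1) unless the
    knowledge base says this server answers every URL with 200 (www/no404/<port>)."""
    qc = 1
    if kb.get("www/no404/%d" % port):
        qc = 0
    return qc


def check_win_dir_trav(status: int, body: str, quickcheck: bool) -> bool:
    """Decide whether a response proves the traversal worked.
    quickcheck=True trusts the status code alone, which is exactly what fires on a
    server that returns an empty 200 for any path; quickcheck=False additionally
    requires the body to look like the requested .ini file."""
    if status != 200:
        return False
    if quickcheck:
        return True
    return WIN_INI_MARKERS.search(body) is not None


# Constructed sample responses (not captured from a real host).
COYOTE_EMPTY_200 = (200, "")
REAL_WIN_INI = (200, "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n")
PLAIN_404 = (404, "<html><body>Not Found</body></html>")


def run_demo() -> dict:
    """Return (quickcheck verdict, content-check verdict) for each sample."""
    return {
        name: (check_win_dir_trav(*resp, quickcheck=True),
               check_win_dir_trav(*resp, quickcheck=False))
        for name, resp in (("coyote_empty_200", COYOTE_EMPTY_200),
                           ("real_win_ini", REAL_WIN_INI),
                           ("plain_404", PLAIN_404))
    }


if __name__ == "__main__":
    for name, (quick, strict) in run_demo().items():
        print("%-17s quickcheck=%s  content-check=%s" % (name, quick, strict))
```

The coyote_empty_200 row shows the reported false positive: it passes the quickcheck verdict and fails the content check, which is the behaviour the post argues the script should use.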