Re: False positive on frontpage_chunked_overflow.nasl (MS03-051)

Thu, 11 Dec 2003 05:50:20 -0800 

Are you running latest version from CVS?  The 4009 content-length causes a
security_warning for SP level..:
myreport = string("The remote Microsoft server appears to be missing\n");
myreport += string("at least 2 critical service packs\n\n");
myreport += string("Specifically, the server is running at Service pack
level\n");
myreport += string("less than or equal to SP2\n\n");

The check then goes on to manually inspect for the chunked overflow.

John Lampe
jwlampe -at- nessus.org


On Thu, 11 Dec 2003, Hemsley, Trevor wrote:

> Hi
>
> I'm getting false positives on the test for MS03-051, 
> frontpage_chunked_overflow.nasl. Problem is that it specifically checks for the 
> presence of "Content-Length: 4009" to tell the difference between patched and 
> unpatched servers but it seems that this length can change if you have customised 
> the error pages that are returned by IIS - at least that is how it appears. I've 
> done only limited experimentation to see if there is something else that we could 
> use and on a sample of 3 servers, one unpatched and 2 patched, it appears that we 
> might do better to look for
>
> HTTP/1.1 100 Continue
>
> since this is returned by both my patched servers and not by the unpatched one. 
> However, I don't have a large enough sample of known un/patched machines to base a 
> useful decision on :-(
>
> Trevor Hemsley,
> Security Specialist,
> Atos Origin Ltd,
> Whyteleafe,
> +44-(0)1883-628139
>
> [This e-mail and the documents attached are confidential and intended solely for the 
> addressee ; it may also be privileged . If you receive this e-mail in error, please 
> notify the sender immediately and destroy it. As its integrity cannot be secured on 
> internet, the Atos Origin group liability cannot be triggered for the message 
> content. Although the sender endeavours to maintain a computer virus-free network, 
> the sender does not warrant that this transmission is virus-free and will not be 
> liable for any damages resulting from any virus transmitted.]
>
>
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
>
>
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus

Reply via email to