Yes, the plugin has that code in it and it is that that is misfiring. These boxes have SP4 on them but the \winnt\help\iishelp\common\400.htm file has been edited to add custom text and that alters its length. We then bung out a warning about it running < SP2 and that is not correct.
It's too easy to get false positives when relying on the content-length field. This will change if anyone has changed the default pages or I guess if they're running non-US-English versions of code (are there such things for IIS?).

-----Original Message-----
From: John Lampe [mailto:[EMAIL PROTECTED]
Sent: 11 December 2003 12:47
To: Hemsley, Trevor
Cc: [EMAIL PROTECTED]
Subject: Re: False positive on frontpage_chunked_overflow.nasl (MS03-051)

Are you running latest version from CVS? The 4009 content-length causes a security_warning for SP level..:

    myreport = string("The remote Microsoft server appears to be missing\n");
    myreport += string("at least 2 critical service packs\n\n");
    myreport += string("Specifically, the server is running at Service pack level\n");
    myreport += string("less than or equal to SP2\n\n");

The check then goes on to manually inspect for the chunked overflow.

John Lampe
jwlampe -at- nessus.org

On Thu, 11 Dec 2003, Hemsley, Trevor wrote:

> Hi
>
> I'm getting false positives on the test for MS03-051,
> frontpage_chunked_overflow.nasl. Problem is that it specifically checks for the
> presence of "Content-Length: 4009" to tell the difference between patched and
> unpatched servers but it seems that this length can change if you have customised
> the error pages that are returned by IIS - at least that is how it appears. I've
> done only limited experimentation to see if there is something else that we could
> use and on a sample of 3 servers, one unpatched and 2 patched, it appears that we
> might do better to look for
>
> HTTP/1.1 100 Continue
>
> since this is returned by both my patched servers and not by the unpatched one.
> However, I don't have a large enough sample of known un/patched machines to base a
> useful decision on :-(
>
> Trevor Hemsley,
> Security Specialist,
> Atos Origin Ltd,
> Whyteleafe,
> +44-(0)1883-628139
