Hello
I got a lot of Apache chunked encoding errors on an IIS server.
My tests were run with safe checks disabled.
I made a copy of the plugin and added some print statements:
# This was a real web server. Let's try again, with malicious data
req = string("GET /index.nes HTTP/1.0\r\n",
             "Transfer-Encoding: chunked\r\n\r\n",
             "fffffff0\r\n",
             crap(42), "\r\n\r\n");
send(socket:soc, data:req);
r = http_recv(socket:soc);
# If there is a send error, then it means the remote host
# abruptly shut the connection down
n = send(socket:soc, data:crap(5));
sleep(1);
display(n);             # <---- added: print the return value of send()
if(n < 0)
{
  security_hole(port);
  display('HOLE\r\n');  # <---- added: print when the hole is reported
  exit(0);
}
And here are my results:
nasl -t frillsdmz70 test.nasl
[16355] plug_set_key:send(0)['1 Services/www/80/working=1;
'](0 out of 29): Socket operation on non-socket
HTTP/1.0 500 Internal Server Error
Server: Microsoft-IIS
Date: Thu, 08 Jul 2004 10:07:53 GMT
Content-type: text/html
<HEAD><TITLE>500: Server Error [10-0004]</TITLE></HEAD>
<BODY>
<H1>500: Server Error [10-0004]</H1>
<BR>
</BODY>
</HTML>
5-1Success
HOLE
It seems that the value of n returned by the send(socket:soc, data:crap(5));
command is 5-1 and not an indication
that the port was closed.
Did I mis-interpret my results, or is there a real coding error in the
plugin?
Patrice ARNAL
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
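The question above is whether a send() that succeeds can be trusted to mean the connection is still open. The following Python script is an added illustration (not code from the post, from the Nessus plugin, or from any Nessus project code); it stands up a local server on 127.0.0.1 that answers one request and then closes, sends a benign GET (the payload itself is irrelevant to the check), and applies two verdicts side by side: the plugin's "send() returned an error" logic, and a recv()-based check that looks for EOF or a reset. The server, port and request are constructed for the demo.

```python
import socket
import threading
import time

# Constructed stand-in for the 500 reply shown in the post (not a real IIS response).
CANNED_RESPONSE = (
    b"HTTP/1.0 500 Internal Server Error\r\n"
    b"Content-type: text/html\r\n"
    b"\r\n"
    b"<HTML><BODY>500: Server Error</BODY></HTML>\r\n"
)


def start_closing_server():
    """Start a local server that answers one request and then closes the
    connection, mimicking a host that drops the client after responding.
    Returns the (host, port) tuple it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)              # read the request; its content is irrelevant here
            conn.sendall(CANNED_RESPONSE)
        finally:
            conn.close()                 # the "abrupt shutdown" the plugin tries to detect
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return addr


def probe(host, port):
    """Send one benign request, then apply both the plugin's check and a
    recv()-based check. Returns send()'s return value and both verdicts."""
    s = socket.create_connection((host, port), timeout=5)
    s.sendall(b"GET / HTTP/1.0\r\n\r\n")
    response = s.recv(4096)

    # Plugin logic: "if send() fails, the peer closed". The first send() after
    # the peer's close is simply queued by the local kernel and returns the byte
    # count, so this check says "open" even though the peer is already gone.
    try:
        n = s.send(b"XXXXX")             # same size as crap(5) in the plugin
    except OSError:
        n = -1
    naive_verdict = "closed" if n < 0 else "open"

    # recv()-based logic: after the peer's FIN, recv() returns b''; if our stray
    # bytes drew a RST instead, recv() raises a reset error. Both mean "closed".
    time.sleep(0.2)                      # give the FIN/RST time to arrive (cf. sleep(1))
    try:
        while True:
            if s.recv(4096) == b"":      # drain leftovers until EOF
                robust_verdict = "closed"
                break
    except socket.timeout:
        robust_verdict = "open"          # peer silent but still connected
    except OSError:
        robust_verdict = "closed"        # ECONNRESET / EPIPE: peer tore it down
    s.close()
    return {
        "response_bytes": len(response),
        "send_return": n,
        "naive_verdict": naive_verdict,
        "robust_verdict": robust_verdict,
    }


def run_demo():
    host, port = start_closing_server()
    return probe(host, port)


if __name__ == "__main__":
    print(run_demo())
```

Running it prints a send_return of 5 with naive_verdict "open" and robust_verdict "closed": the first send() after a peer close succeeds because the local kernel accepts the data before the remote side has had a chance to reject it, which is why a negative return from send() is not a reliable signal that the server dropped the connection.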