<Message: 1
<Date: Thu, 10 Nov 2005 13:30:09 -0500
<From: "Justin Doles" <[EMAIL PROTECTED]>
<Subject: RE: Multiple CGI warnings on NetWare 6.5 SP3
<To: <[email protected]>
<Message-ID: <[EMAIL PROTECTED]>
<Content-Type: text/plain; charset="us-ascii"
<
<Can't say that we've seen that on our Novell servers. ...and we
<have quite a few with Apache installed. All are 6.5 SP3.
<
<It's odd that it picks up on having a web server installed on 443
<without Apache running.
<
<Justin Doles
<Liberty Savings Bank
<www.LibertySavingsBank.com

Keep in mind that we are running NetMail 3.10g, which will respond to web requests.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Elwell
Sent: Thursday, November 10, 2005 9:25 AM
To: [email protected]
Subject: Multiple CGI warnings on NetWare 6.5 SP3

Has anyone run into the probable false positives below?
The only cgi folder existing on the server is in Apache2. It contains none of the indicated CGI's.
Apache, Perl and Tomcat were not loaded at the time of the scan.
What is keying Nessus to indicate these warnings?

NetWare 6.5 SP3, NetMail 3.10h

Nessus scan found these and other cgi's:

Vulnerability https (443/tcp)
The 'plusmail' CGI is installed. Some versions of this CGI have a well known security flaw that lets an attacker read arbitrary file with the privileges of the http daemon (usually root or nobody).
Solution : remove it from /cgi-bin. No patch yet
Risk factor : High
CVE : CAN-2000-0074
BID : 2653
Nessus ID : 10181

This is a false positive. is not installed on this server. A file search of the Netware volumes could not locate a cgi of this name.

Vulnerability https (443/tcp)
The 'webgais' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody).
Solution : remove it from /cgi-bin
Risk factor : High
CVE : CVE-1999-0176
BID : 2058
Nessus ID : 10300

Vulnerability https (443/tcp)
The 'websendmail' CGI is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody).
Solution : Remove it from /cgi-bin.
Risk factor : High
CVE : CVE-1999-0196
BID : 2077
Nessus ID : 10301

Vulnerability https (443/tcp)
The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody).
Solution : remove it from /cgi-bin
Risk factor : High
CVE : CAN-1999-0509
Nessus ID : 10173

Message: 4
Date: Thu, 10 Nov 2005 16:52:26 -0500
From: "George A. Theall" <[EMAIL PROTECTED]>
Subject: Re: Multiple CGI warnings on NetWare 6.5 SP3
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Thu, Nov 10, 2005 at 09:25:27AM -0500, Joel Elwell wrote:

> Has anyone run into the probable false positives below?
> The only cgi folder existing on the server is in Apache2. It contains none of
> the indicated CGI's.
> Apache, Perl and Tomcat were not loaded at the time of the scan.
> What is keying Nessus to indicate these warnings?

Did you enable dependencies when you ran the scan? If not, I could see
this happening if you didn't and your web server doesn't respond with a
404 error code to requests for non-existent pages.

Also, are you by any chance using NessusWX that you've upgraded and with
a session from before the upgrade? If so, create a new session and
re-run your scan.

And finally, have you manually tested for the CGIs?

George
--
[EMAIL PROTECTED]

I will check on the dependencies, I did not personally configure the scan. My associate is reading this forum, he may contribute, but I will verify.

We are not using NessusWX. The version we are scanning with is 2.2.5 directly from Nessus.org.

I have attempted to verify manually, simply by pointing a browser at HTTP://myserver/cgi-bin/wrap? I receive a 404 error from the server. (Running Novell NetMail 3.10g)

Have you a recommendation to better verify manually?

Thanks to all.
Joel

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
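
The manual check discussed in this thread (a server that does not answer 404 for missing pages will make every CGI name look installed) can be done by comparing each flagged path with a request for a random path that cannot exist. The sketch below is an added example, not part of the original thread or of Nessus; the host name `server.example`, the 0.9 similarity threshold and the canned responses are constructed assumptions.

```python
import difflib
import secrets
import ssl
import urllib.error
import urllib.request

def fetch(base_url, path, verify_tls=True):
    """Return (status, body) for base_url + path without raising on 4xx/5xx."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # for hosts you own that use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(base_url + path, timeout=10, context=ctx) as r:
            return r.status, r.read(8192)
    except urllib.error.HTTPError as e:
        return e.code, e.read(8192)

def classify(baseline, probe, threshold=0.9):
    """Compare a flagged path's response with the random-path baseline."""
    b_status, b_body = baseline
    p_status, p_body = probe
    if p_status == 404:
        return "absent"    # server says the path does not exist
    similar = difflib.SequenceMatcher(None, b_body, p_body).ratio() >= threshold
    if p_status == b_status and similar:
        return "soft-404"  # same answer as a path that cannot exist
    return "review"        # differs from the baseline: inspect by hand

def check_host(base_url, names, fetcher=fetch):
    """Classify each flagged CGI name against a fresh random baseline."""
    baseline = fetcher(base_url, "/cgi-bin/" + secrets.token_hex(8))
    return {n: classify(baseline, fetcher(base_url, "/cgi-bin/" + n)) for n in names}

# Constructed canned responses: a server that answers 200 for every path.
def fake_fetch(base_url, path):
    if path.endswith("/real.cgi"):
        return 200, b"<html>query form</html>"
    return 200, b"<html><title>Welcome</title>Please sign in</html>"

if __name__ == "__main__":
    names = ["plusmail", "webgais", "websendmail", "real.cgi"]
    print(check_host("https://server.example", names, fake_fetch))
```

A result of "soft-404" for a flagged name means the scanner finding rests only on the server's catch-all response; "review" means the path behaves differently from a missing page and should be looked at on the server itself.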
