On February 27, 2006 07:06 am, George A. Theall wrote:
> On Sun, Feb 26, 2006 at 09:16:16PM -0500, Ian Scott wrote:
> > In the results, there is a message that Nessus "discovered" the
> > webfind.exe cgi script.
>
> Which plugin reported this? At first blush, it would seem as if you're
> talking about #10475 (webfind.nasl), but does not contain the word
> "discovered".

I'm not sure what plugin - I ran Nessus with all plugins activated. The exact wording of the security note is this:

************
Synopsis :

The remote web server contains a CGI script that is affected by a buffer overflow flaw.

Description :

The 'webfind.exe' CGI script on the remote host is vulnerable to a buffer overflow when given a too long 'keywords' argument. This problem allows an attacker to execute arbitrary code as root on this host.

See also :

http://archives.neohapsis.com/archives/bugtraq/2000-07/0268.html

Solution :

Upgrade to WebSite Professional 2.5 or delete this CGI.

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2000-0622
BID : 1487
Nessus ID : 10475
*************

Ooops, ok, it was plugin #10475 indeed.

> > What would cause this false positive?
>
> Why do you say it's a false-positive? Have you looked at the web logs
> from the affected server? Or looked at a packet capture from running the
> plugin in question?

Here's a portion of the weblog of the affected server, after running Nessus:

XXX.XXX.XXX.XXX - - [26/Feb/2006:18:47:16 -0500] "GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535

As you can see, it returned a 500 error.
