On February 28, 2006 03:56 am, you wrote:
> On Mon, 27 Feb 2006, Ian Scott wrote:
> >> Why do you say it's a false-positive? Have you looked at the web logs
> >> from the affected server? Or looked at a packet capture from running the
> >> plugin in question?
> >
> > Here's a portion of the weblog of the affected server, after running
> > Nessus:
> >
> > XXX.XXX.XXX.XXX - - [26/Feb/2006:18:47:16 -0500]
> > "GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535
>
> That is correct behavior. Take a look after the above GET request for
> another request that looks like:
> GET
> /scripts/webfind.exe?keywords=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXX
>
> Where there are 2000 'X' characters. The webfind.nasl plugin first sends
> the GET request you quoted above and if it receives a response code of 500
> it then sends the second GET request (with the 2000 'X' characters).
> If there is no response to the second GET request the plugin flags a
> security hole.

Thanks Josh. I think I know what was going on now. I had mod_security installed and there were some rules regarding Nessus. With mod_security disabled for a short time and the server rescanned, there was no reference to webfind.exe in the report.

Best,

Ian
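
An added example, not part of the original messages and not Nessus code: a small log triage script for the check suggested in the thread. It finds the short webfind.exe probe that answered 500 and reports whether the 2000-character follow-up was logged and with what status. The function names, the sample log lines and the 403 status in them are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format, matching the log line quoted in the thread.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
LONG_PROBE_LEN = 2000  # the thread says the second request carries 2000 'X' characters

def webfind_probes(lines):
    """Yield (client, timestamp, keywords_length, status) for webfind.exe requests."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, ts, _method, target, status, _size = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/webfind.exe"):
            continue
        kw = parse_qs(url.query, keep_blank_values=True).get("keywords", [""])[0]
        yield client, ts, len(kw), int(status)

def triage(lines):
    """Per client: status of the short probe and of the 2000-character follow-up.

    followup_status stays None when the short probe answered 500 but no long
    request from that client appears in the log after it."""
    report = {}
    for client, _ts, kw_len, status in webfind_probes(lines):
        entry = report.setdefault(client, {"short_status": None, "followup_status": None})
        if kw_len >= LONG_PROBE_LEN:
            if entry["short_status"] == 500:
                entry["followup_status"] = status
        else:
            entry["short_status"] = status
    return report

# Constructed sample log (documentation addresses, statuses invented for the demo).
SAMPLE = [
    '192.0.2.10 - - [26/Feb/2006:18:47:16 -0500] "GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535',
    '192.0.2.10 - - [26/Feb/2006:18:47:17 -0500] "GET /scripts/webfind.exe?keywords=%s HTTP/1.1" 403 210' % ("X" * 2000),
    '192.0.2.20 - - [26/Feb/2006:19:02:41 -0500] "GET /scripts/webfind.exe?keywords=XXXXXXXXXX HTTP/1.1" 500 535',
    '192.0.2.20 - - [26/Feb/2006:19:02:45 -0500] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for client, result in triage(SAMPLE).items():
        print(client, result)
```

A client whose `followup_status` is `None` after a 500 on the short probe is the case to compare against a packet capture or the logs of any filtering layer in front of the server.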
