On 05.06.2016 at 01:39, [email protected] wrote:
We are also warned that we are running a vulnerable version of Digital Cart32. Again, I don't think we are running anything like that (our webserver is FreeBSD), and respond to requests like: GET /login/cart32.exe/GetLatestBuilds?cart32=%3Cscript%3Efoo%3C/script%3E with an error page, but the return code is "200", not an error code. Should we be using "404" instead?
surely - you should *always* respond with error codes and not 200 in case something doesn't exist or is not allowed, and in fact after some "401 Authentication Required" you have to respond with a "403 Forbidden" or you will get an alert that you don't protect against dictionary attacks
how else do you imagine security audits work properly when your applications don't?
BTW: any sane webserver would ANYWAYS respond via the WAF with an error code because of the recognized script injection
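As an added illustration of the reply above (example code, not from the thread or from OpenVAS): a minimal Python WSGI app that answers an unknown probe path such as /login/cart32.exe/GetLatestBuilds with a real 404, challenges a protected path with 401, and switches to 403 once a client has sent too many wrong passwords. The route table, the credentials, the per-address failure counter and MAX_FAILURES are constructed assumptions for the example.

```python
import base64
from collections import defaultdict

# Constructed route table and credentials (assumptions for the example).
ROUTES = {"/": "public", "/admin": "protected"}
CREDENTIALS = {"alice": "correct horse battery staple"}
MAX_FAILURES = 5                     # wrong passwords tolerated per client
failures = defaultdict(int)          # keyed by REMOTE_ADDR (assumption)

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _valid_basic_auth(header):
    """True only if the Basic credentials match the constructed table."""
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:               # bad base64 or non-UTF-8 payload
        return False
    return CREDENTIALS.get(user) == pw

def _respond(start_response, status, body, extra=()):
    start_response(status, [("Content-Type", "text/plain")] + list(extra))
    return [body]

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    client = environ.get("REMOTE_ADDR", "?")
    # Unknown path (e.g. a cart32.exe probe): a real 404, not a 200 error page.
    if path not in ROUTES:
        return _respond(start_response, "404 Not Found", b"not found")
    if ROUTES[path] == "protected":
        # Too many wrong passwords from this client: 403 instead of yet
        # another 401, so a scanner sees that guessing is actually blocked.
        if failures[client] >= MAX_FAILURES:
            return _respond(start_response, "403 Forbidden", b"locked out")
        header = environ.get("HTTP_AUTHORIZATION", "")
        if not header.startswith("Basic ") or not _valid_basic_auth(header):
            if header:               # credentials were supplied but are wrong
                failures[client] += 1
            return _respond(start_response, "401 Unauthorized", b"auth needed",
                            [("WWW-Authenticate", 'Basic realm="admin"')])
        failures[client] = 0
    return _respond(start_response, "200 OK", b"ok")

def status_of(path, auth=None, client="203.0.113.9"):
    """Drive app() in-process (no socket) and return the status line."""
    seen = []
    environ = {"PATH_INFO": path, "REMOTE_ADDR": client}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

status_of() lets you check the status code each kind of request gets without starting a server; behind a WAF the injected-script probe would typically be rejected before reaching the app at all.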
Openvas-discuss mailing list - [email protected] - https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
