On 05.06.2016 at 01:59, Reindl Harald wrote:

> On 05.06.2016 at 01:39, [email protected] wrote:
>
>> We are also warned that we are running a vulnerable version of Digital Cart32. Again, I don't think we are running anything like that (our webserver is FreeBSD), and we respond to requests like:
>>
>> GET /login/cart32.exe/GetLatestBuilds?cart32=%3Cscript%3Efoo%3C/script%3E
>>
>> with an error page, but the return code is "200", not an error code. Should we be using "404" instead?
>
> Surely - you should *always* respond with error codes and not 200 when something doesn't exist or is not allowed, and in fact after some "401 Authentication Required" responses you have to respond with "403 Forbidden", or you will get an alert that you don't protect against dictionary attacks. How else do you imagine security audits work properly when your applications don't?
>
> BTW: any sane webserver would anyway respond through the WAF with an error code because of the recognized script injection.
Oh - and when you redirect things to reduce log flooding due to scans, then do it properly:

# Apache httpd (mod_alias): "RedirectMatch 404" sends a plain 404 for the
# matched request instead of a redirect, so scanner probes for old
# phpMyAdmin-style paths get a real error code (no Location header).
# Upper- and lower-case spellings are listed separately because the
# match is case-sensitive.
RedirectMatch 404 ^/.*pma2005/(.*)$
RedirectMatch 404 ^/.*PMA2005/(.*)$
RedirectMatch 404 ^/.*pma2006/(.*)$
RedirectMatch 404 ^/.*PMA2006/(.*)$
RedirectMatch 404 ^/.*pma2007/(.*)$
RedirectMatch 404 ^/.*PMA2007/(.*)$
RedirectMatch 404 ^/.*pma2008/(.*)$
RedirectMatch 404 ^/.*PMA2008/(.*)$
RedirectMatch 404 ^/.*pma2009/(.*)$
RedirectMatch 404 ^/.*PMA2009/(.*)$
RedirectMatch 404 ^/.*pma2010/(.*)$
RedirectMatch 404 ^/.*PMA2010/(.*)$
RedirectMatch 404 ^/.*pma2011/(.*)$
RedirectMatch 404 ^/.*PMA2011/(.*)$
RedirectMatch 404 ^/.*pma2012/(.*)$
RedirectMatch 404 ^/.*PMA2012/(.*)$
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
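Added example, not part of the thread above and not code from either poster: two minimal Python HTTP handlers that make the point of the thread concrete. `SloppyHandler` does what the original question describes (an error page sent with status 200, which is exactly what makes a scanner believe the probed application exists), while `StrictHandler` sends real 404s. The route table, the probe paths and the regex are constructed for this example; the regex goes slightly beyond the posted config by folding the sixteen case-specific RedirectMatch lines into one case-insensitive pattern for pma2005..pma2012.

```python
"""Status codes as a scanner sees them: error page with 200 vs. a real 404.

Added example; servers bind to an ephemeral port on 127.0.0.1 so it runs offline.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed route table: only these two paths exist on the server.
KNOWN_PATHS = {"/": b"<h1>home</h1>", "/about": b"<h1>about</h1>"}

# Constructed: one case-insensitive pattern covering the same paths as the
# sixteen "RedirectMatch 404 ^/.*pma20xx/(.*)$" / "PMA20xx" lines (2005-2012).
SCAN_PATH_RE = re.compile(r"^/.*pma20(0[5-9]|1[0-2])/", re.IGNORECASE)

ERROR_BODY = b"<h1>Sorry, that page does not exist</h1>"


class SloppyHandler(BaseHTTPRequestHandler):
    """Anti-pattern from the question: human-readable error page, status 200."""

    def do_GET(self):
        path = self.path.split("?", 1)[0]          # drop the query string
        body = KNOWN_PATHS.get(path, ERROR_BODY)   # unknown path -> error page...
        self._send(200, body)                      # ...but still a 200

    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                  # keep the example quiet
        pass


class StrictHandler(SloppyHandler):
    """Correct behaviour: the status line states what actually happened."""

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        # Scanner probes for old phpMyAdmin paths and anything not in the
        # route table get a genuine 404, same body as the sloppy server.
        if SCAN_PATH_RE.match(path) or path not in KNOWN_PATHS:
            self._send(404, ERROR_BODY)
        else:
            self._send(200, KNOWN_PATHS[path])


def start_server(handler):
    """Start `handler` on an ephemeral localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def probe(base_url, path):
    """Return the HTTP status code the server sends for `path`."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:          # 4xx/5xx raise; read the code
        return err.code


def compare(path):
    """(sloppy_status, strict_status) for the same request path."""
    results = []
    for handler in (SloppyHandler, StrictHandler):
        srv, base = start_server(handler)
        try:
            results.append(probe(base, path))
        finally:
            srv.shutdown()
            srv.server_close()
    return tuple(results)


if __name__ == "__main__":
    # Constructed probes: the Cart32 request from the question, a PMA scan
    # path in upper case, and a path that really exists.
    for p in ("/login/cart32.exe/GetLatestBuilds?cart32=%3Cscript%3Efoo%3C/script%3E",
              "/x/PMA2009/index.php",
              "/about"):
        print(p, compare(p))
```

The sloppy server answers the Cart32 probe and the PMA2009 probe with 200, which is all a scanner's "is it there?" check looks at; the strict server answers both with 404 and only `/about` with 200. The same case-insensitive regex could replace the sixteen directives above with a single `RedirectMatch 404 (?i)^/.*pma20(0[5-9]|1[0-2])/` line, since RedirectMatch takes a PCRE-style regex.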
