Hi,

we found a problem in OpenVAS 8 when we tried to get a CSV Results report from a scan containing a result with:

"preload" Missing in HSTS Header (OID: 1.3.6.1.4.1.25623.1.0.105878)
<https://cgnscan01.intern.qsc.de/omp?cmd=get_info&info_type=nvt&info_id=1.3.6.1.4.1.25623.1.0.105878&token=e5797978-d826-4129-9168-e9b66e016726>

The exported CSV looks as follows: (IP and hostname changed to protect the innocent :))

IP,Hostname,Port,Port Protocol,CVSS,Severity,Solution Type,NVT Name,Summary,Specific Result,NVT OID,CVEs,Task ID,Task Name,Timestamp,Result ID,Impact,Solution,Affected Software/OS,Vulnerability Insight,Vulnerability Detection Method,Product Detection Result,BIDs,CERTs,Other References
10.0.0.1,xyz.intern.qsc.de,443,tcp,0.0,Log,"Workaround",""preload" Missing in HSTS Header","The remote HTTPS Server is missing the 'preload' attribute in the HSTS header","HSTS Header: Strict-Transport-Security: max-age=15552000; includeSubDomains ",1.3.6.1.4.1.25623.1.0.105878,"NOCVE",0418f60c-e949-4134-a102-66112f893593,"QSC-HAM-Trust-10.100.84.0/23",2016-11-08T08:39:58Z,151349c3-c62d-4be8-a599-04deee662dc6,"","Submit the domain to the 'HSTS preload list' and add the 'preload' attribute to the HSTS header","",""," Details: ""preload"" Missing in HSTS Header (OID: 1.3.6.1.4.1.25623.1.0.105878) Version used: $Revision: 3870 $ ","","","",https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet, https://hstspreload.appspot.com/

The word preload in the NVT Name is included in ("). Having a look into the source code of the corresponding XSLT-Script we found that in the NVT name only single-quotes (') are removed but not the ("). The resulting CSV therefore is syntactically not correct and crashes the import i.e. to MS-Access.

I suggest four ways of solving the issue:

1) Remove the " from the NVT name
2) Substitute the " with ' in the NVT name
3) Modify the XSLT-script to remove the ' from the NVT name too.
4) Modify the XSLT-script to substitute the " with "" in the NVT name

Any comments?

Best regards

Christian Ebert
Chief Security Analyst, CISM, T.I.S.P.
Head of Penetration Testing
QSC AG
Mathias-Brüggen-Straße 55
50829 Köln
T +49 221 669-8950
F +49 221 669-85950
M +49 163 6698950
[email protected]
http://www.qsc.de
Also visit our blog at http://blog.qsc.de
Please find the mandatory commercial-law disclosures here: http://www.qsc.de/pflichtangaben
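Option 4 in the message above is the quoting rule of RFC 4180: a double quote inside a quoted field is written as two double quotes. The following is an added example, not part of the original message and not OpenVAS code; the function names are hypothetical, `field_as_exported` only models the behaviour the message describes, and the three-column row is a constructed excerpt of the export.

```python
import csv
import io

NVT_NAME = '"preload" Missing in HSTS Header'  # NVT name quoted in the message
NVT_OID = "1.3.6.1.4.1.25623.1.0.105878"       # OID quoted in the message


def field_as_exported(value):
    """Model of the reported behaviour: only single quotes are removed,
    embedded double quotes pass through unescaped."""
    return '"' + value.replace("'", "") + '"'


def field_rfc4180(value):
    """Option 4: double every embedded double quote, then wrap in quotes."""
    return '"' + value.replace('"', '""') + '"'


def build_row(quote):
    # Constructed three-column excerpt: Severity, NVT Name, NVT OID
    return ",".join(["Log", quote(NVT_NAME), NVT_OID])


def parse(line, strict=True):
    """Parse one CSV record and return its fields.

    With strict=True a malformed record yields None instead of a
    silently altered value."""
    try:
        rows = list(csv.reader(io.StringIO(line), strict=strict))
    except csv.Error:
        return None
    return rows[0] if len(rows) == 1 else None


if __name__ == "__main__":
    for quote in (field_as_exported, field_rfc4180):
        row = build_row(quote)
        print(quote.__name__)
        print("  row:    ", row)
        print("  strict: ", parse(row, strict=True))
        print("  lenient:", parse(row, strict=False))
```

A strict consumer rejects the row as exported, while a lenient one accepts it and returns a different NVT name than the scanner reported, which is the harder failure to notice when results are imported into other tooling.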
