*** Sebastien Aucouturier wrote: > Hi team, > i want to proposed the following change for plugin > apache_server_status. > > patch 1: > We got servers returning 403 forbidden access and setting filename > '/server_status' in data body, when plugin access the file. > This make the plugin to declare the vulnerability when it should not.
Hmmm...the NVT looks for "Apache Server Status" in the response. So i'm wondering why you've got false positive. It's not because of the '/server_status' in data body... > We introduce some change : Plugin now check http server code return, > And set the vulnerability, only when http code 200 is return. Im not happy with just checking for http code 200. Better check also for "Apache Server Status" in the response. Micha -- Michael Meyer OpenPGP Key: 52A6EFA6 http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-plugins mailing list [email protected] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
