List: nessus
Subject: Re: Too long url with nessus
From: Mark Wagner <markw () horvitznewspapers ! net>
Date: 2000-10-20 22:02:23
> Sorry for the intrusion. I was reading the nessus mail archives and I
> found that you have run into the same problem I did regarding the too long
> url vulnerability.
> <http://list.nessus.org/listarch-nessus/2000-09/msg00096.html>
> Also, did you only find this problem on the version of Apache mentioned in
> your email? I was thinking that it may be singled to that revision, but
> that's just a thought.
It also happens with my webservers running Apache 1.3.9.
You've prodded me into investigating exactly why this is failing.
At first I thought the crap(65535) was causing some socket buffer
overflow. Turns out it was much simpler than that: one of the
requests had only "\r\n", not "\r\n\r\n".
It turns out that this is fixed in version 1.10 of the script:
See <http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-plugins/scripts/www_too_long_url.nasl.diff?r1=1.9&r2=1.10>
You can download the updated script at
<http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/www_too_long_url.nasl>.
The crap() GET still uses only "\r\n" so I would change that to "\r\n\r\n" too:
*** plugins-dist/www_too_long_url.nasl Fri Oct 20 14:45:36 2000
--- plugins-local/www_too_long_url.nasl Fri Oct 20 14:46:31 2000
***************
*** 58,64 ****
soc = open_sock_tcp(port);
if(!soc)exit(0);
! req = string("GET /", crap(65535), "\r\n");
send(socket:soc, data:req);
close(soc);
--- 58,64 ----
soc = open_sock_tcp(port);
if(!soc)exit(0);
! req = string("GET /", crap(65535), "\r\n\r\n");
send(socket:soc, data:req);
close(soc);
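Review bot: the request line in this hunk carries no HTTP-version token and no Host header, so the server sees a simple (HTTP/0.9-style) request, and the blank line that "\r\n\r\n" adds only has meaning as the end of a header block in an HTTP/1.x request; if the intent is to exercise the server's request-line handling as a full request, consider `req = string("GET /", crap(65535), " HTTP/1.0\r\n\r\n");` instead. Also note that `close(soc);` follows `send(socket:soc, data:req);` directly, so nothing in this hunk reads a reply; the check that the server is still answering afterwards has to live elsewhere in the script.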
--
Mark Wagner markw@horvitznewspapers.net