List:       nessus
Subject:    Re: Too long url with nessus
From:       Mark Wagner <markw () horvitznewspapers ! net>
Date:       2000-10-20 22:02:23

> Sorry for the intrusion. I was reading the nessus mail archives and I
> found that you have run into the same problem I did regarding the too long
> url vulnerability.

<http://list.nessus.org/listarch-nessus/2000-09/msg00096.html>

> Also, did you only find this problem on the version of Apache mentioned in
> your email? I was thinking that it may be singled to that revision, but
> that's just a thought.

It also happens with my webservers running Apache 1.3.9.

You've prodded me into investigating exactly why this is failing.
At first I thought the crap(65535) was causing some socket buffer
overflow.  Turns out it was much simpler than that: one of the
requests had only "\r\n", not "\r\n\r\n".

It turns out that this is fixed in version 1.10 of the script:

See <http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-plugins/scripts/www_too_long_url.nasl.diff?r1=1.9&r2=1.10>


You can download the updated script at
<http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/www_too_long_url.nasl>.


The crap() GET still uses only "\r\n" so I would change that to "\r\n\r\n"
too:

*** plugins-dist/www_too_long_url.nasl  Fri Oct 20 14:45:36 2000
--- plugins-local/www_too_long_url.nasl Fri Oct 20 14:46:31 2000
***************
*** 58,64 ****

  soc = open_sock_tcp(port);
  if(!soc)exit(0);
! req = string("GET /", crap(65535), "\r\n");
  send(socket:soc, data:req);
  close(soc);

--- 58,64 ----

  soc = open_sock_tcp(port);
  if(!soc)exit(0);
! req = string("GET /", crap(65535), "\r\n\r\n");
  send(socket:soc, data:req);
  close(soc);
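Review bot: the hunk still sends the probe and closes the socket without reading anything back (`send(socket:soc, data:req);` followed directly by `close(soc);`), so whether the server answered, returned an error, or dropped the connection is never observed in this exchange and has to be inferred elsewhere; consider a recv on `soc` before `close(soc)` so the result of the oversized request line is captured directly. The change from `"\r\n"` to `"\r\n\r\n"` is the right one for a server that waits for the blank line ending the header block, and a comment on that line saying so would save the next reader the investigation described in this mail.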

-- 
Mark Wagner markw@horvitznewspapers.net
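To make the framing point in this mail concrete, here is a small added example (not code from the thread, the plugin, or Apache): a request reader that only understands HTTP/1.x framing, where a request is finished at the blank line ending the header block, and that caps the request line the way Apache's LimitRequestLine directive does (its default, 8190 bytes, is assumed here). It shows why a request ending in a single "\r\n" leaves such a server waiting and how the 65535-byte probe is bounded by the cap.

```python
# Added example: HTTP/1.x request framing and a request-line cap.
# Not the plugin's code and not Apache's; the limit value is an assumption
# matching Apache's default LimitRequestLine of 8190 bytes.
LIMIT_REQUEST_LINE = 8190


def build_probe(size: int) -> bytes:
    """Rebuild the request the patched script sends: 'GET /' plus filler,
    terminated by a blank line (the r1.10 fix)."""
    return b"GET /" + b"A" * size + b"\r\n\r\n"


def frame_request(buf: bytes, limit: int = LIMIT_REQUEST_LINE) -> tuple:
    """Decide what a server speaking only HTTP/1.x framing does with buf.

    Returns ('incomplete', None)  when no blank line has ended the headers yet,
            ('reject', 414)       when the request line exceeds `limit` bytes,
            ('reject', 400)       when the request line is malformed,
            ('complete', target)  when the request is fully delimited.
    """
    line_end = buf.find(b"\r\n")
    if line_end == -1:
        # No end of request line yet: still reading, unless already past the cap.
        return ("reject", 414) if len(buf) > limit else ("incomplete", None)
    if line_end > limit:
        # Request line itself is oversized: 414 Request-URI Too Long.
        return ("reject", 414)
    if buf.find(b"\r\n\r\n", line_end) == -1:
        # The request line arrived, but the header block never ended.  A single
        # "\r\n" therefore leaves the server waiting, which is the bug fixed in
        # the script: it sent "\r\n" instead of "\r\n\r\n".
        return ("incomplete", None)
    parts = buf[:line_end].decode("latin-1").split(" ")
    if len(parts) < 2:
        return ("reject", 400)
    return ("complete", parts[1])
```
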
