Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: http-majordomo2-dir-traversal.nse
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 27 Jun 2011 15:25:27 -0700

On 06/27/2011 12:45 PM, Fyodor wrote:
On Thu, Jun 09, 2011 at 06:33:47PM -0700, Paulino Calderon wrote:
Hello nmap-dev,

Here is my NSE script for exploiting the directory traversal
vulnerability recently found in Majordomo2 (CVE-2011-0049) .
Thanks Paulino, this looks good!  The only issue I found was when
running against a patched host:

PORT   STATE SERVICE
80/tcp open  http
|_http-majordomo2-dir-traversal: [Error] File was not found or the web server has insufficient permissions

As we gain more and more vuln detection scripts, there is a risk that
we might flood the user with "not vulnerable" reports which make the
actual vulnerabilities harder to spot.  So would you make this message
only show up in debugging mode (or maybe when verbosity is 2 or
higher?).

Also, would you revise the error message to note that the server may
be patched, and also include the file name (like "Target file
(/etc/passwd) was not found...") so it is more clear what went wrong?
And can you include the exploit URL that was attempted too?  Again,
these are all only going to show in debug mode or if verbosity is high
enough.

Once you make these changes, please check it in.

Thanks,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

I revised the error message and now it is only displayed when debug mode is on. This was commited as r24417.

Cheers.

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault