[Openvas-discuss] question about openvas, arachni and false positives

chris framheim at gmx.de
Wed Aug 31 16:54:38 CEST 2011


I tried openvas on Linux Ubuntu 10.04 and scanned some IPs with

# aptitude show openvas-server openvas-scanner | grep -i version
Version: 2.0.3-3
Version: 3.2.4-1

Used the client 2.0.5 on Ubuntu again.

Weird things:

1) Used it pretty much without special configs, leaving much at the defaults.
I get the following section 7(!) times in the report:
Vulnerability found on port http (80/tcp)

        Overview: This host is installed with Dokuwiki and is prone to
        multiple Cross
        Site Scripting vulnerabilities.
        Vulnerability Insight:
        The flaws are due to error in 'ACL' Manager plugin
        (plugins/acl/ajax.php) that
        allows users to perform certain actions via HTTP requests
        without performing
        any validity checks.
        Successful exploitation allows attackers to conduct cross site
        forgery attacks via unknown vectors.
        Impact Level: Application.
        Affected Software/OS:
        Dokuwiki versions prior to 2009-12-25c
        Fix: Update to version 2009-12-25c or later.
        For Updates Refer, http://www.splitbrain.org/go/dokuwiki
        CVSS Score:
        CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
        CVSS Temporal Score : 5.3
        Risk factor: High
        CVE : CVE-2010-0289
        OID :
This is a false positive. It is a Synology Diskstation with no Dokuwiki.

I installed arachni and got none of the former (but scanned on just 5
ports, to speed things up, and used
- OpenVAS TCP Scanner and
- Nmap and
- ide-scan and
- snmpwalk
)!? Weird! Does anybody know?

2) Without arachni:
Warning found on port ftp (21/tcp)

        FileZilla Server before 0.9.22 allows remote attackers to
        cause a denial of service (crash) via a wildcard argument
        to the (1) LIST or (2) NLST commands, which results in a
        NULL pointer dereference, a different set of vectors than
        NOTE: CVE analysis suggests that the problem might be due
        to a malformed PORT command.
        Upgrade vulnerable FTP server to latest version.
        Plugin output:
        OpenVAS was able to crash the remote FTP server by sending
        a malformed PASV command.
        CVE : CVE-2006-6565
        BID : 21542, 21549
        OID :
False positive again, server didn't crash. NSL couldn't even log in
(password protected).

With arachni: none of the above!

3) Same thing without arachni:
Vulnerability found on port general/tcp

        Overview: This script will list all the vulnerable activex
        controls installed
        on the remote windows machine with references and cause.
        Vulnerability Insight:
        The flaws are caused due to error in restricting the
        SetLayoutData method,
        which fails to properly restrict the SetLayoutData method.
        Successful exploitation will let the remote attackers execute
        arbitrary code,
        and can compromise a vulnerable system.
        Impact Level: System
        Affected Software/OS:
        Microsoft Windows 7 Service Pack 1 and prior.
        Microsoft Windows XP Service Pack 3 and prior.
        Microsoft Windows 2003 Service Pack 2 and prior.
        Microsoft Windows Vista Service Pack 2 and prior.
        Microsoft Windows Server 2008 Service Pack 2 and prior.
        Fix: Apply the patch from below link,
        Set the killbit for the following CLSIDs,
        OID :
False positive again. ActiveX on a Synology Diskstation?

With arachni, no false positive.

Does anybody know an explanation?

