[Openvas-discuss] False positive in gb_apache_etag_6939.nasl ?

Ryan Schulze security at dopefish.de
Tue May 1 01:18:35 CEST 2012


Hi,

I think I may have stumbled over a false positive today. 
gb_apache_etag_6939.nasl checks Apache responses for the ETag header and 
it seems to try to split() the whole header and not just the Value of 
the ETag (which then leads to the array being bigger than intended and 
triggering max_index()). Not sure if this is the best way to solve the 
problem (since I've never played around with .nasl files before), but 
seems to work with the servers I tested it against here.

regards,
Ryan Schulze

# diff -u gb_apache_etag_6939.nasl.orig gb_apache_etag_6939.nasl
--- gb_apache_etag_6939.nasl.orig    2012-05-01 01:10:55.606397458 +0200
+++ gb_apache_etag_6939.nasl    2012-05-01 01:11:11.340146980 +0200
@@ -90,7 +90,7 @@
  etag = eregmatch(pattern:'ETag: "([^"]+)"', string:banner);
  if(isnull(etag[1]))exit(0);

-etag = split(etag, sep:"-",keep:FALSE);
+etag = split(etag[1], sep:"-",keep:FALSE);
  if((max_index(etag)<3))exit(0);

  inode = string("0x",etag[0]);




More information about the Openvas-discuss mailing list