[Openvas-plugins] [Openvas-commits] r4091 - in trunk/openvas-plugins: . scripts
Tim Brown
timb at nth-dimension.org.uk
Wed Jul 22 00:49:53 CEST 2009
On Tuesday 21 July 2009 18:28:43 Chandrashekhar B wrote:
> -----Original Message-----
> From: Tim Brown [mailto:timb at nth-dimension.org.uk]
> Sent: Tuesday, July 21, 2009 9:46 PM
> To: Chandrashekhar B
> Cc: openvas-plugins at wald.intevation.org; rnikita at secpod.com
> Subject: Re: [Openvas-plugins] [Openvas-commits] r4091 -
> in trunk/openvas-plugins: . scripts
>
> On Tuesday 21 July 2009 15:54:26 Chandrashekhar B wrote:
> >> I had actually asked your help for the remote POC, we went ahead with
> >> the local check meanwhile.
> >
> > I know, this was my first chance to review the check. I did try to catch
> > you on IRC to discuss it but we seem to have missed each other since you
> > first asked. I have a virtual machine running the vulnerable code, so if
> > you're cool with it, I'd like to run the checks on it and make changes as
> > necessary?
>
> I am definitely cool with that :) please do.

The NullLogic Groupware server returns a header such as "Server: NullLogic
Groupware 1.2.6" on vulnerable versions.

My proposal would be to remove the script_require_keys() and change the logic
as follows:

    banner = get_http_banner(port:nullgrpPort);
    nullgrpVer = get_kb_item("NullLogic-Groupware/Win/Ver");

    if(nullgrpVer == NULL){
      # No local result in the KB: take the version from the Server banner.
      # eregmatch() returns an array; index 1 holds the captured version.
      bannerVer = eregmatch(pattern:"NullLogic Groupware ([0-9.]+)",
                            string:banner);
      if(!isnull(bannerVer) &&
         version_is_less_equal(version:bannerVer[1], test_version:"1.2.7")){
        security_warning(nullgrpPort);
      }
    } else {
      # Local version known: only report if the service answers on this port.
      if("NullLogic Groupware" >< banner){
        if(version_is_less_equal(version:nullgrpVer, test_version:"1.2.7")){
          security_warning(nullgrpPort);
        }
      }
    }
    exit(0);

Does something like that make sense? The only problem I can see is if local
check is carried out and finds an old version, but the version running is
actually patched up to date which may lead to a false positive. It may be
better to split the two checks entirely but then, would the issue be reported
twice?

Also, what family shall we move the script to? It will handle both the local
and remote cases...

Tim
--
Tim Brown
<mailto:timb at nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
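
Added example, not part of the original message and not OpenVAS code: a Python sketch of the combined local/remote decision discussed above, arranged so that a version stated in the banner takes precedence over a locally detected one and each port yields a single result. The function names, the THRESHOLD constant and the sample banners are assumptions constructed for illustration; the "<= 1.2.7" comparison is taken from the proposal.

```python
import re

# Comparison value from the proposed check (versions <= 1.2.7 are reported).
THRESHOLD = (1, 2, 7)
# Only complete dotted versions are captured, so "1.2." yields "1.2".
BANNER_RE = re.compile(r"NullLogic Groupware ([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Turn '1.2.6' into (1, 2, 6) so that 1.2.10 sorts after 1.2.7."""
    return tuple(int(part) for part in text.split("."))


def banner_version(banner):
    """Return the version tuple found in a Server header, or None."""
    match = BANNER_RE.search(banner or "")
    return parse_version(match.group(1)) if match else None


def assess(banner, local_version=None):
    """Decide once per port whether to report, and on what evidence.

    Returns (vulnerable, source) with source "banner", "local" or None.
    """
    remote = banner_version(banner)
    if remote is not None:
        # The running service stated its version: use it even when a local
        # check saw something else (a stale install left on disk).
        return (remote <= THRESHOLD, "banner")
    if local_version and "NullLogic Groupware" in (banner or ""):
        # Product confirmed on the port, but the banner carries no version.
        return (parse_version(local_version) <= THRESHOLD, "local")
    # Nothing ties the local finding to this port: do not report here.
    return (False, None)


if __name__ == "__main__":
    # Constructed sample inputs: (banner, locally detected version).
    samples = [
        ("Server: NullLogic Groupware 1.2.6", None),
        ("Server: NullLogic Groupware 1.2.10", "1.2.6"),
        ("Server: NullLogic Groupware", "1.2.6"),
        ("Server: Apache", "1.2.6"),
    ]
    for banner, local in samples:
        print(banner, local, assess(banner, local))
```
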