Spurious Scan Results

CyberCop or Nessus found many dangerous CGI scripts, a vulnerable Microsoft IIS web server, etc.

Security scanners infer that a web service is vulnerable from the reply they receive from the web server.
A scanner may misinterpret, or fail to understand, the responses of some web servers.
Some web servers always reply with the return code "200 OK".

Systems which may report this:
Network printers
Ethernet switches with an embedded web server
(for example, the Agranat-EmWeb/R4_02 web server replies with "HTTP/1.1 200 OK" in the HTTP header even if access is denied)
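
One way to triage such findings, as an added example that is not part of the original page and not code from either scanner: ask the host for a few randomly named paths that cannot exist, and if they all come back "200 OK", treat every status-code-based finding for that host as unreliable. The function names, the AlwaysOK stand-in server and the flagged paths are constructed for illustration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def status_of(host, port, path, timeout=5):
    """Return the HTTP status code the server gives for GET <path>."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()

def answers_200_to_anything(host, port, probes=3):
    """True if randomly named paths, which cannot exist, all get 200 OK."""
    paths = ["/" + secrets.token_hex(12) + ".cgi" for _ in range(probes)]
    return all(status_of(host, port, p) == 200 for p in paths)

def triage(host, port, flagged_paths):
    """Split scanner-flagged paths into 'unreliable' and 'confirm' lists."""
    if answers_200_to_anything(host, port):
        # The status code carries no information on this host.
        return {"unreliable": list(flagged_paths), "confirm": []}
    confirm = [p for p in flagged_paths if status_of(host, port, p) == 200]
    return {"unreliable": [], "confirm": confirm}

class AlwaysOK(BaseHTTPRequestHandler):
    """Constructed stand-in for an embedded server that always says 200."""
    def do_GET(self):
        body = b"Access denied"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_demo_server(handler):
    """Serve `handler` on a free localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    srv, port = start_demo_server(AlwaysOK)
    # Constructed sample findings, not real scanner output.
    print(triage("127.0.0.1", port, ["/cgi-bin/example.cgi", "/scripts/example.idq"]))
    srv.shutdown()
```

Paths left in the "confirm" list still need manual verification; a 200 reply there only means the status code is worth looking at.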



CyberCop Scanner found "10061 RedHat Piranha default password" on a non-Linux machine


The RFC defines the HTTP request line as
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
CyberCop doesn't follow the RFC.
It sends the "GET /piranha/secure/passwd.php3" request twice, but receives only one reply from some web servers.
In the first request CyberCop sends only LFs.
In the second, CR and LF.

CyberCop --> web server ( GET /piranha/secure/passwd.php3 + LF )
web server --> CyberCop ( nothing )
CyberCop --> web server ( GET /piranha/secure/passwd.php3 + CRLF )
web server --> CyberCop ( 404 Not Found )
CyberCop thinks that the web server is vulnerable.

Systems which may report this:
Printers and network appliances with embedded web server software:
Quantum/Snapserver


15036 SCO POP Overflow check on a Windows machine

This vulnerability may signify an unpatched copy of Norton AntiVirus;
see the quote from Philip Spencer's email below:

>in particular: for your "Windows 2K box reporting vulnerabilities that
>exist in SCO UNIX products" -- was it reporting an "SCO POP server"
>problem? If so, check for an unpatched copy of Norton AntiVirus 2000 with
>e-mail protection enabled and LiveUpdate not properly scheduled.
>Unpatched versions left their proxy pop server open to the network.
>I'm not sure if there's any actual buffer overflow, but it's certainly
>desirable to patch it so that it's closed to everything but localhost.
>Running LiveUpdate fixed the problem (though
>it had to be run twice: the first time upgraded the LiveUpdate tool itself
>so it could see the need to upgrade the e-mail proxy, the second time
>upgraded the e-mail proxy).

Systems which may report this:
Windows box with Norton AntiVirus