Closed digininja closed 8 years ago
Mhhh, the current master is only checking for the "Object moved" text:
"003585","3092","b","/localstart.asp","GET","Object moved","","","","","Default IIS install page found.","",""
The goal of the check seems to be to identify this file for brute-forcing valid accounts: http://forums.iis.net/t/1192711.aspx
I wonder whether the problem described in that post was from some tester just rote including Nikto's results and not checking them out fully.
Yeah. It looks like a false positive to me. I'm not certain what the text ought to be though. I may just change it to look for a 200.
I really hate sites that don't issue 404s!
Okay Google is your friend for this. Localstart.asp contains the string "Welcome to Windows 2000" (!!). Updated in master.
I did the test and was going through checking results when I found it.
I was thinking it could have been the site doing a 404 page but with a 200 code but it wasn't, it was the string that matched.
On 30 Sep 2015 17:37, "David Lodge" notifications@github.com wrote:
> I wonder whether the problem described in that post was from some tester just rote including Nikto's results and not checking them out fully.
> Yeah. It looks like a false positive to me. I'm not certain what the text ought to be though. I may just change it to look for a 200.
> I really hate sites that don't issue 404s!
> — Reply to this email directly or view it on GitHub https://github.com/sullo/nikto/issues/282#issuecomment-144469749.
Yeah I meant the forum post linked to by RealRancor...
I'd missed that link.
On 30 Sep 2015 17:50, "David Lodge" notifications@github.com wrote:
> Yeah I meant the forum post linked to by RealRancor...
@tautology0 I'm not quite sure if the "Welcome to Windows 2000" is the correct pattern to match here. The main goal probably is this vulnerability described here:
https://forums.iis.net/t/1153350.aspx
so you're getting a "WWW-Authenticate" here if the page is vulnerable against this brute forcing thingy.
That's checked for in another check in tests.db (it checks for the string "unauthorized"). The one causing this issue is just checking for standard files.
Ahhh, got it. Have missed that one.
This is one of those tests I'm not sure we need. Has anyone ever done anything useful with localstart.asp (brute force excepted)?
No, I put it down as very low info disclosure and indication that the server hasn't been hardened.
On 1 Oct 2015 13:52, "sullo" notifications@github.com wrote:
> This is one of those tests I'm not sure we need. Has anyone ever done anything useful with localstart.asp (brute force excepted)?
Agreed that this is a very low item and I haven't found this "out in the wild" during audit activities.
But if the check should stay it probably should be changed to match against:
<title>Welcome to Windows
as I also found some localstart.asp files via Google containing a:
<title>Welcome to Windows XP Server Internet Services</title>
instead of a:
<title>Welcome to Windows 2000 Internet Services</title>
I'm also really wondering where the initial "Object moved" was coming from. All localstart.asp I've found via Google are not containing this wording.
Consider it changed ;-)
I've just had a match on test 003585, /localstart.asp found.
Looking at the save log, and manual checking, a request of the page gives a 302 redirect to an error page. Looking at the test, it seems to be looking for "Object moved" as a title or an IIS welcome message, don't know why it wants the object moved title.
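The false positive discussed in this thread, as an added example (not Nikto's code and not part of the original issue): it evaluates the quoted 003585 entry and the proposed `<title>Welcome to Windows` variant against sample responses. The field labels, the simplified matching model (a 3-digit pattern is a status code, anything else a body substring) and all response bodies are assumptions constructed for illustration.

```python
import csv
import re

# Column labels are this example's own names for the 13 fields of the quoted line.
FIELDS = ["id", "ref", "tuning", "uri", "method", "match1", "match1_or",
          "match1_and", "fail1", "fail2", "summary", "data", "headers"]

OLD_RULE = ('"003585","3092","b","/localstart.asp","GET","Object moved",'
            '"","","","","Default IIS install page found.","",""')
# Constructed: the same entry with the match string proposed in the thread.
NEW_RULE = OLD_RULE.replace("Object moved", "<title>Welcome to Windows")

# Constructed sample responses: (status code, body).
RESPONSES = {
    "redirect_to_error": (302, "<head><title>Object moved</title></head>"
                               "<body><h1>Object Moved</h1></body>"),
    "win2000_page": (200, "<title>Welcome to Windows 2000 Internet Services</title>"),
    "winxp_page": (200, "<title>Welcome to Windows XP Server Internet Services</title>"),
    "soft_404": (200, "<title>Page not found</title>"),
}

def parse_rule(line):
    """Split one quoted, comma-separated tests.db line into named fields."""
    return dict(zip(FIELDS, next(csv.reader([line]))))

def cond(pattern, status, body):
    """Assumed model: a 3-digit pattern is a status code, anything else a body substring."""
    if re.fullmatch(r"\d{3}", pattern):
        return status == int(pattern)
    return pattern in body

def rule_fires(rule, status, body):
    """Fail conditions veto; otherwise (match1 OR match1_or) AND match1_and."""
    if any(rule[k] and cond(rule[k], status, body) for k in ("fail1", "fail2")):
        return False
    hit = cond(rule["match1"], status, body) or bool(
        rule["match1_or"] and cond(rule["match1_or"], status, body))
    if rule["match1_and"]:
        hit = hit and cond(rule["match1_and"], status, body)
    return hit

def compare():
    """Map each sample name to (old rule fires, new rule fires)."""
    old, new = parse_rule(OLD_RULE), parse_rule(NEW_RULE)
    return {name: (rule_fires(old, *resp), rule_fires(new, *resp))
            for name, resp in RESPONSES.items()}

if __name__ == "__main__":
    for name, (old_hit, new_hit) in compare().items():
        print(f"{name:18} old={old_hit!s:5} new={new_hit}")
```

The old rule fires only on the 302 redirect body and misses both real welcome pages; the title-prefix rule does the reverse and stays quiet on a 200 "not found" page.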