sullo / nikto

Nikto web server scanner

false positive on /localstart.asp #282

Closed digininja closed 8 years ago

digininja commented 8 years ago

I've just had a match on test 003585, /localstart.asp found.

Looking at the save log, and checking manually, a request for the page gives a 302 redirect to an error page. Looking at the test, it seems to be looking for "Object moved" as a title or an IIS welcome message; I don't know why it wants the "Object moved" title.

ghost commented 8 years ago

Mhhh, the current master is only checking for the "Object moved" text:

"003585","3092","b","/localstart.asp","GET","Object moved","","","","","Default IIS install page found.","",""

The goal of the check seems to be to identify this file for brute-forcing valid accounts: http://forums.iis.net/t/1192711.aspx

tautology0 commented 8 years ago

I wonder whether the problem described in that post was from some tester just rote including Nikto's results and not checking them out fully.

Yeah. It looks like a false positive to me. I'm not certain what the text ought to be though. I may just change it to look for a 200.

I really hate sites that don't issue 404s!

tautology0 commented 8 years ago

Okay, Google is your friend for this. localstart.asp contains the string "Welcome to Windows 2000" (!!). Updated in master.

digininja commented 8 years ago

I did the test and was going through checking results when I found it.

I was thinking it could have been the site serving a 404 page with a 200 code, but it wasn't; it was the string that matched.

On 30 Sep 2015 17:37, "David Lodge" notifications@github.com wrote:

I wonder whether the problem described in that post was from some tester just rote including Nikto's results and not checking them out fully.

Yeah. It looks like a false positive to me. I'm not certain what the text ought to be though. I may just change it to look for a 200.

I really hate sites that don't issue 404s!


tautology0 commented 8 years ago

Yeah I meant the forum post linked to by RealRancor...

digininja commented 8 years ago

I'd missed that link.

On 30 Sep 2015 17:50, "David Lodge" notifications@github.com wrote:

Yeah I meant the forum post linked to by RealRancor...


ghost commented 8 years ago

@tautology0 I'm not quite sure if "Welcome to Windows 2000" is the correct pattern to match here. The main goal is probably the vulnerability described here:

https://forums.iis.net/t/1153350.aspx

so you're getting a "WWW-Authenticate" here if the page is vulnerable to this brute-forcing thingy.

tautology0 commented 8 years ago

That's checked for in another check in tests.db (it checks for the string "unauthorized"). The one causing this issue is just checking for standard files.

ghost commented 8 years ago

Ahhh, got it. Have missed that one.

sullo commented 8 years ago

This is one of those tests I'm not sure we need. Has anyone ever done anything useful with localstart.asp (brute force excepted)?

digininja commented 8 years ago

No, I put it down as very low info disclosure and an indication that the server hasn't been hardened.

On 1 Oct 2015 13:52, "sullo" notifications@github.com wrote:

This is one of those tests I'm not sure we need. Has anyone ever done anything useful with localstart.asp (brute force excepted)?


ghost commented 8 years ago

Agreed that this is a very low item, and I haven't found this "out in the wild" during audit activities.

But if the check should stay, it probably should be changed to match against:

<title>Welcome to Windows

as I also found some localstart.asp files via Google containing a:

<title>Welcome to Windows XP Server Internet Services</title>

instead of a:

<title>Welcome to Windows 2000 Internet Services</title>

I'm also really wondering where the initial "Object moved" came from. None of the localstart.asp files I've found via Google contain this wording.
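As an added illustration (not Nikto's own code or matching engine), the following Python compares the original "Object moved" match from the 003585 entry against the title pattern proposed above, run over constructed sample responses. The 200 status-code requirement is an assumption of this example, picking up the suggestion earlier in the thread; it is not what tests.db does.

```python
import re

# Constructed sample responses (status code, body); not captured from any real host.
SAMPLES = {
    # The false-positive case from the issue: a 302 to an error page whose body
    # carries the standard IIS "Object moved" redirect stub.
    "redirect": (302, '<html><head><title>Object moved</title></head>'
                      '<body><h1>Object Moved</h1>This object may be found '
                      '<a HREF="/error.htm">here</a>.</body></html>'),
    # Genuine default pages, with the two title variants quoted in the thread.
    "win2000": (200, '<html><head><title>Welcome to Windows 2000 Internet Services'
                     '</title></head><body>Your Web service is now running.</body></html>'),
    "winxp": (200, '<html><head><title>Welcome to Windows XP Server Internet Services'
                   '</title></head><body>Your Web service is now running.</body></html>'),
    # A "soft 404": error text returned with a 200 code, which neither rule should flag.
    "soft404": (200, '<html><head><title>Page not found</title></head>'
                     '<body>Sorry, nothing here.</body></html>'),
}

def old_rule(status, body):
    """Original 003585 behaviour as described in the issue: literal 'Object moved' in the body."""
    return "Object moved" in body

# Proposed pattern from the thread, anchored on the <title> so later words may vary.
TITLE_RE = re.compile(r"<title>\s*Welcome to Windows", re.IGNORECASE)

def new_rule(status, body):
    """Proposed behaviour: a 200 whose <title> starts with 'Welcome to Windows'."""
    return status == 200 and TITLE_RE.search(body) is not None

def classify(samples=SAMPLES):
    """Return {name: (old_rule_hit, new_rule_hit)} so the two rules can be compared side by side."""
    return {name: (old_rule(*resp), new_rule(*resp)) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, (old_hit, new_hit) in classify().items():
        print(f"{name:8s} old={old_hit!s:5s} new={new_hit}")
```

The redirect stub is the only sample the old rule flags, and it is the one that is not a default page; the new rule flags exactly the two genuine localstart.asp variants.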

tautology0 commented 8 years ago

Consider it changed ;-)