As nikto.conf states, remote file inclusion is tested by configuring an
# RFI URL. This remote file should return a phpinfo call, for example: <?php phpinfo(); ?>
However, since there are (still) many people leaving their info.php and the like around in their webroots, this leads to false positives regarding a critical bug (RFI) when the original issue would be classified as a minor information leak.
I'm not sure what a good solution would be, this issue is more like an opening post for a discussion around this topic. RFI should be tested, but preferably with a payload that has lower chance for such false positive findings.
A better idea would be to do some math and look for the results. This is a fairly easy change with a new RFIURL but it makes more sense at a larger release.
As
nikto.conf
states, remote file inclusion is tested by configuring anHowever, since there are (still) many people leaving their
info.php
and the like around in their webroots, this leads to false positives regarding a critical bug (RFI) when the original issue would be classified as a minor information leak.I'm not sure what a good solution would be, this issue is more like an opening post for a discussion around this topic. RFI should be tested, but preferably with a payload that has lower chance for such false positive findings.
Any ideas?