RFI false positives w.r.t phpinfo() pages

[dnet]

As nikto.conf states, remote file inclusion is tested by configuring an

# RFI URL. This remote file should return a phpinfo call, for example: <?php phpinfo(); ?>

However, since there are (still) many people leaving their info.php and the like around in their webroots, this leads to false positives regarding a critical bug (RFI) when the original issue would be classified as a minor information leak.

I'm not sure what a good solution would be, this issue is more like an opening post for a discussion around this topic. RFI should be tested, but preferably with a payload that has lower chance for such false positive findings.

Any ideas?

[sullo]

A better idea would be to do some math and look for the results. This is a fairly easy change with a new RFIURL but it makes more sense at a larger release.

[sullo]

• 1: cirt.net/rfiinc.txt now has: <?php print "nik" . "to:" . 76197629 * 134.22 . ":
  \n"; phpinfo(); ?>
• 2: the @RFIURL tests now look for: nikto:10227245764.38:
• 3: the phpinfo() call is kept for backwards compatibility for older versions of db_tests