Information Security News mailing list archives

RE: Free tool: apache chunked vulnerability scanner


From: InfoSec News <isn () c4i org>
Date: Tue, 25 Jun 2002 06:47:57 -0500 (CDT)

Forwarded from: Marc Maiffret <marc () eeye com>
Cc: Jonas M Luster <jluster () baysec org>

Thanks for your email.

The first version was released quickly so people could have something to
start with. The current version of the tool does perform an attack to
determine if it's vulnerable. We're always improving over time, but things
start somewhere.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: Jonas M Luster [mailto:jluster () baysec org]
| Sent: Monday, June 24, 2002 1:48 PM
| To: InfoSec News
| Cc: marc () eeye com
| Subject: Re: [ISN] Free tool: apache chunked vulnerability scanner
|
|
| Quoting InfoSec News (isn () c4i org):
|
| > Forwarded from: "Marc Maiffret" <marc () eeye com>
| > Cc: "Greg Broiles" <gbroiles () parrhesia com>
| >
| > Yes, the tool is non-intrusive. Thanks for pointing that out. We'll
| > update the site.
|
| That's another way to put it. But why call it a 'vulnerability
| scanner' in the first place if it's only a version checker? Apache
| users with ServerTokens set to Prod or OS won't be reported
| vulnerable, while my servers, running an originally vulnerable but
| patched Apache, are reported to be.
|
| This kind of advertising is pretty deceptive. In fact there's only one
| way to scan for that vulnerability - and that's by exploiting it.
| Every twelve-year-old with a broomstick and libwhisker can write a
| version checker in minutes, if not less, so why not call it what it is
| - a sophisticated way to verify Apache signatures?
|
| But, non-intrusive sounds cool, I give you that.
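Added example, not code from this thread or from eEye's tool: a banner-only "vulnerability scanner" for the Apache chunked-encoding flaw, written to show the two failure modes Jonas describes above. It treats the Server header as the only evidence, and it needs the fixed versions (1.3.26 and 2.0.39, from Apache's own advisory; the thread does not quote the numbers). The HTTP responses are constructed, and the "patched backport" host, a vendor build that keeps the old version string but carries the fix, is hypothetical.

```python
# Added example (not from the thread, not eEye's scanner): what a version
# check for the Apache chunked-encoding flaw can and cannot tell you.
import re
from typing import Optional, Tuple

# Releases that carry the fix, per Apache's advisory (not quoted in the
# thread). Anything older in the same branch is what a banner check will
# report as "vulnerable".
FIXED_IN = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 39)}

# ServerTokens Prod sends "Server: Apache" with no version at all;
# Min/OS/Full send "Apache/x.y.z" followed by increasing detail.
SERVER_RE = re.compile(r"^Server:[ \t]*Apache(?:/(\d+)\.(\d+)\.(\d+))?",
                       re.IGNORECASE | re.MULTILINE)


def apache_version(response: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) from the Server header, or None when
    the header is missing, not Apache, or carries no version (Prod)."""
    m = SERVER_RE.search(response)
    if m is None or m.group(1) is None:
        return None
    return tuple(int(g) for g in m.groups())


def banner_verdict(response: str) -> str:
    """What a version-only check reports for one response:
    'vulnerable', 'not-vulnerable' or 'unknown'. It never touches the
    chunked-encoding code path, so 'unknown' is all it can say when the
    banner hides the version."""
    ver = apache_version(response)
    if ver is None:
        return "unknown"
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return "unknown"          # branch the table does not cover
    return "vulnerable" if ver < fixed else "not-vulnerable"


# Constructed responses, each paired with whether the host really is
# vulnerable. Note that samples 1 and 5 have identical banners.
SAMPLES = [
    ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.24 (Unix)\r\n\r\n", True),
    ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\n\r\n", False),
    ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.36 (Win32)\r\n\r\n", True),
    # ServerTokens Prod on an unpatched 1.3.24: the banner hides it.
    ("HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n", True),
    # Hypothetical vendor backport: old version string, fix applied.
    ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.24 (Unix)\r\n\r\n", False),
]


def classify_errors(samples=SAMPLES) -> Tuple[int, int]:
    """Count the hosts a banner check gets wrong, as
    (false_negatives, false_positives). 'unknown' is counted the way the
    scanner in the thread reported it: as not vulnerable."""
    false_negatives = false_positives = 0
    for response, really_vulnerable in samples:
        verdict = banner_verdict(response)
        if verdict != "vulnerable" and really_vulnerable:
            false_negatives += 1
        if verdict == "vulnerable" and not really_vulnerable:
            false_positives += 1
    return false_negatives, false_positives


if __name__ == "__main__":
    for response, really_vulnerable in SAMPLES:
        banner = response.split("\r\n")[1]
        print(f"{banner:40} reported={banner_verdict(response):15} "
              f"actual={'vulnerable' if really_vulnerable else 'patched'}")
    print("false negatives, false positives:", classify_errors())
```

Run as written, the check misses the Prod host (one false negative) and flags the patched backport (one false positive), even though it classifies the three plain-version hosts correctly. The only information a banner check adds over the version string itself is the comparison against the fixed releases; deciding between those two misjudged hosts requires sending the malformed chunked request and observing the server's behaviour, which is the "attack" Marc says the current version of the tool performs.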




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.