Penetration Testing mailing list archives
Re: vulnerability scanners not effective? or just a false-positive?
From: James Davis <jamesd () jml net>
Date: Thu, 30 Mar 2006 08:26:40 +0100
On Wed, 2006-03-29 at 21:33 +0530, Joel Jose wrote:
> and one more question. How many of you think that the existence of the default banners in services (e.g. Apache default error pages) is a security threat, if not high, at least medium? I do.
Most compromises of Apache will be by automated scripts that won't be so cleverly coded that they bother to check that the server is running Apache before attempting an exploit. Look at the number of attempted IIS exploits you see in any public facing Apache's logs for evidence of this.
You can use the ServerTokens directive in the Apache configuration to limit the amount of information given out.
James
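The log check suggested in the reply above, as an added example that is not part of the original post: it counts requests in an Apache access log whose paths only make sense against IIS. The path patterns, the function name iis_probes and the sample log lines are assumptions constructed for this illustration.

```python
import re
from collections import Counter

# Request paths that only make sense against IIS. The list is illustrative,
# chosen for this example rather than taken from the original post.
IIS_ONLY = re.compile(
    r"(cmd\.exe|root\.exe|default\.ida|/_vti_bin/|/msadc/|\.asp(\?|$))",
    re.IGNORECASE)

# Apache common/combined format: host ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Mar/2006:08:01:12 +0100] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [30/Mar/2006:08:02:40 +0100] "GET /scripts/root.exe HTTP/1.0" 404 283
198.51.100.7 - - [30/Mar/2006:08:02:41 +0100] "GET /MSADC/root.exe HTTP/1.0" 404 281
203.0.113.5 - - [30/Mar/2006:08:05:03 +0100] "GET /default.ida?NNNN HTTP/1.0" 404 279
192.0.2.10 - - [30/Mar/2006:08:06:30 +0100] "GET /docs/manual.html HTTP/1.1" 200 900
203.0.113.9 - - [30/Mar/2006:08:07:00 +0100] "-" 408 -
"""

def iis_probes(log_text):
    """Return (parsed request count, Counter of IIS-only probes per client)."""
    total = 0
    probes = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format
        total += 1
        parts = m.group("request").split()
        if len(parts) < 2:
            continue  # "-" is logged when no request line was received
        if IIS_ONLY.search(parts[1]):  # parts[1] is the requested path
            probes[m.group("host")] += 1
    return total, probes

if __name__ == "__main__":
    total, probes = iis_probes(SAMPLE_LOG)
    print(f"{sum(probes.values())} of {total} requests target IIS-only paths")
    for host, count in probes.most_common():
        print(f"  {host}: {count}")
```

A non-zero count on a server that has never run IIS shows requests being sent without regard to the banner it advertises.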