Vulnerability Development mailing list archives

VS: Apache vulnerability checking


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Wed, 26 Jun 2002 22:42:48 +0300

TH> patch. For instance, eEye's tool reports my patched RH7.2 server as
TH> "vulnerable", because it only checks the server string, it doesn't
TH> try to exploit the vulnerability.

That's interesting.. If you sniff the tool, you'll see it does a HEAD,
and then posts to x.html with a chunk encoding.. It seems to be doing
more than just reading the version on the banner. (This is as of 2 hours
ago, maybe they updated their tool).

It appears to actually exploit it for the testing. I didn't trace the
tool itself, only from what the packet capture says.

The original version only checked the server version, whereas an updated
version now available does the HEAD and really tests for the hole. I saw
this post on the Infosec news mailing list:

"Forwarded from: Marc Maiffret <marc () eeye com>
Cc: Jonas M Luster <jluster () baysec org>

thanks for your email.

the first version was released quickly so people could have something to
start with. the current version of the tool does perform an attack to
determine if it's vulnerable. we're always improving over time but things
start somewhere.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security"

The new version (1.0.2) of the tool now reports even older, patched
Apaches correctly as "not vulnerable", including my server.

-- 
Toni Heinonen, Teleware Oy
  Wireless +358 (40) 836 1815
  Telephone +358 (9) 3434 9123
  toni.heinonen () teleware fi
  www.teleware.fi
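
The thread distinguishes a scanner that only reads the banner (a HEAD request) from one that follows the HEAD with a chunked POST. The sketch below is an added example, not part of the original messages or of eEye's tool: it classifies clients in a capture by that pattern. The addresses, host names and request heads are constructed sample data.

```python
from email.parser import Parser

# Constructed sample: request heads reassembled from a packet capture,
# paired with the source address. All values are made up for illustration.
CAPTURE = [
    ("192.0.2.10", "HEAD / HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    ("192.0.2.20", "HEAD / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("192.0.2.20", "POST /x.html HTTP/1.1\r\nHost: www.example.test\r\n"
                   "transfer-encoding: Chunked\r\n\r\n"),
    ("192.0.2.30", "POST /form HTTP/1.1\r\nHost: www.example.test\r\n"
                   "Content-Length: 5\r\n\r\n"),
]

def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    # The e-mail header parser gives case-insensitive header lookup.
    headers = Parser().parsestr(header_block.replace("\r\n", "\n"),
                                headersonly=True)
    return parts[0].upper(), parts[1], headers

def is_chunked(headers):
    """True if any Transfer-Encoding header lists the chunked coding."""
    codings = []
    for value in headers.get_all("Transfer-Encoding", []):
        codings += [c.strip().lower() for c in value.split(",")]
    return "chunked" in codings

def classify_clients(capture):
    """Map each source to 'active-test', 'banner-only' or 'other'."""
    verdict = {}
    for src, raw in capture:
        method, _path, headers = parse_request(raw)
        if method == "POST" and is_chunked(headers):
            verdict[src] = "active-test"   # sticky once observed
        elif verdict.get(src) != "active-test":
            banner_so_far = verdict.get(src) in (None, "banner-only")
            verdict[src] = ("banner-only"
                            if method == "HEAD" and banner_so_far else "other")
    return verdict

if __name__ == "__main__":
    for src, kind in classify_clients(CAPTURE).items():
        print(src, kind)
```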

