False positive from DDI_JRun_Sample_Files.nasl


#1

This plugin flags errors on systems it cannot log into. I don’t understand NASL well enough to understand why, but it seems pretty clear that ‘r’ in the second ‘if’ statement below should instead be ‘res’.

    port = get_http_port(default:80);

    for( i = 0; file[i]; i++) {

      url = file[i];
      pat = res[i];

      req = http_get(item:url, port:port);
      res = http_keepalive_send_recv(data:req, port:port);
      if(!res)
        continue;

      if(pat >< r) {
        report = report_vuln_url(port:port, url:url);
        security_message(port:port, data:report);
        exit(0);
      }
    }


#2

Thanks for your report. The mentioned VT has been corrected and should arrive in the feed in the next few days.