On Thu, 18 Dec 2003, toddr arc com wrote: > 1. CSS: Tom indicates that SATAN and older versions of SAINT are not > vulnerable to CSS. Tom is incorrect as all used the SATAN engine > which did not tranlate "<" and ">" to their html codes "<" and > "> I suspect that SAINT has fixed it, SARA has, but SATAN has > not. I disagree. Tom's original posting seems correct. Although SARA, SAINT, and SATAN all use an http engine derived from the same code, this specific vulnerability arises from code introduced in SARA which was not part of SATAN or SAINT (from sara_run_action.pl): $debug="ON" if ! $daemon; $debug="" if $daemon; select CLIENT; This block of code enables debugging whenever a scan runs in non-daemon (standalone) mode and redirects the debugging output to the browser, which, prior to 5.0.0, could include service banners containing script tags. And, in any case, worthwhile security ideas should not be discouraged. If every vulnerability posting were considered a "complaint" by the respective vendor, this list would become a very unfriendly environment for sharing security concerns. -- Sam Kline Chief Development Engineer SAINT Corporation
