Re: Virtual Domain Scanning Bug

["davenessus_at_davewking.com" <davenessus_at_davewking.com>]

I think I may have figured this out.  As far as I can tell with my 
limited testing, instead of ip[domain] it should be domain[ip], for 
example try www.foo.com[10.0.0.2].  It looks like this is backwards in 
several places including the Nessus Knowledge base and several emails on 
the mailing list.  I actually found this answer in this email 
http://mail.nessus.org/pipermail/nessus/2002-October/msg00227.html.  Let 
the list know if this works.

Dave King



Jay Jacobson wrote:

> I have not seen any responses to this, and since I sent it over a 
> holiday weekend, I figured I would re-send (original below). Can 
> anyone confirm this bug? Any ideas?
>
> ~Jay
>
>
> On Sun, 29 May 2005, Jay Jacobson wrote:
>
> > I believe we have found a bug in Nessus' implementation of HTTP(S) 
> > virtual domain scanning. Using Nessus 2.2.4. The syntax is to scan 
> > the target is ip[hostname], for example 10.0.0.2[www.foo.com].
> >
> > The bug crops up when the hostname resolves to a different IP than 
> > the one specificed. The scenario is:
> >
> > * 10.0.0.2 is a web server that hosts many virtual domains. One of 
> > the domains it responds to is www.foo.com.
> >
> > * www.foo.com only resolves to 192.168.2.10 (no round-robin DNS).
> >
> > * Starting a Nessus scan with the target specified as 
> > "10.0.0.2[www.foo.com]" and Nessus seems to lookup www.foo.com and 
> > proceed to do the actual scan on 192.168.2.10, when it should be 
> > scanning 10.0.0.2, since that was the target IP given to Nessus. 
> > Thus, Nessus is scanning an IP address that was NOT supposed to be 
> > scanned.
> >
> > I know this is an unusual setup, and the above scenario is just an 
> > example. Nonetheless, it does look like a bug in Nessus is causing it 
> > to scan the wrong IP in this case. Thoughts?
> >
> > ~Jay