Your Nikto’s on Fire…


Earlier this week (or rather, at the end of last week) Robert Hansen, aka RSnake, released a huge compiled list of parameters vulnerable to Remote File Inclusion (RFI). To sweeten the deal, Rob Fuller (mubix) and a few others parsed the OSVDB’s CSV database and the compiled milw0rm site for all the RFIs listed there.

What we’re left with is a gargantuan list of RFI vulnerabilities to search for.

The first thing that came to my mind when I saw that list was “hey, I’ll parse that into the Nikto database”, but, alas, Sullo (Nikto’s author) moves quick! Sullo released a new version of Nikto like hotcakes.

In addition to RFI goodness, 2.1.1 contains some bug fixes, etc.:

- New remote file inclusion (RFI) testing
- Over 2300 new RFI tests (courtesy RSnake/OSVDB)
- Sending of each test ID in the User-Agent
- Libwhisker 2.5, which includes 2 new IDS evasion techniques
- Ability to run specific plugins
- XML report now includes SSL information

Check it out here =)
