False Positive in Nikto 2.1.3

First of all, some of you may not know what a "False Positive" is. A false positive is when a tool tells you that a specific vulnerability exists in your program when in fact it does not. Many security scanners scan an application (or a service/daemon) and try to find vulnerabilities in it. Sometimes the signatures (the 'check logic') get it wrong and report a vulnerability that does not exist.

And yes, I think it happens with Nikto 2.1.3, especially with the "-C all" option, or "force directory check" for CGI directories. OK, it is not making me stop using Nikto to check for bugs, but it makes me avoid using the "-C all" option because sometimes it reports many files that don't even exist (correct me if I'm wrong).
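A cheap way to separate real hits from noise before trusting a "-C all" run is to re-request each reported path and compare the answer with what the server gives for a path that cannot exist. Servers that answer every unknown URL with a 200 "friendly" page (a soft 404) make every directory check look like a hit. The script below is an added example and is not code from the original post or from Nikto: the target is a constructed local HTTP server that behaves like such a soft-404 site, and the list of reported paths is sample data, not real Nikto output. The helper names (fetch, soft404_baseline, verify_findings) are my own.

```python
"""Re-check paths reported by a Nikto '-C all' run against a soft-404 baseline.

Added example, not from the original post or from Nikto. The target below is a
constructed local server that answers 200 for any unknown path (soft 404), serves
a real /robots.txt, and returns a proper 404 under /static/.
"""
import random
import string
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import urlopen

# Constructed sample: paths a '-C all' run might report (not real Nikto output).
REPORTED_PATHS = ["/cgi-bin/test-cgi", "/cgi-bin/php.cgi", "/cgi-bin/formmail.pl",
                  "/robots.txt", "/static/old.bak"]


class SoftNotFoundHandler(BaseHTTPRequestHandler):
    """Constructed stand-in target with the behaviour that fools directory checks."""

    def do_GET(self):
        if self.path.startswith("/static/"):
            self.send_error(404)          # a real 404, the easy case
            return
        if self.path == "/robots.txt":    # a genuinely existing file
            body, ctype = b"User-agent: *\nDisallow: /admin/\n", "text/plain"
        else:                             # soft 404: 200 plus a page echoing the path
            body = (b"<html><body><h1>Welcome</h1><p>We could not find "
                    + self.path.encode() + b", so here is the homepage.</p></body></html>")
            ctype = "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Start the constructed target on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), SoftNotFoundHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch(base_url, path, timeout=5):
    """Return (status, body); HTTP error statuses are results, not exceptions."""
    try:
        with urlopen(urljoin(base_url, path), timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def random_path(prefix="/"):
    """A path that cannot exist on the target, used to learn its not-found behaviour."""
    name = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    return f"{prefix}{name}.nikto-check"


def fingerprint(path, body):
    """Body length with the requested path stripped, so a soft-404 page that echoes
    the URL back still matches the baseline taken with a different random path."""
    return len(body.replace(path.encode(), b""))


def soft404_baseline(base_url):
    """Probe two impossible paths (root and /cgi-bin/). Returns None when the server
    answers both with a real 404, else the statuses and fingerprints it produced."""
    probes = [random_path("/"), random_path("/cgi-bin/")]
    results = [(p, *fetch(base_url, p)) for p in probes]
    statuses = {status for _, status, _ in results}
    if statuses == {404}:
        return None
    return {"statuses": statuses,
            "fingerprints": [fingerprint(p, body) for p, _, body in results]}


def verify_findings(base_url, paths, tolerance=16):
    """Classify each reported path as missing, a soft-404 false positive, or present."""
    baseline = soft404_baseline(base_url)
    verdicts = {}
    for path in paths:
        status, body = fetch(base_url, path)
        if status == 404:
            verdicts[path] = "missing"
        elif baseline and status in baseline["statuses"] and any(
                abs(fingerprint(path, body) - n) <= tolerance
                for n in baseline["fingerprints"]):
            verdicts[path] = "false positive (matches soft-404 page)"
        else:
            verdicts[path] = "present (verify manually)"
    return verdicts


def run_demo():
    """Spin up the constructed target, verify the sample findings, and shut it down."""
    server, base_url = start_target()
    try:
        return verify_findings(base_url, REPORTED_PATHS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path:24} {verdict}")
```

Against a real target, replace start_target() with the scanned host's base URL and feed it the paths from Nikto's report; anything classed as "present" still deserves a manual look, since a page-length match is a heuristic, not proof, and the tolerance should be raised for sites whose error page carries dynamic content.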

This is a sample of Nikto's output:

Panggi Libersa Jasri Akadol
