Nmap Development mailing list archives
Re: NSE Script http-methods.nse
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 23 Feb 2010 19:01:31 +0100
On 23 feb 2010, at 17.40, David Fifield wrote:
On Tue, Feb 23, 2010 at 02:00:28PM +0100, Patrik Karlsson wrote:I just ran the script against an IIS 6.0 of mine and noticed that it wasn't detecting PUT which I had enabled. The reason for this is that PUT appears in the Public HTTP header rather than in the Allow header. In my case the response to the OPTIONS request looks like this: HTTP/1.1 200 OK Connection: close Date: Tue, 23 Feb 2010 12:45:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET MS-Author-Via: DAV Content-Length: 0 Accept-Ranges: none DASL: <DAV:sql> DAV: 1, 2 Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK Cache-Control: private Here's some more info on the Public header: http://www.w3.org/Protocols/HTTP/Object_Headers.html#public Maybe the contents of the Public and Allow headers should be merged?RFC 2616, the definition of HTTP/1.1, says in section 19.6.3, The Alternates, Content-Version, Derived-From, Link, URI, Public and Content-Base header fields were defined in previous versions of this specification, but not commonly implemented. See RFC 2068. RFC 2068, which is an earlier draft of RFC 2616, says this about Public in section 14.35 The Public response-header field lists the set of methods supported by the server. The purpose of this field is strictly to inform the recipient of the capabilities of the server regarding unusual methods. The methods listed may or may not be applicable to the Request-URI; the Allow header field (section 14.7) MAY be used to indicate methods allowed for a particular URI. So yes, I think it's a good idea to merge the fields. It should have a comment saying that Public was withdrawn in RFC 2616, but is implemented by at least IIS 6.0. Out of curiosity, what does this server return for the request OPTIONS * HTTP/1.0
An identical public and allow line it appears: OPTIONS * HTTP/1.0 HTTP/1.1 200 OK Connection: close Date: Tue, 23 Feb 2010 17:58:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 0 Accept-Ranges: bytes DASL: <DAV:sql> DAV: 1, 2 Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH Cache-Control: private
David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
//Patrik -- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSE Script http-methods.nse, (continued)
- Re: NSE Script http-methods.nse David Fifield (Feb 18)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 19)
- Re: NSE Script http-methods.nse David Fifield (Feb 19)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Feb 20)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Fyodor (Feb 22)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)
- Re: NSE Script http-methods.nse Patrik Karlsson (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Mar 02)
- Re: NSE Script http-methods.nse Daniel Roethlisberger (Mar 05)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Mar 05)
- Re: NSE Script http-methods.nse Vlatko Kosturjak (Feb 21)
- Re: NSE Script http-methods.nse David Fifield (Feb 22)
- Re: NSE Script http-methods.nse Bernd Stroessenreuther (Feb 23)
- Re: NSE Script http-methods.nse David Fifield (Feb 23)