Nmap Development mailing list archives
Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184)
From: Gutek <ange.gutek () gmail com>
Date: Thu, 12 Aug 2010 11:30:23 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Le 10/08/2010 21:56, David Fifield a écrit :
Could the unknown hashes be printed only in verbose mode? (Remember when testing that listing a script by name automatically puts it in verbose mode.) David Fifield
As a quick workaround, here is a patch in which some verbosity is required to return a non-matching fingerprint (unknown hash). It's not a realy satisfying solution as it still computes a useless hash if the target is not running PHP: useless ressources. A solution would be to add a function which would be able to detect in some way the dynamic web technology used. Obviously, looking for the optionnal header field X-Powered-By is not the solution, as it's the very goal of this script. Also, querying some default page (let's say, index.php) and checking the HTTP200 code is not the way because some web sites "in contruction" may not have any of those pages yet: results would be false-negatives. Hence, the "best" patch will be something more complex, I guess. Which means, not likely to be commited in a short term. Still, I'm on it and will come back with a (working !) proposal. So help me Lua :) A.G. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkxjvy8ACgkQ3aDTTO0ha7iPggCfWB/+27xuAVRFiGe5tNopLdje VaIAn3XDofpT52azJmkhxbOEZTl0q/EN =GXZZ -----END PGP SIGNATURE-----
Attachment:
http-php-version.patch
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Tom Sellers (Aug 09)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Gutek (Aug 10)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Aug 10)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Gutek (Aug 12)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Aug 16)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Aug 10)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Gutek (Aug 10)