Nmap Development mailing list archives

Re: Apache killer (was: [NSE] New script and email update patch)


From: Duarte Silva <duarte.silva () serializing me>
Date: Mon, 29 Aug 2011 12:35:24 +0100

Hello,

> The testing algorithm should then be something like:
> """
> send_first_request()
> if rep.code == 206 then
>   send_second_request()
>   if rep.code == 200 then
>     target not vulnerable
>   else if rep.code == 206 then
>     target is vulnerable
>   end
> end
> """

Hmm, the first request seems a little redundant then, unless we want to 
distinguish between servers that implement and servers that don't implement 
the functionality.

> I also wonder whether using target.name is the best choice. Maybe
> trying (target.targetname or target.ip) would be better? In any case
> there is this http-vuln-cve2011-3192.hostname available, which is
> good.

I think we can live with the RDNS entry (if any) or the target.name (if any). 
The target.ip isn't very useful since the script is using the hostname 
variable in the HTTP Host header.

What do y'all think?

On Monday 29 August 2011 12:00:44 Henri Doreau wrote:
2011/8/29 Duarte Silva <duarte.silva () serializing me>:
Good morning,

new version implementing Henri Doreau suggestions in the attachments.

Regards,
Duarte Silva

Hi,

thanks for having implemented them. I still have many false positives
when testing it though. I should have been more explicit when
explaining the detection method.

Both steps don't actually do the same thing, and you can't assume that
the target is vulnerable as soon as you get a reply with code 206.
Step one is used to detect whether the target supports these "range
requests". Getting a code 206 reply on the first ("bytes=100") request
doesn't mean that the target is vulnerable.
The second one actually tests the presence of the vulnerability, but
there's no need to launch it if the first step showed that the target
doesn't support this kind of range request.

The testing algorithm should then be something like:
"""
send_first_request()
if rep.code == 206 then
  send_second_request()
  if rep.code == 200 then
    target not vulnerable
  else if rep.code == 206 then
    target is vulnerable
  end
end
"""

I also wonder whether using target.name is the best choice. Maybe
trying (target.targetname or target.ip) would be better? In any case
there is this http-vuln-cve2011-3192.hostname available, which is
good.

Finally the "final" variable in the action function should be declared as
local.


Regards.
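The two-step check Henri describes, written out as an added example in Python (not the NSE script's own Lua code) so the branches can be exercised against a constructed fake server. The only Range value taken from the thread is the "bytes=100" support probe; the second request's Range value is script-specific and is left as a labelled placeholder parameter here. The example also covers the case the pseudocode leaves open: a first reply of 206 followed by something other than 200 or 206.

```python
# Decision logic for the CVE-2011-3192 check discussed in the thread:
# step 1 asks whether the server honours Range requests at all (206),
# step 2 is sent only then and decides vulnerable (206) vs. patched (200).
# FakeServer and the Range placeholder are constructed for this example.
from typing import Callable

NO_RANGE_SUPPORT = "no range support"
NOT_VULNERABLE = "not vulnerable"
VULNERABLE = "vulnerable"
UNKNOWN = "unknown"


def pick_host_header(targetname, rdns_name, ip):
    """Host header choice per the thread: supplied name, else RDNS entry, else IP."""
    return targetname or rdns_name or ip


def probe(send: Callable[[str], int], support_range: str, vuln_range: str) -> str:
    """send(range_value) issues one GET with that Range header and returns the status."""
    if send(support_range) != 206:
        return NO_RANGE_SUPPORT          # second request would be pointless
    second = send(vuln_range)
    if second == 200:
        return NOT_VULNERABLE            # server ignored the test ranges
    if second == 206:
        return VULNERABLE                # server honoured them
    return UNKNOWN                       # e.g. 416 or 5xx: do not guess either way


class FakeServer:
    """Constructed stand-in for an HTTP server; `mode` selects its behaviour."""

    def __init__(self, mode: str):
        self.mode = mode
        self.requests: list[str] = []

    def send(self, range_value: str) -> int:
        self.requests.append(range_value)
        if self.mode == "no-range":
            return 200                   # Range ignored entirely
        if len(self.requests) == 1:
            return 206                   # supports range requests
        return {"patched": 200, "vulnerable": 206, "odd": 416}[self.mode]


def run_check(mode: str):
    """Returns (verdict, number of requests sent) for a server in `mode`."""
    srv = FakeServer(mode)
    verdict = probe(srv.send, "bytes=100", "<script-specific vulnerability-test range>")
    return verdict, len(srv.requests)
```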

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
