Nmap Development mailing list archives
Re: .htaccess + php sec bypass
From: David Fifield <david () bamsoftware com>
Date: Fri, 7 Sep 2012 07:15:45 -0700
On Fri, Aug 17, 2012 at 05:19:42PM -0500, Paulino Calderon wrote:
> On 04/08/2012 08:11 p.m., Paulino Calderon wrote:
>> On 30/07/2012 07:49 p.m., Arturo 'Buanzo' Busleiman wrote:
>>> Hey, thank you MK!
>>>
>>> On Mon, Jul 30, 2012 at 8:24 PM, Matias Katz <matias () matiaskatz com> wrote:
>>>> If you need any feedback from me, please ask. I'd be happy to reply, and help in any part of the script writing process :)
>>
>> I've looked into this tool and realized that we sort of have a similar script that can accomplish this task. The tool released in BH basically attempts to access a resource using a non-existing HTTP method (AKA HTTP verb tampering). Not too long ago, Hani released http-method-tamper which performs a similar test but is focused on the JBoss vulnerability (CVE-2010-0738).
>>
>> I'm attaching a new version of the script http-method-tamper. It has the following advantages over the previous version:
>>
>> * Supports http spidering. The idea is that users can run the script with no arguments and it will crawl the webserver, identify protected resources and attempt to bypass the authentication.
>> * Supports checks to specific paths. If a user knows what paths need to be checked, we can do so by setting an argument. No spidering is done when we specify paths.
>> * The test to identify the vulnerability is more comprehensive in this script. First, we try with "HEAD", then "POST" and finally a random string (non-existing method) as the HTTP verbs.
>>
>> IMO the existing script works perfectly for checking CVE 2010-0738 but since this is a general check, the specific JBoss information should be moved to a separate script.
>>
>> Feel free to test it against my test installation at 106.187.53.215:
>>
>> nmap -p80 --script http-method-tamper --script-args paths=/method-tamper/protected/pass.txt 106.187.53.215
>
> Did anyone have a chance to test this update? What are your opinions regarding these two scripts and their names?
>
> Recap:
>
> 1.- Current http-method-tamper does not detect misconfigured htaccess files and seems to be too specific for that jboss vuln.
> 2.- New script has spidering support and improved detection. But I'm hesitant to name it as the old one "http-method-tamper" as users might unintentionally crawl webservers thinking it still works as before.
>
> Feel free to try against the test server mentioned above.
I can see the value in spidering to find paths but it's also useful for a script to have a list of paths like /jmx-console that are good candidates to test. You can commit your new http-method-tamper with spidering, however it should not be in the safe category. Move the existing http-method-tamper to something named after the vulnerability advisory, and leave it in safe.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
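As an added illustration (not part of the thread and not Nmap or script code) of the kind of misconfigured .htaccess the check above is meant to flag: a weak method-limited rule beside its hardened form, assuming Apache 2.4 authorization syntax and a placeholder htpasswd path.

```apache
# Constructed example, not from the thread. Assumes Apache 2.4 syntax;
# /var/www/.htpasswd is a placeholder path.

# --- Weak: authentication is only enforced for the listed methods ---
AuthType Basic
AuthName "Protected area"
AuthUserFile /var/www/.htpasswd
<Limit GET>
    # Apache applies a GET limit to HEAD as well, but POST and any
    # unregistered method name (the "random string" probe) are not
    # covered, so a PHP handler in this directory still runs for them.
    Require valid-user
</Limit>

# --- Hardened: the same protection, applied to every method ---
AuthType Basic
AuthName "Protected area"
AuthUserFile /var/www/.htpasswd
# A Require outside any <Limit> block covers all methods, including
# ones the server does not recognise.
Require valid-user
# Additionally refuse methods the application never uses, so they are
# rejected before any handler sees them.
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>
```

Running the thread's probe sequence (HEAD, POST, an unrecognised verb) against a path under the weak block returns the resource for POST and the unknown verb; under the hardened block every method gets 401 or 403, which is what the script's "not vulnerable" result corresponds to.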