Nmap Development mailing list archives
Possible Bug - [NSE] PHP version disclosure (OSVDB 12184)
From: Tom Sellers <nmap () fadedcode net>
Date: Mon, 09 Aug 2010 19:20:05 -0500
On 5/29/10 11:24 AM, Gutek wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ok, here comes a new version.
It now checks both the "special PHP logo" and the "Credits page".
David was right, we have a far better granualrity when using the Credits
as a fingerprint.
However i'm still not quite sure if this Credits page is really
phpinfo() dependant or not, while the logo does not seem to be.
So, the script now checks both: results from the "logo" are now marked
as "gives a range" (let's say, informational), and results from the
Credits are marked "more accurate".
In the end, to help collecting new hashes or to reveal at a glance if a
banner seems really different from the "easteregg fingerprint", the
scripts tries to grab the claimed PHP version from the Header.
During this past week i've scanned hundreds of webservers and so the
fingerprints database has grown and is now more mature. There should
remain only a few unknown signatures but in this case the script will
tell the user what to do.
Here is the new Output :
- ---
- -- @output
- -- PORT STATE SERVICE
- -- 80/tcp open http
- -- | php-easteregg: This EasterEgg Matches PHP Versions:
- -- | ('logo' test, gives a range)
- -- | 4.3.11,
- -- | 4.4.0 to 4.4.4,
- -- | 5.0.5-2ubuntu1.1,
- -- | 5.0.5-pl3-gentoo,
- -- | 5.1.0 to 5.1.2
- -- | ('credits' test, more accurate)
- -- | 5.0.5
- -- |_(According to the Header, server claims to be running PHP/5.0.5)
Again, thanks for the advises :)
A.G
Gutek,
Recently (last week or so) I have noticed that this script has been triggering on every http
and generating hashes. This occurs even when no real content is returned, such as a 403 (Forbidden)
or 301 (Moved Permanently)
If this behavior is not by design you may wish to check the value of response.status to determine if
the page you requested was returned successfully. The best bet would be a 200 (ok) response.
Perhaps changing
if response.body then
to something like
if response.body and response.status == 200 then
in both of the http.get sections would address this.
I tested this against my own non-php hosts and it removed the false positives.
I tested it against www.php.net and it seemed to work correctly as far as I
can tell.
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-php-version: Versions from logo query (less accurate): 5.1.4, 5.2.X
| Versions from credits query (more accurate): 5.1.4, 5.2.X, 5.2.12-0.dotdeb.1
|_Version from header x-powered-by: PHP/5.2.12RC4-dev
Thanks much,
Tom
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Tom Sellers (Aug 09)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Gutek (Aug 10)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Aug 10)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Gutek (Aug 12)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Aug 16)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) David Fifield (Aug 10)
- Re: Possible Bug - [NSE] PHP version disclosure (OSVDB 12184) Gutek (Aug 10)