Nmap Development mailing list archives
RE: http-php-version output
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 26 Nov 2010 19:03:52 -0000
Thanks to both of you for your feedback! I've updated the script and will commit it shortly. I've attached a file with all the hashes that were generated, in case anyone wants to go back and verify something.

I started with IIS 7.5 using FastCGI. Versions prior to 5.2.1 didn't seem too happy with IIS 7.5, so to save time I quickly moved to Apache 2.0 with PHP as CGI.

I have concerns over some of the remaining hashes, particularly 4.3.1 against the bunny rabbit logo (as it should fall into the brown dog in grass logo range). The only place I've seen it mentioned is at http://webinfopedia.blogspot.com/2007/11/php-easter-egg.html where the person admits it's not taken from their server (so I presume it could be wrong/spoofed). Is it worth me tidying up the logo hashes based on the 0php.com info?

Also, it seems that PHP4u 3.0 is based on PHP 4.3.2. Is it worth keeping the PHP4u variant? Or can we let it match against 4.3.2?

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Gutek
Sent: 25 November 2010 17:24
To: Rob Nicholls
Cc: nmap-dev () insecure org
Subject: Re: http-php-version output

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/11/2010 16:08, Rob Nicholls wrote:
> I'm slowly working my way through every version of PHP 5 on Windows (just the 5.3.x variants left now!) to generate some new hashes for the script.
>
> This has led to quite a few "duplicate" values because we're also listing OS specific variants such as "5.2.4-2ubuntu5.10" and "5.2.12-0dotdeb.1" when there's already an existing value of "5.2.4" and "5.2.9 - 5.2.14" against exactly the same respective hashes. Would it be okay to ditch the OS variant? Would people be happy knowing that it matches a particular version of PHP rather than 5.2.4.%everyLinuxVariantSomeoneSpots%?
>
> For example, I'd change:
>
> ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0", "5.2.0-8-etch13 - 5.2.0-8-etch16"},
>
> to
>
> ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"},
>
> I don't think we've lost anything by removing it. We certainly don't gain anything, except perhaps confusion (especially when testing a Windows host), by having the Debian variant listed.
>
> Also, would people find it more useful having:
>
> {"5.2.9 - 5.2.14"}
>
> Or
>
> {"5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14"}
>
> I think that's the worst case example if they're expanded. I don't particularly like the idea of 5.2.x as it feels vague (I know that more specific, typically lower, versions are detected due to their different hashes). Grouping them together works, but the script inconsistently uses dashes and "to" - I propose replacing them all with dashes if we go this route, which is more consistent with Nmap's OS detection, e.g. "Linux 2.6.13 - 2.6.31". Having all of the version numbers listed separately could be useful for people that want to look up known vulnerabilities in specific versions, without having to parse "4.4.2 - 4.4.4" to spot "4.4.3" in the middle.
>
> I'm leaning towards grouping them though. Thoughts?
>
> Rob
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
I totally agree. The fact is that, when I wrote this script I've collected the first fingerprints by -iR 100's thousand of hosts: installing every PHP version sounded too loooong for a first release with an acceptable bunch of fingerprints. A great thanks for the job you're doing here!

The explanation about the different distribution versions is exactly the one David gives and, of course, I think they should be removed once a given fingerprint is proved to be a common one. And I also think that "5.2.9 - 5.2.14" should be a standard format (once a given fingerprint is also proved to cover the whole subversion range).

Having the subversion numbers "dashed" or listed is, I think, the same for a future script or derived tool: with a range, and if the dash-notation is the standard, a little mathematics and a loop make it easy to retrieve the list.

Thanks again!

A.G.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkzum8MACgkQ3aDTTO0ha7g3CgCghE17rc/T4ATlZIXBDEFmGmeN
aTMAn1zBh/ZduQ41+emtOBHPoRLaySYs
=lYuP
-----END PGP SIGNATURE-----
Attachment: php-5-hashes.txt
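Gutek's remark above that a dashed range plus "a little mathematics and a loop" recovers the full version list, and Rob's question about having to parse "4.4.2 - 4.4.4" to spot "4.4.3", as an added Python example of a consumer-side helper; it is not part of the thread and not code from the http-php-version script. The table layout mirrors the Lua entries quoted above, but only the first hash is from the thread; the other two are labelled placeholders and every hash-to-version pairing is illustrative. The one caveat it bakes in: the range separator is " - " with surrounding spaces, so an OS-variant string such as "5.2.4-2ubuntu5.10" (bare hyphen) is never mistaken for a range.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the script's hash table: MD5 of the
# easter-egg response -> list of version specs, each either a single version
# or a dashed range. Only the first digest comes from the thread; the two
# all-zero/all-one digests are placeholders. Pairings are illustrative only.
SAMPLE_TABLE: Dict[str, List[str]] = {
    "6a1c211f27330f1ab602c7c574f3a279": ["5.2.0", "5.2.0-8-etch13 - 5.2.0-8-etch16"],
    "00000000000000000000000000000000": ["5.2.9 - 5.2.14"],                 # placeholder hash
    "11111111111111111111111111111111": ["4.4.2 - 4.4.4", "5.2.4-2ubuntu5.10"],  # placeholder hash
}

RANGE_SEP = " - "  # the dashed-range notation proposed in the thread
_TRAILING_INT = re.compile(r"^(.*?)(\d+)$")  # shared prefix + last number


def expand_range(spec: str) -> List[str]:
    """Expand "A - B" into every version from A to B inclusive.

    Only the trailing integer may differ between the endpoints; the shared
    prefix ("5.2." or "5.2.0-8-etch") is kept verbatim. A spec without the
    separator is a single version and comes back unchanged, which is what
    keeps "5.2.4-2ubuntu5.10" from being treated as a range.
    """
    if RANGE_SEP not in spec:
        return [spec]
    lo, hi = (s.strip() for s in spec.split(RANGE_SEP, 1))
    m_lo, m_hi = _TRAILING_INT.match(lo), _TRAILING_INT.match(hi)
    if not (m_lo and m_hi) or m_lo.group(1) != m_hi.group(1):
        raise ValueError(f"endpoints differ in more than the last number: {spec!r}")
    prefix, start, end = m_lo.group(1), int(m_lo.group(2)), int(m_hi.group(2))
    if end < start:
        raise ValueError(f"descending range: {spec!r}")
    return [f"{prefix}{n}" for n in range(start, end + 1)]


def collapse_versions(versions: List[str]) -> List[str]:
    """Inverse of expand_range: fold consecutive versions (in the order given)
    that share a prefix into "A - B" specs; anything else passes through."""
    specs: List[str] = []
    run: List[tuple] = []  # current consecutive run as (prefix, number)

    def flush() -> None:
        if run:
            prefix, first = run[0]
            _, last = run[-1]
            specs.append(f"{prefix}{first}" if first == last
                         else f"{prefix}{first}{RANGE_SEP}{prefix}{last}")
            run.clear()

    for v in versions:
        m = _TRAILING_INT.match(v)
        if not m:                      # no trailing number: cannot be ranged
            flush()
            specs.append(v)
            continue
        prefix, n = m.group(1), int(m.group(2))
        if run and (run[-1][0] != prefix or run[-1][1] + 1 != n):
            flush()
        run.append((prefix, n))
    flush()
    return specs


def versions_for_hash(table: Dict[str, List[str]], digest: str) -> List[str]:
    """All concrete versions a response hash can correspond to, deduplicated."""
    out: List[str] = []
    for spec in table.get(digest.lower(), []):
        for v in expand_range(spec):
            if v not in out:
                out.append(v)
    return out


def hash_matches_version(table: Dict[str, List[str]], digest: str, version: str) -> bool:
    """Answer Rob's lookup: is e.g. "4.4.3" covered by the entry for this hash?"""
    return version in versions_for_hash(table, digest)


if __name__ == "__main__":
    for digest, specs in SAMPLE_TABLE.items():
        print(digest, specs, "->", versions_for_hash(SAMPLE_TABLE, digest))
    print(collapse_versions(["5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14"]))
```

collapse_versions deliberately does not sort its input: version strings do not sort correctly as plain text ("5.2.10" would land before "5.2.9"), so the caller passes the list in the order the table already keeps it.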