Re: script category selection bug - was: Script force

[Patrick Donnelly <batrick () batbytes com>]

On Mon, Dec 5, 2011 at 10:38 AM, Djalal Harouni <tixxdz () opendz org> wrote:
> On Sat, Dec 03, 2011 at 10:41:47PM +0100, Martin Holst Swende wrote:
> > On 12/01/2011 11:47 PM, Djalal Harouni wrote:
> > > On Tue, Nov 29, 2011 at 03:11:32PM -0800, David Fifield wrote:
> > > > I also tried
> > > >    +(default or vuln)
> > > > I didn't really expect it to work. This was the output:
> > > >    NSE: failed to initialize the script engine:
> > > >    [string "rule"]:1: attempt to call a boolean value
> > > We can also support this but it will need more regexp checks, perhaps we
> > > should just let users specify "+default or +vuln" as suggested by
> > > Fyodor.
> > >
> > > I'll try to have a look at this error.
> >
> > Currently, there is an error since the globalized_rule is created on the
> > "+(default or vuln)" string instead of "(default or vuln)".
> > If the force-check/removal is moved up, it does not crash (but has no
> > effect - force is not used)
> > What happens currently is that the substring in globalize becomes empty,
> > since gsub will cut the input at first "(". This is the result:
> >
> > m("")(m("default") or m("vuln"))
> Yes the substring becomes empty but this will not trigger the bug.
>
> This bug was present before this patch, you can test it with this:
> --script="foo(default and vuln)"

There is no vulnerability here. The parser should probably emit an
error but I'm not sure it's worth it.

-- 
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/