Nmap Development mailing list archives
Re: script category selection bug - was: Script force
From: Patrick Donnelly <batrick () batbytes com>
Date: Mon, 5 Dec 2011 12:18:50 -0500
On Mon, Dec 5, 2011 at 10:38 AM, Djalal Harouni <tixxdz () opendz org> wrote:
> On Sat, Dec 03, 2011 at 10:41:47PM +0100, Martin Holst Swende wrote:
> > On 12/01/2011 11:47 PM, Djalal Harouni wrote:
> > > On Tue, Nov 29, 2011 at 03:11:32PM -0800, David Fifield wrote:
> > > > I also tried +(default or vuln)
> > > > I didn't really expect it to work. This was the output:
> > > > NSE: failed to initialize the script engine:
> > > > [string "rule"]:1: attempt to call a boolean value
> > > We can also support this but it will need more regexp checks, perhaps
> > > we should just let users specify "+default or +vuln" as suggested by
> > > Fyodor. I'll try to have a look at this error.
> > Currently, there is an error since the globalized_rule is created on the
> > "+(default or vuln)" string instead of "(default or vuln)". If the
> > force-check/removal is moved up, it does not crash (but has no effect -
> > force is not used)
> > What happens currently is that the substring in globalize becomes empty,
> > since gsub will cut the input at first "(". This is the result:
> > m("")(m("default") or m("vuln"))
> Yes the substring becomes empty but this will not trigger the bug.
> This bug was present before this patch, you can test it with this:
> --script="foo(default and vuln)"

There is no vulnerability here. The parser should probably emit an error but I'm not sure it's worth it.

--
- Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
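
The failure discussed in this thread, as an added Lua example that is not Nmap's nse_main.lua and not code from any participant: a rule token directly followed by "(" is rewritten into a call on a boolean, and a pre-check can turn that into a clear parser error. `globalize`, `check_rule`, `run` and the selected-category table are hypothetical, simplified stand-ins.

```lua
-- Added example, not Nmap's nse_main.lua. globalize(), check_rule() and run()
-- are simplified stand-ins; the selected-category set below is constructed.
local KEYWORDS = { ["and"] = true, ["or"] = true, ["not"] = true }
local load_chunk = loadstring or load  -- Lua 5.1 vs 5.2+

-- Wrap every non-keyword token in m("..."); parentheses pass through.
-- %q quotes the token so it can only ever become a string literal.
local function globalize(rule)
  return (rule:gsub("[^%s()]+", function(tok)
    if KEYWORDS[tok] then return tok end
    return ("m(%q)"):format(tok)
  end))
end

-- Reject an operand (a name or ")") directly followed by "(": after
-- globalize() Lua parses that as a call on m()'s boolean result.
local function check_rule(rule)
  local prev_operand = false
  for tok in rule:gsub("[()]", " %0 "):gmatch("%S+") do
    if tok == "(" and prev_operand then
      return nil, "rule '" .. rule .. "': '(' directly after an operand"
    end
    prev_operand = tok ~= "(" and not KEYWORDS[tok]
  end
  return true
end

-- Compile and evaluate a rule; `checked` enables the pre-check above.
-- Returns ok, result-or-error-message.
local function run(rule, selected, checked)
  if checked then
    local ok, err = check_rule(rule)
    if not ok then return false, err end
  end
  local src = "local m = ...; return " .. globalize(rule)
  local chunk, err = load_chunk(src, "rule")
  if not chunk then return false, err end
  return pcall(chunk, function(name) return selected[name] == true end)
end

local selected = { default = true }  -- constructed: only "default" matches
print(globalize("foo(default and vuln)"))           -- the rewritten expression
print(run("foo(default and vuln)", selected, false)) -- runtime error from Lua
print(run("foo(default and vuln)", selected, true))  -- rejected before compile
print(run("not (default and vuln)", selected, true)) -- valid rule still works
```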