Nmap Development mailing list archives

RE: [NSE] Changes to http-auth


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 19 Dec 2011 14:47:25 -0000

I've taken a slightly closer look and I think the existing http.lua can cope
without the quotes.

But I get the impression that http.lua is struggling to deal with more than
one scheme in the WWW-Authenticate header. I think something's not quite
right with the parsing, probably some kind of off-by-one problem. I briefly
tried playing around with the code, which got it sort of working for the
header Patrik supplied, but then I was off-by-one in another place (I don't
think the comma is being properly taken into account after the name of the
scheme, but if you try to increment it there then other tokens can get
screwed up later on). It's not my code, so I'm finding it hard to follow
exactly what's going on. I might take another stab later, but I can't spend
any more time on it right now.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Rob Nicholls
Sent: 19 December 2011 07:48
To: 'Patrik Karlsson'; 'nmap-dev'
Subject: RE: [NSE] Changes to http-auth

My guess is that the charset bit of the string might be causing problems
with the parsing, as all the rest are quoted string values? A quick look at
http.lua suggests to me that we assume that the value is a quoted string as
per the RFC.

http://www.ietf.org/rfc/rfc2617.txt suggests that it should either be a
token or a quoted string.

I suspect we need to make read_auth_challenge or read_token_or_quoted_string
a bit more flexible to cope with non-compliant headers?

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Patrik Karlsson
Sent: 19 December 2011 07:02
To: Patrik Karlsson; nmap-dev
Subject: Re: [NSE] Changes to http-auth

On Mon, Dec 19, 2011 at 1:22 AM, David Fifield <david () bamsoftware com> wrote:

On Sat, Dec 17, 2011 at 10:46:15PM +0100, Patrik Karlsson wrote:
Hi all,

I've reworked the http-auth to handle multiple Authentication headers
being returned from the server.

Didn't it work that way before? The http library should join together 
multiple headers with a comma, and http.parse_www_authenticate should 
know how to deal with that. Manually parsing answer.rawheader seems 
wrong--http.parse_header does that already, including some tricky 
cases.

I tested locally against a dummy server offering Basic and Digest and 
it worked before your patch. What did you run into that caused you to 
have to change it?

ncat -l 8080 --sh-exec 'cat auth.http' -k

David Fifield


Ok, I reverted my patch just now, but it doesn't work anymore for me, this
is what I get:
| Server returned status 401 but the WWW-Authenticate header could not be parsed.
|_WWW-Authenticate: Negotiate, NTLM, Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1e4e256b4afb7f89b4eb43b241bbecc019ac8910c0451d75eda21f0a01b277e4dd0ec235788fb373269ed29fa7da630b1",charset=utf-8,realm="example.com", Basic realm="example.com"

It seems to fail in http.parse_www_authenticate as far as I can tell. I'll
see if I can look into it later.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
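
Added example, not part of the thread and not nmap's http.lua: a standalone Lua parser for the multi-scheme WWW-Authenticate value quoted above. It treats a token followed by "=" as a parameter of the current scheme and any other token as the start of a new scheme, and accepts either a token or a quoted-string as the value. The function names are hypothetical, the nonce in the sample is shortened to a constructed value, and token68 data (such as a Negotiate blob) is not handled.

```lua
-- Added example (not nmap's http.lua); function names are hypothetical.
local TOKEN = '^[^%c%s%(%)<>@,;:\\"/%[%]%?={}]+'      -- RFC 2616 token
local function skip_ws(s, pos) return s:find("[^ \t]", pos) or #s + 1 end
-- A value is a bare token (algorithm=MD5-sess) or a quoted-string.
local function read_value(s, pos)
  if s:sub(pos, pos) ~= '"' then
    local tok = s:match(TOKEN, pos)
    return tok, pos + #(tok or "")
  end
  local out, i = {}, pos + 1
  while i <= #s do
    local c = s:sub(i, i)
    if c == '"' then return table.concat(out), i + 1 end
    if c == "\\" then i = i + 1; c = s:sub(i, i) end  -- quoted-pair
    out[#out + 1] = c; i = i + 1
  end
  return nil, pos                                     -- unterminated quote
end

local function parse_www_authenticate(s)
  local challenges, cur, pos = {}, nil, 1
  while true do
    pos = skip_ws(s, pos)
    while s:sub(pos, pos) == "," do pos = skip_ws(s, pos + 1) end
    if pos > #s then return challenges end
    local name = s:match(TOKEN, pos)
    if not name then return nil, "expected token at offset " .. pos end
    pos = skip_ws(s, pos + #name)
    if s:sub(pos, pos) == "=" then    -- name=value: parameter of current scheme
      if not cur then return nil, "parameter before any scheme" end
      local value
      value, pos = read_value(s, skip_ws(s, pos + 1))
      if not value then return nil, "bad value for " .. name end
      cur.params[name:lower()] = value
    else                              -- bare token: a new scheme starts here
      cur = { scheme = name, params = {} }
      challenges[#challenges + 1] = cur
    end
  end
end

-- Header from the thread; the nonce is shortened to a constructed value.
local hdr = 'Negotiate, NTLM, Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1abc",charset=utf-8,realm="example.com", Basic realm="example.com"'
for _, c in ipairs(assert(parse_www_authenticate(hdr))) do
  local kv = {}
  for k, v in pairs(c.params) do kv[#kv + 1] = k .. "=" .. v end
  table.sort(kv)
  print(c.scheme, table.concat(kv, " "))
end
```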

