Nmap Development mailing list archives

Re: [NSE] Changes to http-auth


From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 19 Dec 2011 19:44:16 +0100

On Mon, Dec 19, 2011 at 3:47 PM, Rob Nicholls <robert () robnicholls co uk> wrote:

I've taken a slightly closer look and I think the existing http.lua can
cope without the quotes.

But I get the impression that http.lua is struggling to deal with more than
one scheme in the WWW-Authenticate header. I think something's not quite
right with the parsing, probably some kind of off-by-one problem. I briefly
tried playing around with the code, which got it sort of working for the
header Patrik supplied, but then I was off-by-one in another place (I don't
think the comma is being properly taken into account after the name of the
scheme, but if you try to increment it there then other tokens can get
screwed up later on). It's not my code, so I'm finding it hard to follow
exactly what's going on. I might take another stab later, but I can't spend
any more time on it right now.

Rob


Thanks for looking into this Rob. I figured out what the problem was and it
had to do with authentication schemes that did not contain any parameters.
The read_auth_challenge would fail if no params were present. As my servers
supported both Kerberos and NTLM, which both don't have any parameters in
addition to the scheme, parsing would fail.

I'm hoping the patch I committed in r27560 solves this problem. I've also
committed a new version of http-auth r27561 that takes this fact into
account and contains some other cosmetic changes, and Duarte's path
addition.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
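
The failure discussed in this thread (a WWW-Authenticate header listing several schemes, some of them with no parameters, such as Negotiate and NTLM) is illustrated by the following added example. It is not the code from http.lua or from r27560; the function name `parse_www_authenticate` and the sample header are assumptions made for illustration, and the grammar follows the RFC 7235 challenge syntax.

```lua
-- Added example, not Nmap's http.lua: split a WWW-Authenticate value into
-- challenges, accepting schemes that carry no parameters at all.
local TCHAR = "[%w!#%$%%&'%*%+%-%.%^_`|~]"   -- HTTP token characters

local function parse_www_authenticate(value)
  local challenges, current, pos = {}, nil, 1
  while true do
    pos = value:find("[^%s,]", pos)           -- skip spaces and commas
    if not pos then return challenges end
    local name, after = value:match("^(" .. TCHAR .. "+)()", pos)
    if not name then return nil, "unexpected character at " .. pos end
    local eq = value:match("^%s*=%s*()", after)
    if eq and current then
      -- name=value: a parameter of the challenge currently being read
      local val, nxt
      if value:sub(eq, eq) == '"' then         -- quoted-string, may hold commas
        local buf, i = {}, eq + 1
        while true do
          local c = value:sub(i, i)
          if c == "" then return nil, "unterminated quoted-string" end
          if c == '"' then break end
          if c == "\\" then i = i + 1; c = value:sub(i, i) end
          buf[#buf + 1] = c
          i = i + 1
        end
        val, nxt = table.concat(buf), i + 1
      else
        val, nxt = value:match("^(" .. TCHAR .. "*)()", eq)
      end
      current.params[name:lower()] = val
      pos = nxt
    else
      -- a token not followed by "=" starts a new challenge (params optional)
      current = { scheme = name, params = {} }
      challenges[#challenges + 1] = current
      -- optional token68 blob, e.g. a Negotiate continuation token
      local t68, nxt = value:match("^%s+([%w%-%._~%+/]+=*)%s*()", after)
      if t68 and (nxt > #value or value:sub(nxt, nxt) == ",") then
        current.token68, pos = t68, nxt
      else
        pos = after
      end
    end
  end
end

-- Constructed sample header (not taken from the thread).
local sample = 'Negotiate, NTLM, Basic realm="intranet", Digest realm="a, b", qop=auth'
for _, c in ipairs(assert(parse_www_authenticate(sample))) do
  print(c.scheme, next(c.params) and "has parameters" or "no parameters")
end
```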

