Nmap Development mailing list archives
Re: [NSE] new script - http-vlc
From: David Fifield <david () bamsoftware com>
Date: Fri, 7 Sep 2012 07:46:44 -0700
On Fri, Jul 27, 2012 at 12:38:09PM -0700, David Fifield wrote:
On Thu, Jul 26, 2012 at 05:25:46AM -0700, Alex Weber wrote:Hi list, https://raw.github.com/AlexWebr/nse/master/http-vlc.nse Looks for VLC with an open web interface and tries to get the title/artist of the currently playing media. Also detects an old VLC bug - in version 1.* (fixed now), if you enabled web access, the default access list specified local connections only, but the (XML) API was still accessible remotely. -- @output -- PORT STATE SERVICE -- 80/tcp open http -- 8080/tcp open http-proxy -- | http-vlc: -- | VLC web interface (XML API) found -- | Old/insecure version of VLC! XML API access available, -- | even though web interface is configured for local access only. -- |_ -> Nothing playing right now Comments welcome - this was written at 3am, and could very well be unneeded/stupid/incomplete.Hi Alex, thanks for this script. I'm curious to see what the above output looks like in addition to version detection (-sV)?
This script isn't working for me with VLC 2.0.3. I started it like this: $ vlc --extraintf http VLC media player 2.0.3 Twoflower (revision 2.0.2-93-g77aa89e) [0x9bb108] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. [0xa87168] [http] lua interface: Lua HTTP interface The script is looking for XML like this: <title><![CDATA[...]]></title> But I get this from /requests/status.xml: <info name='title'>...</info> I also think it's a bit confusing the way this script is doing two things. 1. It retrieves /requests/status.xml to extract "now playing" from the XML. 2. If (1) succeeds, then it additionally retrieves /; if the first HTTP request works but the second fails, we notify of a VLC bug. The "now playing" is reasonable enough for a script. The access permission bug should be a separate script, I think, but only if it's important enough to have had a vulnerability advisory. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] new script - http-vlc Alex Weber (Jul 26)
- Re: [NSE] new script - http-vlc David Fifield (Jul 27)
- Re: [NSE] new script - http-vlc David Fifield (Sep 07)
- Re: [NSE] new script - http-vlc Alex Weber (Sep 07)
- Re: [NSE] new script - http-vlc David Fifield (Sep 07)
- Re: [NSE] new script - http-vlc David Fifield (Jul 27)