Nmap Development mailing list archives

Re: [NSE] False positive - http-huawei-hg5xx-vuln.nse


From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 08 Jul 2012 07:42:17 -0500

On 7/3/2012 9:10 PM, tom () fadedcode net wrote:
The script - http-huawei-hg5xx-vuln.nse [1] - detects a vulnerability in Huawei modems and also performs service detection by checking the response to certain HTTP queries.
A false positive is generated when it scans an HTTP server that returns a 200 response code to every request.  Certain devices, such as Cisco ASAs and some Oracle httpd services, tend to do this.  You can test this by scanning the HTTPS port on a Cisco ASA that is providing SSL VPN service.  You can find a couple of these to test with using a Google search [2].

I have attached a patch that will use the http library's identify_404 function and detect httpds that respond with 200 when queried for non-existent documents.  There are a couple of other scripts [3] that have a similar problem and I will fix them if the patch passes review.

Thanks much,

Tom Sellers


1. http://nmap.org/nsedoc/scripts/http-huawei-hg5xx-vuln.html
2. allintitle: "SSL VPN Service"
3. http-cakephp-version,  http-malware-host,  http-method-tamper


I have committed the changes to:

http-cakephp-version
http-default-accounts
https-huawei-hg5xx-vuln  ( adjusted again for output consistency )
http-malware-hosts
http-method-tamper
membase-http-info
riak-http-info


The change reduces network traffic, false positives, invalid credentials and script output.  In my case it restores the ability to search script output when searching data generated against 100k hosts.

Thanks much,

Tom Sellers
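
The baseline check described in this message, as an added Python sketch that is not part of the original post and is not Nmap's http library code: learn how the server answers paths that cannot exist, then count a 200 only when its body differs from that answer. The `fetch` callables, the stand-in servers and the `PROBE` path are constructed for illustration.

```python
import hashlib
import itertools
import re
import secrets

def fingerprint(body):
    # Drop digits and whitespace so counters or timestamps do not change the hash.
    return hashlib.sha256(re.sub(r"[\d\s]+", "", body).encode()).hexdigest()

def learn_baseline(fetch):
    """Request two random, nonexistent paths and learn the server's 'not found' answer.

    Returns (usable, soft404): usable is False when the answers are inconsistent;
    soft404 is None for a non-200 status, else the fingerprint of the 200 page."""
    answers = [fetch("/" + secrets.token_hex(12)) for _ in range(2)]
    statuses = {status for status, _ in answers}
    if len(statuses) != 1:
        return False, None
    if statuses != {200}:
        return True, None
    prints = {fingerprint(body) for _, body in answers}
    if len(prints) != 1:
        return False, None          # 200 with unrelated bodies: cannot tell pages apart
    return True, prints.pop()

def page_exists(fetch, path, soft404):
    """A 200 only counts when the body differs from the learned soft-404 page."""
    status, body = fetch(path)
    if status != 200:
        return False
    return soft404 is None or fingerprint(body) != soft404

def check(fetch, path):
    usable, soft404 = learn_baseline(fetch)
    if not usable:
        return "skipped: cannot identify a not-found response"
    return "found" if page_exists(fetch, path, soft404) else "not found"

# Constructed stand-ins for real HTTP targets; each maps a path to (status, body).
def catch_all_server():
    hits = itertools.count(1)
    return lambda path: (200, "<html>Portal login, request %d</html>" % next(hits))

def normal_server(pages):
    return lambda path: (200, pages[path]) if path in pages else (404, "Not Found")

PROBE = "/constructed/probe.cfg"    # hypothetical path, not the script's real request

if __name__ == "__main__":
    print(check(catch_all_server(), PROBE))
    print(check(normal_server({PROBE: "user=admin"}), PROBE))
```

A server whose answers to nonexistent paths are inconsistent is skipped rather than reported, which is what keeps output searchable across large scans.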