Nmap Development mailing list archives
Call for testing: httpd.lua, an Ncat's --lua-exec script
From: Jacek Wielemborek <wielemborekj1 () gmail com>
Date: Wed, 4 Sep 2013 17:56:30 +0200
Hi guys,

Yesterday I finally merged the httpd.lua server into Ncat SVN trunk. httpd.lua is a tiny HTTP server that makes use of the --lua-exec feature introduced in the recently released Ncat 6.40. You can use it to easily share files on the network and with Ncat's built-in SSL, it can run HTTPS as well. Here are its features:

* Supports basic GET requests within the script's working directory,
* Lets you easily add your MIME types based on filename extensions (currently only recognizes HTML files),
* Correctly handles URL-encoded filenames,
* Protects against directory traversal attacks,
* Protects against attacks involving overlong UTF-8 sequences

...all that in just 318 lines of code (including quite a lot of comments and blanks). Note that it doesn't support indexing, because it was impossible to implement it in a portable way in Lua without adding external dependencies.

To run this script, use Ncat's --lua-exec functionality like this:

    ncat --lua-exec httpd.lua --listen

Note that you need Ncat 6.40 or later (for example, SVN trunk) for that to work.

Although me and David did quite a lot of experimenting to make it secure, it would definitely use some testing. This is why I'd like you guys to try some tricks to make sure you can't perform path traversal or some other nasty attack. Windows testers are welcome too; I'm not sure if the resource validation is perfect there since I don't know this OS that well. Also, please try copying some weird binary and/or large files and check their MD5 sums. I expect it all to be fine, though.

As always, feedback is more than welcome! :)

Yours,
Jacek Wielemborek

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
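
The order of checks behind the last three features listed in the message (decode percent-escapes first, then require strict UTF-8, then resolve path segments) can be sketched as follows. This is an added example, not httpd.lua's code and not part of the original post; the function names are hypothetical, and treating a backslash as a path separator is an assumption made here for Windows hosts.

```lua
-- Added example (not httpd.lua's code); all function names are hypothetical.
-- Percent-decode s; returns nil if a '%' is not followed by two hex digits.
local function url_decode(s)
  if s:gsub("%%%x%x", ""):find("%", 1, true) then return nil end
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- Strict UTF-8 check: rejects overlong forms, surrogates and values > U+10FFFF.
local function is_strict_utf8(s)
  local i = 1
  while i <= #s do
    local b, len, min, cp = s:byte(i)
    if b < 0x80 then len, min, cp = 1, 0, b
    elseif b >= 0xC2 and b <= 0xDF then len, min, cp = 2, 0x80, b - 0xC0
    elseif b >= 0xE0 and b <= 0xEF then len, min, cp = 3, 0x800, b - 0xE0
    elseif b >= 0xF0 and b <= 0xF4 then len, min, cp = 4, 0x10000, b - 0xF0
    else return false end -- stray continuation byte, 0xC0/0xC1 lead, or 0xF5+
    for k = 1, len - 1 do
      local c = s:byte(i + k)
      if not c or c < 0x80 or c > 0xBF then return false end
      cp = cp * 64 + (c - 0x80)
    end
    if cp < min or cp > 0x10FFFF or (cp >= 0xD800 and cp <= 0xDFFF) then return false end
    i = i + len
  end
  return true
end

-- Map a request target to a path relative to the served directory, or nil + reason.
local function resolve(target)
  local decoded = url_decode(target:match("^[^?#]*")) -- drop query and fragment
  if not decoded then return nil, "malformed percent-escape" end
  if decoded:find("\0", 1, true) then return nil, "NUL byte" end
  if not is_strict_utf8(decoded) then return nil, "invalid or overlong UTF-8" end
  if decoded:sub(1, 1) ~= "/" then return nil, "not an absolute path" end
  local parts = {}
  for seg in decoded:gmatch("[^/\\]+") do -- '\' also splits (assumption, for Windows)
    if seg == ".." then
      if #parts == 0 then return nil, "leaves the served directory" end
      parts[#parts] = nil
    elseif seg ~= "." then
      parts[#parts + 1] = seg
    end
  end
  return table.concat(parts, "/")
end

-- Constructed request targets, not taken from the post.
local samples = { "/docs/a%20b.html", "/a/../b.txt", "/%2e%2e/x", "/%c0%ae%c0%ae/x", "/x%zz" }
for _, t in ipairs(samples) do print(t, resolve(t)) end
```

Validation runs on the decoded bytes, so an escaped or overlong spelling of a dot or slash is rejected or normalized before any segment is compared against "..".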