Nmap Development mailing list archives

Re: [nse] #212 - http.get_url makes plain text request for HTTPS urls


From: jah <jah () zadkiel plus com>
Date: Fri, 18 Sep 2015 15:58:53 +0100

On 18/09/15 05:19, Daniel Miller wrote:
> jah,
>
> Thanks for the report. Very thorough! I added port.state = "open" to get_url in r35251. I think this is enough to fix
> the issue. We can do an audit later to determine if any other scripts or functions pass a constructed port table
> without a state to comm.tryssl or shortport.ssl.
>
> Dan
Dan,

I wasn't thorough enough!  It turns out that port.protocol is also necessary for shortport.ssl to perform its tests. 
Specifically, it needs either {number, protocol and state} or {service, protocol and state}.

When comm.bestoption is supplied with a numeric port argument, it will construct a port table for shortport.ssl on 
which it sets some default values: protocol="tcp", state="open" and version={}.

The attached extends comm.bestoption to do a similar thing when the port arg is a table. Specifically it makes a 
partial copy of the port table and provides default values for state, protocol and version in the same way as for 
numerical port args.

The patch also reverts r35251 so that comm.bestoption would be solely responsible for coercing a port for testing by 
shortport.ssl. I've tested the patch and can confirm the changes prevent the plaintext request for HTTPS urls.

jah

Attachment: nselib-ssl.patch
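The message above describes the shape shortport.ssl needs (number or service, plus protocol and state) and the defaults comm.bestoption fills in for a numeric port argument. The following stand-alone Lua is an added illustration of that coercion, not code from the attached patch or from Nmap's nselib: the function names coerce_port and ssl_port_ok are assumptions for this example, and the sample inputs are constructed to mirror the report (a port table carrying only a number, as the plaintext-request case; a numeric argument; a table with caller-supplied values). It runs under a plain Lua interpreter with no Nmap dependency.

```lua
-- Added example, not Nmap's own code.  coerce_port and ssl_port_ok are
-- assumed names standing in for the logic the message attributes to
-- comm.bestoption and shortport.ssl respectively.

-- What shortport.ssl needs before it can test a port:
-- {number or service} together with protocol and state.
local function ssl_port_ok(port)
  if type(port) ~= "table" then return false, "port is not a table" end
  if port.number == nil and port.service == nil then
    return false, "missing number and service"
  end
  if port.protocol == nil then return false, "missing protocol" end
  if port.state == nil then return false, "missing state" end
  return true
end

-- Coercion as the message describes it: a numeric argument becomes a fresh
-- table with protocol="tcp", state="open", version={}; a table argument is
-- partially copied and given the same defaults only where the caller left a
-- field out.  The caller's table is never mutated.
local function coerce_port(port)
  local p = {}
  if type(port) == "number" then
    p.number = port
  elseif type(port) == "table" then
    for _, k in ipairs({ "number", "service", "protocol", "state", "version" }) do
      p[k] = port[k]
    end
  else
    error("port must be a number or a table, got " .. type(port))
  end
  p.protocol = p.protocol or "tcp"
  p.state    = p.state    or "open"
  p.version  = p.version  or {}
  return p
end

-- Constructed input 1: a port table with only a number, modelled on the
-- report.  Without coercion shortport.ssl cannot evaluate it.
local bare = { number = 443 }
assert(not ssl_port_ok(bare))
local fixed = coerce_port(bare)
assert(ssl_port_ok(fixed))
assert(fixed.number == 443 and fixed.protocol == "tcp" and fixed.state == "open")
assert(bare.state == nil and bare.protocol == nil)   -- original left untouched

-- Constructed input 2: a numeric argument gets the same defaults.
local n = coerce_port(8443)
assert(n.number == 8443 and ssl_port_ok(n) and type(n.version) == "table")

-- Constructed input 3: caller-supplied fields are kept, service-only is enough.
local svc = coerce_port({ service = "https", protocol = "udp", state = "open|filtered" })
assert(svc.number == nil and ssl_port_ok(svc))
assert(svc.protocol == "udp" and svc.state == "open|filtered")

-- A non-port argument is rejected rather than silently defaulted.
assert(not pcall(coerce_port, "443"))

print("all port-coercion checks passed")
```

The check in ssl_port_ok is the part worth keeping in mind when auditing other callers: a port table that merely looks complete (it has a number) still fails the service/protocol/state test, and a caller that constructs its own table, as get_url does, has to go through the coercion path rather than rely on shortport.ssl defaulting anything.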

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
