Nmap Development mailing list archives
Re: NSE script: HTTP Internal IP Address Disclosure
From: Patrick Donnelly <batrick () batbytes com>
Date: Wed, 8 Jun 2016 19:20:50 -0400
On Tue, Jun 7, 2016 at 9:05 PM, Patrick Donnelly <batrick () batbytes com> wrote:
On Wed, Jun 1, 2016 at 11:38 AM, Josh Amishav-Zlatin <jamuse () gmail com> wrote:On Tue, May 31, 2016 at 4:44 AM, Patrick Donnelly <batrick () batbytes com> wrote:Hi Josh, On Mon, May 30, 2016 at 6:12 AM, Josh Amishav-Zlatin <jamuse () gmail com> wrote:I attached an NSE script that checks if the remote web server discloses its internal IP address when sending an HTTP/1.0 request without a Host header. While this is a common issue for certain unpatched versions of IIS, other misconfigured web servers can be vulnerable a well.Interesting script idea! Few comments:Hi Patrick, Thanks for the feedback! I made the changes you suggested and attached the updated version. Note, I kept the 'redirectIP' and 'privateIP' variables globally scoped in the generateHttpV1_0Req function, let me know if you see a way to narrow their scope.Josh, I'm planning to merge your script with a few minor modifications soon. Right now I'm fighting with cloning nmap with git+svn (been a while since I've committed!).
Thanks again for your contribution Josh! Committed in r35846. -- Patrick Donnelly _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE script: HTTP Internal IP Address Disclosure Josh Amishav-Zlatin (May 30)
- Re: NSE script: HTTP Internal IP Address Disclosure Patrick Donnelly (May 30)
- Re: NSE script: HTTP Internal IP Address Disclosure Josh Amishav-Zlatin (Jun 01)
- Re: NSE script: HTTP Internal IP Address Disclosure Patrick Donnelly (Jun 07)
- Re: NSE script: HTTP Internal IP Address Disclosure Patrick Donnelly (Jun 08)
- Re: NSE script: HTTP Internal IP Address Disclosure Josh Amishav-Zlatin (Jun 09)
- Re: NSE script: HTTP Internal IP Address Disclosure Patrick Donnelly (Jun 09)
- Re: NSE script: HTTP Internal IP Address Disclosure Josh Amishav-Zlatin (Jun 01)
- Re: NSE script: HTTP Internal IP Address Disclosure Patrick Donnelly (May 30)