Re: hexify() problem in http-passwd.nse

[Joao Correa <joao () livewire com br>]

I've just realized that the script is for trying to retrieve the
passwd file using the path as a parameter to a web page (described as
<code>/etc/passwd</code> on the comments) and not directly as a URI,
making necessary the use of hexed chars.

Sorry about the previous e-mail.
João Correa

On Sat, May 30, 2009 at 5:41 AM, Joao Correa <joao () livewire com br> wrote:
> Hello guys,
>
> I've been testing the script http-passwd.nse and I've found the
> following problem:
>
> The script uses a function called hexify to transform the address into
> a URI encoded address, including transformations to the "/" (slashes),
> making it something like "www.address.com%2F%2Fetc%22Fpasswd" . I've
> noticed that the apache server where I've been making tests was always
> returning 404 error to such request. I've removed the hexify function,
> and the script started working perfectly.
>
> I believe that such request (with hexed "/") was valid somewhere ago
> in time and was not recently tested, or is valid in another web
> server, what justifies the use of the hex function. Anyway, according
> to RFC 3986 [1], that dates from 2005, the substitution of %2F (hex
> encoding of "/") is not equivalent to /, since it is a reserved
> character.
>
> In time, setting the hexify function to replace "/" for %252f make it
> work fine again. Anyway %25 means "%" and I think that such
> substitution is quite redundant.
>
> I'm thinking about removing the hexify function from the scripts, but
> I don't know if it will affect any other web server.
>
> Do someone uses this script daily or in a different web server and
> have any consideration?
>
> Thank you!
> João Correa
>
> [1] - http://tools.ietf.org/html/rfc3986#section-2.2

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org