Re: NSE Script http-methods.nse

[Patrik Karlsson <patrik () cqure net>]

On 23 feb 2010, at 17.40, David Fifield wrote:

> On Tue, Feb 23, 2010 at 02:00:28PM +0100, Patrik Karlsson wrote:
> > I just ran the script against an IIS 6.0 of mine and noticed that it wasn't detecting PUT which I had enabled.
> > The reason for this is that PUT appears in the Public HTTP header rather than in the Allow header.
> >
> > In my case the response to the OPTIONS request looks like this:
> > HTTP/1.1 200 OK
> > Connection: close
> > Date: Tue, 23 Feb 2010 12:45:47 GMT
> > Server: Microsoft-IIS/6.0
> > X-Powered-By: ASP.NET
> > MS-Author-Via: DAV
> > Content-Length: 0
> > Accept-Ranges: none
> > DASL: <DAV:sql>
> > DAV: 1, 2
> > Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
> > Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
> > Cache-Control: private
> >
> > Here's some more info on the Public header:
> > http://www.w3.org/Protocols/HTTP/Object_Headers.html#public
> >
> > Maybe the contents of the Public and Allow headers should be merged?
>
> RFC 2616, the definition of HTTP/1.1, says in section 19.6.3,
>
>       The Alternates, Content-Version, Derived-From, Link, URI, Public
>       and Content-Base header fields were defined in previous versions
>       of this specification, but not commonly implemented. See RFC 2068.
>
> RFC 2068, which is an earlier draft of RFC 2616, says this about Public
> in section 14.35
>
>       The Public response-header field lists the set of methods
>       supported by the server. The purpose of this field is strictly to
>       inform the recipient of the capabilities of the server regarding
>       unusual methods. The methods listed may or may not be applicable
>       to the Request-URI; the Allow header field (section 14.7) MAY be
>       used to indicate methods allowed for a particular URI.
>
> So yes, I think it's a good idea to merge the fields. It should have a
> comment saying that Public was withdrawn in RFC 2616, but is implemented
> by at least IIS 6.0.
>
> Out of curiosity, what does this server return for the request
>
> OPTIONS * HTTP/1.0

An identical public and allow line it appears:

OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Feb 2010 17:58:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/