Nmap Development mailing list archives

RE: http-php-version output


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Fri, 26 Nov 2010 19:03:52 -0000

Thanks to both of you for your feedback! I've updated the script and will
commit it shortly.

I've attached a file with all the hashes that were generated, in case anyone
wants to go back and verify something. I started with IIS 7.5 using FastCGI.
Versions prior to 5.2.1 didn't seem too happy with IIS 7.5 so to save time I
quickly moved to Apache 2.0 with PHP as CGI.

I have concerns over some of the remaining hashes, particularly 4.3.1
against the bunny rabbit logo (as it should fall into the brown dog in grass
logo range). The only place I've seen it mentioned is at
http://webinfopedia.blogspot.com/2007/11/php-easter-egg.html where the
person admits it's not taken from their server (so I presume it could be
wrong/spoofed). Is it worth me tidying up the logo hashes based on the
0php.com info?

Also, it seems that PHP4u 3.0 is based on PHP 4.3.2. Is it worth keeping the
PHP4u variant? Or can we let it match against 4.3.2?

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Gutek
Sent: 25 November 2010 17:24
To: Rob Nicholls
Cc: nmap-dev () insecure org
Subject: Re: http-php-version output


On 25/11/2010 16:08, Rob Nicholls wrote:
I'm slowly working my way through every version of PHP 5 on Windows 
(just the 5.3.x variants left now!) to generate some new hashes for the
script.
This has led to quite a few "duplicate" values because we're also 
listing OS specific variants such as "5.2.4-2ubuntu5.10" and 
"5.2.12-0dotdeb.1" when there's already an existing value of "5.2.4" 
and "5.2.9 - 5.2.14" against exactly the same respective hashes.

Would it be okay to ditch the OS variant? Would people be happy 
knowing that it matches a particular version of PHP rather than 
5.2.4.%everyLinuxVariantSomeoneSpots%?

For example, I'd change:

["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0", "5.2.0-8-etch13 - 
5.2.0-8-etch16"}, to ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"},

I don't think we've lost anything by removing it. We certainly don't 
gain anything, except perhaps confusion (especially when testing a 
Windows host), by having the Debian variant listed.

Also, would people find it more useful having:

{"5.2.9 - 5.2.14"}
Or
{"5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14"}

I think that's the worst case example if they're expanded.

I don't particularly like the idea of 5.2.x as it feels vague (I know 
that more specific, typically lower, versions are detected due to 
their different hashes). Grouping them together works, but the script 
inconsistently uses dashes and "to" - I propose replacing them all 
with dashes if we go this route, which is more consistent with Nmap's 
OS detection, e.g. "Linux 2.6.13 - 2.6.31".

Having all of the version numbers listed separately could be useful 
for people that want to look up known vulnerabilities in specific 
versions, without having to parse "4.4.2 - 4.4.4" to spot "4.4.3" in the
middle.

I'm leaning towards grouping them though. Thoughts?

Rob


_______________________________________________
Sent through the nmap-dev mailing list 
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

I totally agree. The fact is that, when I wrote this script, I've collected
the first fingerprints by -iR on hundreds of thousands of hosts:
installing every PHP version sounded too loooong for a first release with
an acceptable bunch of fingerprints. A great thanks for the job you're doing
here!

The explanation about the different distribution versions is exactly the
one David gives and, of course, I think they should be removed once a given
fingerprint is proved to be a common one.

And I also think that "5.2.9 - 5.2.14" should be a standard format (once a
given fingerprint is also proved to cover the whole sub-version range).
Having the sub-version numbers "dashed" or listed is, I think, the same for
a future script or derived tool: with a range, and if the dash notation is
the standard, a little mathematics and a loop make it easy to retrieve the
list.

Thanks again!

A.G.

Attachment: php-5-hashes.txt

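The dash-notation ranges discussed above, expanded with "a little mathematics and a loop" the way A.G. suggests, as an added example in Lua (the language of NSE scripts) that is not part of http-php-version or of either mail; the table mirrors the script's md5-to-versions shape from Rob's message, and the second hash is a constructed placeholder.

```lua
-- Added example, not code from http-php-version or from this thread.
-- Table shape follows the script: md5 string -> list of version strings.
local fingerprints = {
  ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"},           -- from the thread
  ["PLACEHOLDER_MD5_FOR_RANGE_EXAMPLE"] = {"5.2.9 - 5.2.14"}, -- constructed
}
-- Split "A.B.C" into three numbers; returns nil for distro-style strings
-- such as "5.2.4-2ubuntu5.10", which the thread proposes dropping anyway.
local function parse_version(s)
  local major, minor, patch = s:match("^(%d+)%.(%d+)%.(%d+)$")
  if not major then return nil end
  return tonumber(major), tonumber(minor), tonumber(patch)
end
-- Expand "A.B.C - A.B.D" (the dash notation proposed as the standard) into
-- {"A.B.C", ..., "A.B.D"}. A plain version comes back as a one-item list.
-- Ranges that cross a minor branch or run backwards are refused, since the
-- script never claims every version between two branches was tested.
local function expand_range(entry)
  local lo, hi = entry:match("^(%S+)%s+%-%s+(%S+)$")
  if not lo then return {entry} end
  local ma1, mi1, p1 = parse_version(lo)
  local ma2, mi2, p2 = parse_version(hi)
  if not (ma1 and ma2) or ma1 ~= ma2 or mi1 ~= mi2 or p1 > p2 then
    return nil, "unsupported range: " .. entry
  end
  local out = {}
  for p = p1, p2 do
    out[#out + 1] = string.format("%d.%d.%d", ma1, mi1, p)
  end
  return out
end
-- Every explicit version a hash maps to, duplicates removed, so a consumer
-- can look versions up one by one without parsing the range text itself.
local function versions_for_hash(db, md5)
  local entries = db[md5]
  if not entries then return nil, "unknown fingerprint" end
  local all, seen = {}, {}
  for _, entry in ipairs(entries) do
    local list, err = expand_range(entry)
    if not list then return nil, err end
    for _, v in ipairs(list) do
      if not seen[v] then seen[v] = true; all[#all + 1] = v end
    end
  end
  return all
end
print(table.concat(versions_for_hash(fingerprints, "PLACEHOLDER_MD5_FOR_RANGE_EXAMPLE"), ", "))
```

A distro-tagged range such as "5.2.0-8-etch13 - 5.2.0-8-etch16" is rejected rather than expanded, which matches the thread's view that such entries add confusion without adding information.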