Nmap Development mailing list archives

Re: http-php-version output


From: Gutek <ange.gutek () gmail com>
Date: Thu, 25 Nov 2010 18:24:19 +0100


On 25/11/2010 16:08, Rob Nicholls wrote:
I'm slowly working my way through every version of PHP 5 on Windows (just
the 5.3.x variants left now!) to generate some new hashes for the script.
This has led to quite a few "duplicate" values because we're also listing OS
specific variants such as "5.2.4-2ubuntu5.10" and "5.2.12-0dotdeb.1" when
there's already an existing value of "5.2.4" and "5.2.9 - 5.2.14" against
exactly the same respective hashes.

Would it be okay to ditch the OS variant? Would people be happy knowing that
it matches a particular version of PHP rather than
5.2.4.%everyLinuxVariantSomeoneSpots%?

For example, I'd change:

["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0", "5.2.0-8-etch13 -
5.2.0-8-etch16"},
to
["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"},

I don't think we've lost anything by removing it. We certainly don't gain
anything, except perhaps confusion (especially when testing a Windows host),
by having the Debian variant listed.

Also, would people find it more useful having:

{"5.2.9 - 5.2.14"}
Or
{"5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14"}

I think that's the worst case example if they're expanded.

I don't particularly like the idea of 5.2.x as it feels vague (I know that
more specific, typically lower, versions are detected due to their different
hashes). Grouping them together works, but the script inconsistently uses
dashes and "to" - I propose replacing them all with dashes if we go this
route, which is more consistent with Nmap's OS detection, e.g. "Linux 2.6.13
- 2.6.31".

Having all of the version numbers listed separately could be useful for
people that want to look up known vulnerabilities in specific versions,
without having to parse "4.4.2 - 4.4.4" to spot "4.4.3" in the middle.

I'm leaning towards grouping them though. Thoughts?

Rob


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

I totally agree. The fact is that, when I wrote this script, I collected
the first fingerprints by running -iR on hundreds of thousands of hosts:
installing every PHP version sounded too loooong for a first release
with an acceptable bunch of fingerprints. A great thanks for the job
you're doing here!

The explanation of the different distribution versions is exactly the
one David gives and, of course, I think they should be removed once a
given fingerprint is proved to be a common one.

And I also think that "5.2.9 - 5.2.14" should be a standard format (once
a given fingerprint is also proved to cover the whole subversion range).
Having the subversion numbers "dashed" or listed is, I think, the same
for a future script or derived tool: with a range, and if the dash
notation is the standard, a little mathematics and a loop make it easy
to retrieve the list.

Thanks again!

A.G.
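Gutek's point that a dash-notation range plus "a little mathematics and a loop" gives back the explicit version list, as an added example that is not the http-php-version script's own code (Python rather than the script's Lua, in the spirit of the derived tool he mentions): it expands both the dash form and the "to" form Rob says the script mixes, and looks a fingerprint up in a table laid out like the script's. The one real hash-to-version entry is the one quoted in the thread; the other table entries are constructed placeholders, and treating the 32-hex-digit fingerprints as MD5 is an assumption.

```python
import hashlib
import re

# Range notation from the fingerprint table, e.g. "5.2.9 - 5.2.14", plus the
# older "4.4.2 to 4.4.4" spelling. Only the last component may vary.
RANGE_RE = re.compile(r'^\s*(\d+(?:\.\d+)*)\s*(?:-|to)\s*(\d+(?:\.\d+)*)\s*$')


def expand_range(spec):
    """Expand "5.2.9 - 5.2.14" to ["5.2.9", ..., "5.2.14"]; a plain version
    (or anything that is not a simple range) comes back as a one-item list."""
    m = RANGE_RE.match(spec)
    if not m:
        return [spec.strip()]
    lo = [int(x) for x in m.group(1).split('.')]
    hi = [int(x) for x in m.group(2).split('.')]
    # Refuse ranges such as "5.2.9 - 5.3.1": the loop below only counts the
    # last component, so the prefixes must agree and the range must not be reversed.
    if len(lo) != len(hi) or lo[:-1] != hi[:-1] or lo[-1] > hi[-1]:
        raise ValueError('range must vary only in its last component: %r' % spec)
    prefix = '.'.join(str(x) for x in lo[:-1])
    return ['%s.%d' % (prefix, n) if prefix else str(n)
            for n in range(lo[-1], hi[-1] + 1)]


# Table in the script's shape: fingerprint hash -> list of version specs.
FINGERPRINTS = {
    # Real entry from the thread, with the Debian variant dropped as Rob proposes.
    '6a1c211f27330f1ab602c7c574f3a279': ['5.2.0'],
    # Constructed placeholder entries for this example, not real fingerprints.
    '00000000000000000000000000000001': ['5.2.9 - 5.2.14'],
    '00000000000000000000000000000002': ['4.4.2 to 4.4.4'],
}


def versions_for_hash(fp_hex):
    """Every exact version a fingerprint can correspond to, ranges expanded."""
    out = []
    for spec in FINGERPRINTS.get(fp_hex.lower(), []):
        out.extend(expand_range(spec))
    return out


def versions_for_body(body):
    """Hash a fetched image body (bytes) and look it up; MD5 is assumed here."""
    return versions_for_hash(hashlib.md5(body).hexdigest())


def is_candidate(fp_hex, version):
    """True if `version` is among the fingerprint's candidates, so a reader
    need not parse "4.4.2 - 4.4.4" by eye to spot "4.4.3" in the middle."""
    return version in versions_for_hash(fp_hex)
```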

