Nmap Development mailing list archives
Re: http-php-version output
From: Gutek <ange.gutek () gmail com>
Date: Thu, 25 Nov 2010 18:24:19 +0100
On 25/11/2010 16:08, Rob Nicholls wrote:
> I'm slowly working my way through every version of PHP 5 on Windows (just the 5.3.x variants left now!) to generate some new hashes for the script. This has led to quite a few "duplicate" values because we're also listing OS specific variants such as "5.2.4-2ubuntu5.10" and "5.2.12-0dotdeb.1" when there's already an existing value of "5.2.4" and "5.2.9 - 5.2.14" against exactly the same respective hashes.
>
> Would it be okay to ditch the OS variant? Would people be happy knowing that it matches a particular version of PHP rather than 5.2.4.%everyLinuxVariantSomeoneSpots%? For example, I'd change:
>
>     ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0", "5.2.0-8-etch13 - 5.2.0-8-etch16"},
>
> to
>
>     ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"},
>
> I don't think we've lost anything by removing it. We certainly don't gain anything, except perhaps confusion (especially when testing a Windows host), by having the Debian variant listed.
>
> Also, would people find it more useful having:
>
>     {"5.2.9 - 5.2.14"}
>
> Or
>
>     {"5.2.9", "5.2.10", "5.2.11", "5.2.12", "5.2.13", "5.2.14"}
>
> I think that's the worst case example if they're expanded. I don't particularly like the idea of 5.2.x as it feels vague (I know that more specific, typically lower, versions are detected due to their different hashes). Grouping them together works, but the script inconsistently uses dashes and "to" - I propose replacing them all with dashes if we go this route, which is more consistent with Nmap's OS detection, e.g. "Linux 2.6.13 - 2.6.31".
>
> Having all of the version numbers listed separately could be useful for people that want to look up known vulnerabilities in specific versions, without having to parse "4.4.2 - 4.4.4" to spot "4.4.3" in the middle. I'm leaning towards grouping them though.
>
> Thoughts?
>
> Rob
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
I totally agree. The fact is that, when I wrote this script, I collected the first fingerprints by scanning hundreds of thousands of hosts with -iR: installing every PHP version sounded too long for a first release with an acceptable bunch of fingerprints. Many thanks for the job you're doing here!

The explanation about the different distribution versions is exactly the one David gives and, of course, I think they should be removed once a given fingerprint is proved to be a common one.

And I also think that "5.2.9 - 5.2.14" should be a standard format (once a given fingerprint is also proved to cover the whole sub-version range). Having the sub-version numbers "dashed" or listed is, I think, the same for a future script or derived tool: with a range, and if the dash notation is the standard, a little mathematics and a loop make it easy to retrieve the list.

Thanks again!

A.G.
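The "little mathematics and a loop" Gutek refers to, worked through as an added example (this is not the http-php-version script's own code, which is Lua; Python is used here so the logic is easy to run stand-alone). It expands a dashed or "to" range such as "5.2.9 - 5.2.14" into the individual releases so a consumer can ask whether a hash covers "4.4.3" without parsing "4.4.2 - 4.4.4" by eye, refuses ranges whose endpoints differ in anything but the last component (the intermediate releases are not knowable from the endpoints alone), and drops distribution-suffixed entries such as "5.2.4-2ubuntu5.10" when the bare upstream version is already listed, as Rob proposes. The table below is constructed to mirror the shape of the script's entries; apart from the one MD5 quoted in Rob's message, its hash values are placeholders, not real fingerprints.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the script's hash -> versions table.
# Only the first digest is quoted on the page; the others are placeholders.
SAMPLE_TABLE: Dict[str, List[str]] = {
    "6a1c211f27330f1ab602c7c574f3a279": ["5.2.0", "5.2.0-8-etch13 - 5.2.0-8-etch16"],
    "00000000000000000000000000000001": ["5.2.9 - 5.2.14", "5.2.12-0dotdeb.1"],
    "00000000000000000000000000000002": ["4.4.2 to 4.4.4"],
    "00000000000000000000000000000003": ["5.2.4", "5.2.4-2ubuntu5.10"],
}

# "A - B" or "A to B"; the script mixes both separators, so accept either.
RANGE_RE = re.compile(r"^\s*(\S+)\s+(?:-|to)\s+(\S+)\s*$")
# A bare upstream version: dotted integers, no packaging suffix.
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def expand_range(entry: str) -> List[str]:
    """Expand a range entry into every release it covers, inclusive.

    Non-range entries are returned unchanged. Only the last numeric
    component may differ between the endpoints: "5.2.14 - 5.3.0" is
    refused because the releases in between cannot be derived.
    """
    m = RANGE_RE.match(entry)
    if not m:
        return [entry.strip()]
    lo, hi = m.group(1), m.group(2)
    if not (VERSION_RE.match(lo) and VERSION_RE.match(hi)):
        raise ValueError(f"range endpoints must be bare dotted versions: {entry!r}")
    lo_parts = [int(p) for p in lo.split(".")]
    hi_parts = [int(p) for p in hi.split(".")]
    if len(lo_parts) != len(hi_parts) or lo_parts[:-1] != hi_parts[:-1]:
        raise ValueError(f"range crosses a minor/major boundary: {entry!r}")
    if lo_parts[-1] > hi_parts[-1]:
        raise ValueError(f"range is reversed: {entry!r}")
    prefix = ".".join(str(p) for p in lo_parts[:-1])
    return [f"{prefix}.{n}" if prefix else str(n)
            for n in range(lo_parts[-1], hi_parts[-1] + 1)]


def strip_distro_variants(entries: List[str]) -> List[str]:
    """Drop "5.2.4-2ubuntu5.10"-style entries (and distro-suffixed ranges)
    whose upstream version is already covered by a bare entry or bare range."""
    bare = set()
    for e in entries:
        try:
            bare.update(v for v in expand_range(e) if VERSION_RE.match(v))
        except ValueError:
            pass  # distro-suffixed range; it can never contribute bare versions
    kept = []
    for e in entries:
        m = RANGE_RE.match(e)
        first = m.group(1) if m else e.strip()
        upstream = first.split("-")[0]  # "5.2.4-2ubuntu5.10" -> "5.2.4"
        if upstream != first and upstream in bare:
            continue
        kept.append(e)
    return kept


def versions_for_hash(table: Dict[str, List[str]], digest: str) -> List[str]:
    """All individual releases a fingerprint hash maps to, in table order."""
    out: List[str] = []
    for entry in strip_distro_variants(table.get(digest, [])):
        for v in expand_range(entry):
            if v not in out:
                out.append(v)
    return out


def hash_matches_version(table: Dict[str, List[str]], digest: str, version: str) -> bool:
    """True if `version` (e.g. "4.4.3") is inside the hash's listed range."""
    return version in versions_for_hash(table, digest)


if __name__ == "__main__":
    for digest, entries in SAMPLE_TABLE.items():
        print(digest, entries, "->", versions_for_hash(SAMPLE_TABLE, digest))
```

The boundary check is the caveat worth keeping: a range like "5.2.14 - 5.3.0" looks plausible but a consumer expanding it would have to invent how many 5.2.x releases exist, so the function refuses rather than guess.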
Current thread:
- http-php-version output Rob Nicholls (Nov 26)
- Re: http-php-version output Gutek (Nov 26)
- RE: http-php-version output Rob Nicholls (Nov 26)
- Re: http-php-version output David Fifield (Nov 27)
- RE: http-php-version output Rob Nicholls (Nov 26)
- Re: http-php-version output David Fifield (Nov 26)
- Re: http-php-version output Gutek (Nov 26)