Nmap Development mailing list archives

Re: http-litespeed-sourcecode-download


From: Fyodor <fyodor () insecure org>
Date: Thu, 21 Jul 2011 03:14:05 -0700

On Fri, Jul 15, 2011 at 06:25:32PM -0700, Paulino Calderon wrote:

> description = [[
> http-litespeed-sourcecode-download.nse exploits a null-byte poisoning
> vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve
> the target script's source code by sending a HTTP request with a null
> byte followed by a .txt file extension (CVE-2010-2333).

Thanks Paulino.  Here are some suggestions:

o It needs an @output example--that section is currently empty.

o Ideally it should try to detect the vulnerability even if the user
  doesn't specify http-litespeed-sourcecode-download.uri.  Otherwise
  far fewer people will ever make use of this script.  Allowing the
  file to be specified is great for exploiting the bug, but it would
  be nice to find a way to detect it without requiring that.

o I know you are looking for ways to test it out on a real system, so
  I hope that goes well.

o It returns an error if the uri option is not specified, but people
  do things like "--script vuln" all the time and we don't want an
  error message showing for each host.  Ideally though, the fix will
  be to do useful things (e.g. detect the vuln) even without requiring
  the argument.

o The name http-litespeed-sourcecode-download is pretty long, and it
  doesn't even contain "vuln" or the CVE number.  But it includes a lot
  of other good details.  So I can't think of any name that I think is
  clearly better.  So this is probably OK.

o The @usage example gives the argument name as
  http-litespeed-sourcecode-download.file, but in the @args section
  and in the actual code it is .uri rather than .file.

o Even though the filename doesn't have a CVE number, the output
  should probably include it.  As I mentioned with
  http-axis2-dir-traversal, we should aim to report this in a
  reasonably common way (even though we don't have the special vuln
  reporting library yet).

I hope this helps.  Feel free to check it in if you can address these
issues and nobody else finds any other ones.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
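The review points above (a filled-in @output section, @usage and @args naming the same argument, the CVE in the output, and silence instead of an error when the optional argument is absent so that "--script vuln" runs stay quiet) can be seen together in one NSE skeleton. The following is an added example and is not Paulino's script or Nmap's own code; it only matches the Server banner against the 4.0.x-before-4.0.15 range named in the description and does not send the null-byte request. The argument name ".uri" and the helper is_vulnerable_version are assumptions chosen for illustration.

```lua
-- Added example, not part of the original thread or of Nmap. Assumes the
-- standard NSE libraries http, shortport and stdnse; the helper
-- is_vulnerable_version and the ".uri" argument are illustrative names.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Checks whether a LiteSpeed web server reports a version in the 4.0.x range
before 4.0.15, which is affected by the null-byte source disclosure bug
CVE-2010-2333. The check is banner-based and sends only a request for "/".
An optional URI argument is echoed back so the operator can follow up by hand.
]]

---
-- @usage
-- nmap -p80 --script http-litespeed-sourcecode-download \
--   --script-args http-litespeed-sourcecode-download.uri=/index.php <target>
--
-- @args http-litespeed-sourcecode-download.uri Optional URI of the script
--       whose source is of interest. The check runs without it.
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-litespeed-sourcecode-download: LiteSpeed/4.0.12 is vulnerable to source disclosure (CVE-2010-2333)

author = "example author"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = shortport.http

-- True when the banner reads "LiteSpeed/4.0.N" with N below 15; anything
-- else (other major/minor, no banner, unparsable banner) is treated as not
-- affected, which keeps the script from reporting false positives.
local function is_vulnerable_version(server_header)
  if not server_header then return false end
  local major, minor, patch = string.match(server_header,
                                           "LiteSpeed/(%d+)%.(%d+)%.(%d+)")
  if not major then return false end
  return tonumber(major) == 4 and tonumber(minor) == 0 and tonumber(patch) < 15
end

action = function(host, port)
  -- Optional argument: nil when the user did not set it, never an error.
  local uri = stdnse.get_script_args(SCRIPT_NAME .. ".uri")

  local resp = http.get(host, port, "/")
  if not resp or not resp.header then return nil end

  local server = resp.header["server"]
  if not is_vulnerable_version(server) then
    -- Return nil so nothing is printed for unaffected hosts.
    return nil
  end

  -- Report the CVE in the output even though the script name omits it.
  local out = string.format(
    "%s is vulnerable to source disclosure (CVE-2010-2333)", server)
  if uri then
    out = out .. string.format("\n  URI supplied for follow-up: %s", uri)
  end
  return out
end
```

The script runs unchanged with and without the argument; the only effect of supplying ".uri" is an extra line in the output, so a plain "--script vuln" scan over many hosts prints nothing for servers that do not match the affected banner.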