Nmap Development mailing list archives
Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"
From: David Fifield <david () bamsoftware com>
Date: Wed, 12 Oct 2011 00:06:36 -0700
On Mon, Oct 10, 2011 at 02:34:09PM -0700, Paulino Calderon wrote:
> Hi, I don't have access to a vulnerable installation but I wanted to share
> a couple of things I noticed:
>
> * portrule = shortport.service("http")
>   It should be portrule = shortport.http if you want it to run against
>   https servers as well.
>
> * If the pipeline is empty, it will crash. Add a return after the check:
>
>     if not bypass_request then
>       stdnse.print_debug(1, "%s : got no answers from pipelined queries", SCRIPT_NAME)
>       return
>     end
>
>   Otherwise we get a crash with the trace:
>
>     http-reverseproxy-bypass.nse:69: attempt to get length of local 'bypass_request' (a nil value)
>
> I think this is a good idea for an NSE script. I'll set up a vulnerable
> installation and report results later.

I also like this script. Let us know how testing goes, Paulino, and if
favorable we'll add it.

David Fifield