Re: .htaccess + php sec bypass

[David Fifield <david () bamsoftware com>]

On Fri, Aug 17, 2012 at 05:19:42PM -0500, Paulino Calderon wrote:
> On 04/08/2012 08:11 p.m., Paulino Calderon wrote:
> > On 30/07/2012 07:49 p.m., Arturo 'Buanzo' Busleiman wrote:
> > > Hey, thank you MK!
> > >
> > > On Mon, Jul 30, 2012 at 8:24 PM, Matias Katz<matias () matiaskatz com>  wrote:
> > > > If you need any feedback from me, please ask. I'd be happy to reply, and
> > > > help in any part of the script writing process :)
> >
> > I've looked into this tool and realized that we sort of have a
> > similar script that can accomplish this task. The tool released in
> > BH basically attempts to access a resource using a non-existing
> > HTTP method (AKA HTTP verb tampering). Not too long ago, Hani
> > released http-method-tamper which performs a similar test but is
> > focused on the JBoss vulnerablity (CVE-2010-0738).
> >
> > I'm attaching a new version of the script http-method-tamper. It
> > has the following advantages over the previous version:
> > * Supports http spidering. The idea is that users can run the
> > script with no arguments and it will crawl the webserver, identify
> > protected resources and attempt to bypass the authentication.
> > * Supports checks to specific paths. If a user know what paths
> > need to be checked, we can do so by setting an argument. No
> > spidering is done when we specify paths.
> > * The test to identify the vulnerability is more comprehensive in
> > this script. First, we try with "HEAD", then "POST" and finally a
> > random string (Non-existing method) as the HTTP verbs.
> >
> > IMO the existing script works perfectly for checking CVE 2010-0738
> > but since this is a general check, the specific JBoss information
> > should be moved a separate script.
> >
> > Feel free to test it against my test installation at 106.187.53.215:
> > nmap -p80 --script http-method-tamper --script-args
> > paths=/method-tamper/protected/pass.txt 106.187.53.215
>
> Did anyone have a chance to test this update? What are your opinions
> regarding these two scripts and their names?
>
> Recap:
> 1.- Current http-method-tamper does not detect misconfigured
> htaccess files and seems to be too specific for that jboss vuln.
> 2.- New script has spidering support and improved detecting. But I'm
> hesitant to name it  as the old one "http-method-tamper" as users
> might unintentionally crawl webservers thinking it still works as
> before.
>
> Feel free to try against the test server mentioned above.

I can see the value in spidering to find paths but it's also useful for
a script to have a list of paths like /jmx-console that are good
candidates to test.

You can commit your new http-method-tamper with spidering, however it
should not be in the safe category.

Move the existing http-method-tamper to something named after the
vulnerability advisory, and leave it in safe.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/