Nmap Development mailing list archives
[NSE] Error handling in http-default-accounts-fingerprints
From: nnposter () users sourceforge net
Date: Fri, 26 Jul 2013 22:38:25 +0000
The following patch allows http-default-accounts-fingerprints.lua to correctly handle cases where the HTTP response completely fails, such as by receiving RST or FIN after submitting the HTTP request. Without this patch such cases are misinterpreted as authentication successes due to the fact that req.status is nil. Cheers, nnposter Patch against revision 31543 follows: --- nselib/data/http-default-accounts-fingerprints.lua.orig 2013-07-26 16:05:14.859375000 -0600 +++ nselib/data/http-default-accounts-fingerprints.lua 2013-07-26 16:13:23.656250000 -0600 @@ -29,7 +29,7 @@ local function try_http_basic_login(host, port, path, user, pass, digest_auth) local credentials = {username = user, password = pass, digest = digest_auth} local req = http.get(host, port, path, {no_cache=true, auth=credentials, redirect_ok = false}) - if req.status ~= 401 and req.status ~= 403 then + if req.status and req.status ~= 401 and req.status ~= 403 then return true end return false @@ -49,7 +49,8 @@ local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects) local req = http.post(host, port, path..target, {no_cache=true}, nil, params) - local status = ( req and tonumber(req.status) ) or 0 + if not req.status then return false end + local status = tonumber(req.status) or 0 if follow_redirects and ( status > 300 and status < 400 ) then req = http.get(host, port, url.absolute(path, req.header.location), { no_cache = true, redirect_ok = false }) end _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Error handling in http-default-accounts-fingerprints nnposter (Jul 26)
- Re: [NSE] Error handling in http-default-accounts-fingerprints George Chatzisofroniou (Jul 28)