Call for testing: httpd.lua, an Ncat's --lua-exec script

[Jacek Wielemborek <wielemborekj1 () gmail com>]

Hi guys,

Yesterday I finally merged the httpd.lua server into Ncat SVN trunk.
httpd.lua is a tiny HTTP server that makes use of --lua-exec feature
introduced in the recently released Ncat 6.40. You can use it to
easily share files on the network and with Ncat's built-in SSL, it can
run HTTPS as well. Here are its features:

* Supports basic GET requests within the script's walking directory,
* Lets you easily add your MIME types based on filename extensions
(currently only recognizes HTML files),
* Correctly handles URL-encoded filenames,
* Protects against directory traversal attacks,
* Protects against attacks involving overlong UTF-8 sequences

...all that in just 318 lines of code (including quite a lot of
comments and blanks). Note that it doesn't support indexing, because
it was impossible to implement it in a portable way in Lua without
adding external dependencies.

To run this script, use Ncat's --lua-exec functionality like this:

ncat --lua-exec httpd.lua --listen

Note that you need Ncat 6.40 or later (for example, SVN trunk) for that to work.

Although me and David did quite a lot of experimenting to make it
secure, it would definitely use some testing. This is why I'd like you
guys to try some tricks to make sure you can't perform path traversal
or some other nasty attack. Windows testers are welcome too; I'm not
sure if the resource validation is perfect there since I don't know
this OS that well. Also, please try copying some weird binary  and/or
large files and check their MD5 sums. I expect it all to be fine,
though.

As always, feedback is more than welcome! :)

Yours,
Jacek Wielemborek
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/