Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: hexify() problem in http-passwd.nse
From: Joao Correa <joao () livewire com br>
Date: Sat, 30 May 2009 05:50:02 -0300

I've just realized that the script is for trying to retrieve the
passwd file using the path as a parameter to a web page (described as
<code>/etc/passwd</code> on the comments) and not directly as a URI,
making necessary the use of hexed chars.

Sorry about the previous e-mail.
João Correa

On Sat, May 30, 2009 at 5:41 AM, Joao Correa <joao () livewire com br> wrote:
Hello guys,

I've been testing the script http-passwd.nse and I've found the
following problem:

The script uses a function called hexify to transform the address into
a URI encoded address, including transformations to the "/" (slashes),
making it something like "www.address.com%2F%2Fetc%22Fpasswd" . I've
noticed that the apache server where I've been making tests was always
returning 404 error to such request. I've removed the hexify function,
and the script started working perfectly.

I believe that such request (with hexed "/") was valid somewhere ago
in time and was not recently tested, or is valid in another web
server, what justifies the use of the hex function. Anyway, according
to RFC 3986 [1], that dates from 2005, the substitution of %2F (hex
encoding of "/") is not equivalent to /, since it is a reserved
character.

In time, setting the hexify function to replace "/" for %252f make it
work fine again. Anyway %25 means "%" and I think that such
substitution is quite redundant.

I'm thinking about removing the hexify function from the scripts, but
I don't know if it will affect any other web server.

Do someone uses this script daily or in a different web server and
have any consideration?

Thank you!
João Correa

[1] - http://tools.ietf.org/html/rfc3986#section-2.2


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]