Nmap Development mailing list archives
Re: Port specification in the location data returned from http-headers and html-title.nse
From: David Fifield <david () bamsoftware com>
Date: Mon, 9 Nov 2009 13:28:37 -0700
On Thu, Oct 15, 2009 at 05:56:41PM -0500, Tom Sellers wrote:
> This email is a combination of a request for comments as well as a
> reminder for myself.
>
> Some time ago I noticed that the html-title.nse script did not return
> the proper value for location when it was run against a web server
> running on a port other than 80.
>
> For example:
>
>     nmap -sV --script=html-title.nse -p 8080 www.someserver.com
>
> would return this
>
>     8080/tcp open http Apache httpd 2.0.46 ((Red Hat))
>     | html-title: My Site
>     |_ Requested resource was http://www.someserver.com/
>
> That last line should actually be
>
>     |_ Requested resource was http://www.someserver.com:8080/
>
> I noticed this due to a service I was seeing on a regular basis that
> redirects via an HTTP 302 to a subdirectory on the same host and port.
>
> Digging around a bit I see what I think is the cause in http.lua at
> the following lines in the "buildGet" function:
>
>     header = {
>     --> Host = get_hostname(host),
>         ["User-Agent"] = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
>     }
>
> When building the headers to send, the hostname is set, but the port
> number is not on it. The value of the Host: header is returned as part
> of the Location server header. The result trickles down in the
> Location values of a couple of scripts like html-title.nse and
> http-headers.nse.
>
> I did some preliminary testing and found that changing the line to
>
>     Host = get_hostname(host) .. port.number,
>
> corrected the problem without breaking anything.
Thanks, Tom. Your analysis is correct. However I think you meant

    Host = get_hostname(host) .. ":" .. port.number,

I committed something like this in r16030. The port number is appended
to the value whenever it is not equal to 80.
David Fifield
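The following is an added illustration, not code from Nmap's http.lua or from either poster. It builds the Host header value the way the fix described above does (hostname alone on port 80, hostname:port otherwise) and models the server behaviour Tom observed: a 302 whose Location is derived from the request's Host header, so a missing port in Host becomes a missing port in Location. It goes one step beyond the commit by treating 443 as the default for https as well. The get_hostname helper and the host/port table shapes are assumptions that mimic what NSE passes to scripts; the hostnames and IP are constructed sample values, and the whole thing runs under plain Lua 5.x with no NSE libraries.

```lua
-- Added example (not Nmap's http.lua): how the Host header value is built and
-- why the port matters for the Location header that comes back.
-- Assumptions: plain Lua 5.x; host = {name=..., ip=...}, port = {number=...}
-- are stand-ins for the tables NSE hands to a script.

-- Assumed helper: prefer the target name, fall back to the IP address.
local function get_hostname(host)
  return host.targetname or host.name or host.ip
end

-- A Host header omits the port only when it is the scheme's default.
-- The commit discussed above special-cases 80 only; the https/443 case
-- is an extension added in this example.
local DEFAULT_PORT = { http = 80, https = 443 }

-- Post-fix behaviour: append ":port" unless it is the default for the scheme.
local function build_host_header(host, port, scheme)
  scheme = scheme or "http"
  local name = get_hostname(host)
  if port.number == DEFAULT_PORT[scheme] then
    return name
  end
  return name .. ":" .. port.number
end

-- Pre-fix behaviour: hostname only, whatever the port.
local function old_host_header(host)
  return get_hostname(host)
end

-- Model of the server Tom hit: a 302 whose Location is assembled from the
-- request's Host header, pointing at a subdirectory on the same server.
local function redirect_location(host_header, path, scheme)
  return (scheme or "http") .. "://" .. host_header .. path
end

-- Constructed sample target and the port/scheme combinations worth checking.
local host = { name = "www.someserver.com", ip = "192.0.2.10" }
local cases = {
  { port = { number = 80   }, scheme = "http"  },
  { port = { number = 8080 }, scheme = "http"  },
  { port = { number = 443  }, scheme = "https" },
  { port = { number = 8443 }, scheme = "https" },
}

-- Print the Location a redirecting server would return before and after the fix.
for _, c in ipairs(cases) do
  local before = redirect_location(old_host_header(host), "/app/", c.scheme)
  local after  = redirect_location(build_host_header(host, c.port, c.scheme), "/app/", c.scheme)
  print(string.format("%-5s %-5d before: %-36s after: %s",
    c.scheme, c.port.number, before, after))
end
```

On the 8080 and 8443 rows the "before" column reproduces the bug from the report (no port in the URL), while the 80 and 443 rows are unchanged by the fix, which is the check you would want before declaring the change safe for the common case.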
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/