mailing list archives
Re: [NSE] Changes to http-auth
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 19 Dec 2011 19:44:16 +0100
On Mon, Dec 19, 2011 at 3:47 PM, Rob Nicholls <robert () robnicholls co uk>wrote:
I've taken a slightly closer look and I think the existing http.lua can
without the quotes.
But I get the impression that http.lua is struggling to deal with more than
one scheme in the WWW-Authenticate header. I think something's not quite
right with the parsing, probably some kind of off-by-one problem. I briefly
tried playing around with the code, which got it sort of working for the
header Patrik supplied, but then I was off-by-one in another place (I don't
think the comma is being properly taken into account after the name of the
scheme, but if you try to increment it there then other tokens can get
screwed up later on). It's not my code, so I'm finding it hard to follow
exactly what's going on. I might take another stab later, but I can't spend
any more time on it right now.
Thanks for looking into this Rob. I figured out what the problem was and it
had to do with authentication schemes that did not contain any parameters.
The read_auth_challenge would fail if no params were present. As my servers
supported both Kerberos and NTLM, which both don't have any parameters in
addition to the scheme, parsing would fail.
I'm hoping the patch I committed in r27560 solves this problem. I've also
committed a new version of http-auth r27561 that takes this fact into
account and contains some other cosmetic changes, and Duarte's path
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/