Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Changes to http-auth
From: David Fifield <david () bamsoftware com>
Date: Mon, 19 Dec 2011 11:17:06 -0800

On Mon, Dec 19, 2011 at 07:44:16PM +0100, Patrik Karlsson wrote:
On Mon, Dec 19, 2011 at 3:47 PM, Rob Nicholls <robert () robnicholls co uk>wrote:

I've taken a slightly closer look and I think the existing http.lua can
cope
without the quotes.

But I get the impression that http.lua is struggling to deal with more than
one scheme in the WWW-Authenticate header. I think something's not quite
right with the parsing, probably some kind of off-by-one problem. I briefly
tried playing around with the code, which got it sort of working for the
header Patrik supplied, but then I was off-by-one in another place (I don't
think the comma is being properly taken into account after the name of the
scheme, but if you try to increment it there then other tokens can get
screwed up later on). It's not my code, so I'm finding it hard to follow
exactly what's going on. I might take another stab later, but I can't spend
any more time on it right now.

Thanks for looking into this Rob. I figured out what the problem was and it
had to do with authentication schemes that did not contain any parameters.
The read_auth_challenge would fail if no params were present. As my servers
supported both Kerberos and NTLM, which both don't have any parameters in
addition to the scheme, parsing would fail.

I'm hoping the patch I committed in r27560 solves this problem. I've also
committed a new version of http-auth r27561 that takes this fact into
account and contains some other cosmetic changes, and Duarte's path
addition.

Thanks for helping to figure this out, everyone. Having zero auth-params
is not allowed according to RFC 2617 section 1.2, which says
        auth-scheme    = token
        auth-param     = token "=" ( token | quoted-string )
        challenge      = auth-scheme 1*SP 1#auth-param
where 1#auth-param means "one or more auth-params separated by commas."
But it seems obvious we should support zero auth-params as well since
Patrik found it in the wild. The http.lua code is based on
http_read_challenge in Ncat, where I have just made the same change.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]