Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] 404 handling in http-default-accounts-fingerprints
From: nnposter () users sourceforge net
Date: Sat, 27 Jul 2013 01:33:25 +0000

The following patch allows http-default-accounts-fingerprints.lua to
correctly handle cases where the response in try_http_post_login() is
HTTP/404. Without this patch such cases can be misinterpreted as
authentication successes due to the fact that the response does not
contain the validation string, such as "Invalid auth credentials!" or
"Login Error !!".

Cheers,
nnposter


Patch against revision 31543 follows:

--- nselib/data/http-default-accounts-fingerprints.lua.orig     2013-07-26 16:05:14.859375000 -0600
+++ nselib/data/http-default-accounts-fingerprints.lua  2013-07-26 19:28:03.734375000 -0600
@@ -53,7 +53,7 @@
     if follow_redirects and ( status > 300 and status < 400 ) then
       req = http.get(host, port, url.absolute(path, req.header.location), { no_cache = true, redirect_ok = false })
     end
-    if not(http.response_contains(req, failstr)) then
+    if req.status and req.status ~= 404 and not(http.response_contains(req, failstr)) then
       return true
     end
     return false
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault