
Nmap Development mailing list archives
[PATCH] http.lua and malformed HTTP responses
From: jah <jah () zadkiel plus com>
Date: Mon, 16 Jun 2008 15:38:21 +0100
Greetings,

I happened upon an "Arris cm450 cable modem http config" service which, when running showHTMLtitle against it, resulted in:

SCRIPT ENGINE: C:\Program Files\Nmap\nselib/http.lua:137: attempt to concatenate field '?' (a nil value)

It turns out that the device didn't respond with an HTTP Header and just chucked out some html:

<html><head><title>Cannot find server</title></head><body>
<br>Access to this web page is currently unavailable.<P><HR></BODY></HTML>

The failure was due to the assumption that a header line without a key:value pair is a continuation of the previous key:value pair, but in this case there was no previous key:value.

I added a test for "last_header" in http.lua:137 which prevents the error, but because the response didn't contain a double line-feed and the lines coming from buffer() weren't matching Response Header values, the lines were discarded and the buffer was then empty by the time it came to collecting lines for the body of the response.

The attached patch allows the retrieval of those lines that don't match headers and returns them as the body:

|_ HTML title: Cannot find server

I've tested it some and all seems fine.

Regards,
jah
--- http.lua.orig 2008-06-16 15:34:26.015625000 +0100 +++ http.lua 2008-06-16 15:35:11.062500000 +0100 @@ -99,6 +99,7 @@ local status, line, _ local header, body = {}, {} + local not_a_header = "" -- header loop while true do @@ -109,11 +110,12 @@ -- build nicer table for header local last_header, match - for number, line in pairs( header ) do + for number, line in ipairs( header ) do if number == 1 then local code _, _, code = string.find( line, "HTTP/%d\.%d (%d+)") result.status = tonumber(code) + if not result.status then not_a_header = not_a_header .. line .. "\n" end else match, _, key, value = string.find( line, "(.+): (.*)" ) if match and key and value then @@ -126,8 +128,10 @@ last_header = key else match, _, value = string.find( line, " +(.*)" ) - if match and value then + if match and value and last_header then result.header[last_header] = result.header[last_header] .. ',' .. value + elseif match and value then + not_a_header = not_a_header .. line .. "\n" end end end @@ -141,7 +145,7 @@ end socket:close() - result.body = table.concat( body, "\n" ) + result.body = not_a_header .. table.concat( body, "\n" ) return result
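Review bot: in the hunk at @@ -99,6 +99,7 @@, `not_a_header` is accumulated by string concatenation (`not_a_header .. line .. "\n"`) while `body`, declared on the same line, is a table joined once with `table.concat`. Building both the same way (append to a table, concat at the end) avoids repeated string reallocation on a large non-HTTP payload and keeps the two body paths consistent.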
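Review bot: in the hunk at @@ -109,11 +110,12 @@, the new `if not result.status` branch keeps the first line, but the loop then carries on treating every following line as a header field even though the missing status line already shows the data is not an HTTP header block. Because the field pattern `"(.+): (.*)"` is unanchored, any HTML line that happens to contain `": "` will be recorded in `result.header` instead of reaching the body. Suggest that when the first line does not match, the whole buffered block is assigned to `not_a_header` and the loop is left with `break`. On the context line, `"HTTP/%d\.%d (%d+)"` uses `\.`, which in a Lua 5.1 string literal is just `.`, so the pattern matches any character at that position (and later Lua versions reject the escape); use `%.` for a literal dot. The switch from `pairs` to `ipairs` is correct, since `last_header` depends on line order.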
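Review bot: in the hunk at @@ -126,8 +128,10 @@, the `last_header` guard removes the nil concatenation, but the new `elseif match and value` branch still depends on `" +(.*)"`, which is unanchored and therefore matches any line containing a space anywhere; a line with no space at all (a run of tags with no text, for instance) fails both branches and is dropped silently, which is the same discard the patch sets out to fix. Suggest anchoring the continuation test to `"^[ \t]+(.*)"` and adding a final `else` that appends the line to `not_a_header` so that nothing is lost. Also on the context line, a folded continuation is joined to the previous value with `','`, the separator used for repeated fields; a folded line continues the same value and should be joined with a space.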
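Review bot: in the hunk at @@ -141,7 +145,7 @@, `result.body` can now carry data while `result.status` is nil and `result.header` is empty, which is a new contract for callers (a script that checks `result.status` before reading the body would still miss this device). Document the nil-status-with-body case in the function's header comment and return description. Minor: each `not_a_header` line ends in `"\n"` while the `body` lines are joined with `"\n"` and no trailing newline, so a response whose data all lands in `not_a_header` gets a trailing newline that a normal body does not.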
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
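The parsing behaviour discussed in this thread, written out as an added example; this is not code from Nmap's http.lua, from jah's patch, or from any Nmap release. It anchors the status-line, field and continuation patterns, keeps header-block lines that are not fields as body instead of discarding them, and, going beyond the patch, treats data with no status line as a pure body rather than scanning HTML lines for header fields. parse_response, extract_title and split_lines are hypothetical names, the three raw responses at the bottom are constructed samples, and the code is plain Lua 5.x string handling with no NSE dependencies, so it runs under a stand-alone lua interpreter.

```lua
-- Added example, not code from Nmap's http.lua or from the patch above.
-- parse_response, extract_title and split_lines are hypothetical helper
-- names; the three raw responses at the bottom are constructed samples.

-- Splits text on LF or CRLF into a table of lines.
local function split_lines(text)
  local lines = {}
  for line in (text .. "\n"):gmatch("(.-)\r?\n") do
    lines[#lines + 1] = line
  end
  return lines
end

-- Parses one raw HTTP response and returns a table with
--   status  numeric status code, or nil when the data has no status line
--   header  lower-cased field names -> values (repeated fields joined by ",")
--   body    everything after the header block; for data without a status
--           line, the whole payload, so nothing the server sent is discarded
local function parse_response(raw)
  local result = { status = nil, header = {}, body = "" }

  -- No status line means this is not an HTTP header block at all (the cable
  -- modem case). Keep the entire payload as body instead of trying to read
  -- HTML lines as header fields; callers must check status for nil.
  local code = raw:match("^HTTP/%d%.%d (%d%d%d)")
  if not code then
    result.body = raw
    return result
  end
  result.status = tonumber(code)

  -- The header block ends at the first blank line; without one, the body is empty.
  local head, body = raw:match("^(.-)\r?\n\r?\n(.*)$")
  if not head then
    head, body = raw, ""
  end

  local lines = split_lines(head)
  local last_header
  local leftovers = {}   -- lines inside the header block that are not fields
  for i = 2, #lines do
    local line = lines[i]
    local key, value = line:match("^([%w%-]+):%s*(.*)$")   -- anchored "Name: value"
    if key then
      key = key:lower()
      if result.header[key] then
        result.header[key] = result.header[key] .. "," .. value   -- repeated field
      else
        result.header[key] = value
      end
      last_header = key
    else
      local cont = line:match("^[ \t]+(.*)$")               -- anchored obs-fold line
      if cont and last_header then
        result.header[last_header] = result.header[last_header] .. " " .. cont
      elseif line ~= "" then
        -- A continuation with no preceding field (the nil-concat crash) or any
        -- other non-field line: keep it rather than dropping it on the floor.
        leftovers[#leftovers + 1] = line
      end
    end
  end

  if #leftovers > 0 then
    body = table.concat(leftovers, "\n") .. "\n" .. body
  end
  result.body = body
  return result
end

-- What a showHTMLtitle-style script needs from the body: the first <title>.
local function extract_title(body)
  return body:match("<[Tt][Ii][Tt][Ll][Ee]>%s*(.-)%s*</[Tt][Ii][Tt][Ll][Ee]>")
end

-- Constructed sample 1: the headerless reply described in the report.
local headerless = "<html><head><title>Cannot find server</title></head><body>\n"
  .. "<br>Access to this web page is currently unavailable.<P><HR></BODY></HTML>"
local r1 = parse_response(headerless)
assert(r1.status == nil and extract_title(r1.body) == "Cannot find server")

-- Constructed sample 2: a well-formed response with a repeated and a folded field.
local normal = "HTTP/1.1 200 OK\r\nServer: httpd\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n"
  .. "X-Long: first\r\n second\r\n\r\n<html><title>Login</title></html>"
local r2 = parse_response(normal)
assert(r2.status == 200 and r2.header["set-cookie"] == "a=1,b=2")
assert(r2.header["x-long"] == "first second" and extract_title(r2.body) == "Login")

-- Constructed sample 3: an indented line before any field, the original crash trigger.
local stray = "HTTP/1.0 200 OK\n   orphan line\nContent-Type: text/html\n\n<title>X</title>"
local r3 = parse_response(stray)
assert(r3.header["content-type"] == "text/html" and extract_title(r3.body) == "X")
assert(r3.body:find("orphan line", 1, true) ~= nil)
print("all checks passed")
```

The design choice worth noting is the early return: once the first line fails the status-line test there is no reason to keep running header patterns over what is evidently HTML, since an unanchored `Name: value` match would otherwise swallow any body line containing a colon and a space. Callers get the whole payload back and a nil status, so a script that reads the body must treat a nil status as "not HTTP, but here is what the port sent".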
Current thread:
- [PATCH] http.lua and malformed HTTP responses jah (Jun 16)
- Re: [PATCH] http.lua and malformed HTTP responses Fyodor (Jun 28)
- <Possible follow-ups>
- re: [PATCH] http.lua and malformed HTTP responses jah (Jun 16)