Nmap Development mailing list archives

Re: [NSE] apache-userdir-enum


From: Fyodor <fyodor () insecure org>
Date: Mon, 27 Jul 2009 15:18:30 -0700

On Sun, Jul 12, 2009 at 11:37:06PM +0100, jah wrote:

-- The script will run against http[s] and http[s]-alt ports.  If version detection
-- is performed and discovers a service which does not contain 'apache' the script
-- will not run.

Thanks Jah!  I'm wondering how server-specific this ~username behavior
is?  In particular, I'm wondering how many other web servers have
copies that approach.  It would be fascinating to do a big scan
(without the "apache" check) and determine:

1) How many of the servers have one of the 11 tested ~usernames
2) How many of those pass the "apache" check.

For example, you note in your comments that Tomcat Coyote apparently
exhibits this behavior sometimes.  Also, some Apache admins remove the
"Apache" banner.  And some Apache-derived servers might still support
the behavior while not advertising Apache in their server line.

I don't pretend to know how Apache-specific this issue is, so I'm not
suggesting removing the check.  But I at least want to put a call out
to the list first: if anyone knows non-Apache servers which are at
least occasionally configured to use paths like
http://servername.com/~user/, please speak up! 

If this is merged into http-enum, it might be worth making it
unconditional.  An NSE arg could be provided to enable the Apache
banner checking.

Cheers,
-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
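An added example, not jah's script and not part of Nmap or NSE, that models the survey Fyodor proposes: probe each tested ~username against a baseline request for a name that should not exist, record the Server banner, and tally (1) how many hosts answer for at least one ~username and (2) how many of those would have passed the "apache" banner check. The gating is a flag, as the message suggests for an NSE arg. The eleven usernames, the helper names (probe_userdir, survey, fake_server) and the constructed host table are assumptions; Python rather than Lua so the block runs offline against the constructed servers.

```python
"""Offline model of the ~user enumeration discussed in the thread.

This is illustrative code, not the apache-userdir-enum NSE script.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# The thread mentions eleven tested names; these particular names are assumed.
DEFAULT_USERS = ["root", "admin", "test", "guest", "user", "www",
                 "ftp", "mail", "nobody", "apache", "httpd"]
BOGUS_USER = "nsewontexist9x"   # baseline name that should not exist anywhere

# A fetcher maps a request path to (HTTP status, response headers).
Fetch = Callable[[str], Tuple[int, Dict[str, str]]]


def live_fetch(base_url: str) -> Fetch:
    """Real fetcher for use against a host you are authorised to test."""
    def fetch(path: str) -> Tuple[int, Dict[str, str]]:
        req = urllib.request.Request(base_url + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers)
    return fetch


def looks_like_apache(banner: str) -> bool:
    """The 'apache' check the script applies to the Server banner."""
    return "apache" in banner.lower()


def probe_userdir(fetch: Fetch, users: Iterable[str] = DEFAULT_USERS
                  ) -> Tuple[str, List[str]]:
    """Return (Server banner, usernames that answer differently from the baseline).

    mod_userdir typically answers 200 or 403 for an existing account and 404
    for an unknown one. Comparing against a bogus name filters out servers
    that answer every path the same way (catch-all 200s, blanket 403s).
    """
    baseline_status, headers = fetch(f"/~{BOGUS_USER}/")
    banner = headers.get("Server", "")
    found = []
    for user in users:
        status, _ = fetch(f"/~{user}/")
        if status != baseline_status and status in (200, 403):
            found.append(user)
    return banner, found


def survey(hosts: Dict[str, Fetch], require_apache: bool = False
           ) -> Tuple[int, int]:
    """Fyodor's two tallies over a set of hosts.

    With require_apache=True, hosts whose banner lacks 'apache' are skipped
    before probing, mirroring an opt-in banner check.
    """
    hosts_with_users = 0
    hosts_with_users_and_apache = 0
    for fetch in hosts.values():
        if require_apache:
            _, headers = fetch("/")
            if not looks_like_apache(headers.get("Server", "")):
                continue
        banner, found = probe_userdir(fetch)
        if found:
            hosts_with_users += 1
            if looks_like_apache(banner):
                hosts_with_users_and_apache += 1
    return hosts_with_users, hosts_with_users_and_apache


def fake_server(banner: str, users_present: set, present_status: int = 403,
                absent_status: int = 404) -> Fetch:
    """Constructed stand-in for a web server, so the example runs offline."""
    def fetch(path: str) -> Tuple[int, Dict[str, str]]:
        match = re.match(r"/~([^/]+)/?$", path)
        user = match.group(1) if match else None
        status = present_status if user in users_present else absent_status
        return status, {"Server": banner}
    return fetch


# Constructed sample hosts covering the cases raised in the thread.
FAKE_HOSTS: Dict[str, Fetch] = {
    "apache-with-userdir": fake_server("Apache/2.2.11 (Unix)", {"root", "test"}),
    "apache-no-userdir":   fake_server("Apache/2.2.11 (Unix)", set()),
    "stripped-banner":     fake_server("", {"admin"}),   # Apache, banner removed
    "tomcat-coyote":       fake_server("Apache-Coyote/1.1", {"guest"},
                                       present_status=200),
    "iis":                 fake_server("Microsoft-IIS/6.0", set()),
    "catch-all-200":       fake_server("nginx", set(), absent_status=200),
}

if __name__ == "__main__":
    print("unconditional:", survey(FAKE_HOSTS))
    print("apache-gated: ", survey(FAKE_HOSTS, require_apache=True))
```

Against the constructed hosts, the unconditional run finds three hosts answering for some ~username, of which two carry "apache" in the banner; the gated run never probes the banner-stripped Apache host at all, which is the blind spot the message worries about. The catch-all host is excluded by the baseline comparison rather than miscounted.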
