Re: [NSE] apache-userdir-enum

[jah <jah () zadkiel plus com>]

On 11/08/2009 08:45, Fyodor wrote:
> Thanks Jah!  I like this script, though IMHO the version detection bit
> is over-optimizing.  If it only worked against one obscure server,
> there would be a lot of efficiency gain in restricting execution to
> that server.  But given that the allowed list likely includes more
> than half the web servers on the Internet already, the restriction has
> a smaller benefit compared the confusion it can cause when a script
> refuses to run just because of the "Server: " string.  Also, you never
> know what servers will support this behavior.  Here is a plugin for
> supporting ~username on IIS:
>
> http://brentp.net/2008/04/06/iis-isapi-plugin-support-for-user-home-directories/
Nice find!  I've removed the restriction and if it turns out that the
script produces too many false positives I'll look at what else might be
done to avoid them.

Regards,

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org