Nmap Development mailing list archives

Re: http-litespeed-sourcecode-download


From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 24 Jul 2011 15:24:40 -0500

On 07/21/2011 05:14 AM, Fyodor wrote:
On Fri, Jul 15, 2011 at 06:25:32PM -0700, Paulino Calderon wrote:
description = [[
http-litespeed-sourcecode-download.nse exploits a null-byte poisoning
vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve
the target script's source code by sending a HTTP request with a null
byte followed by a .txt file extension (CVE-2010-2333).
Thanks Paulino.  Here are some suggestions:

o It needs an @output example--that section is currently empty.

o Ideally it should try to detect the vulnerability even if the user
   doesn't specify http-litespeed-sourcecode-download.uri.  Otherwise
   far fewer people will ever make use of this script.  Allowing the
   file to be specified is great for exploiting the bug, but it would
   be nice to find a way to detect it without requiring that.

o I know you are looking for ways to test it out on a real system, so
   I hope that goes well.

o It returns an error if the uri option is not specified, but people
   do things like "--script vuln" all the time and we don't want an
   error message showing for each host.  Ideally though, the fix will
   be to do useful things (e.g. detect the vuln) even without requiring
   the argument.

o The name http-litespeed-sourcecode-download is pretty long, and it
   doesn't even contain "vuln" or the CVE number.  But it includes a lot
   of other good details.  So I can't think of any name that I think is
   clearly better.  So this is probably OK.

o The @usage example gives the argument name as
   http-litespeed-sourcecode-download.file, but in the @args section
   and in the actual code it is .uri rather than .file.

o Even though the filename doesn't have a CVE number, the output
   should probably include it.  As I mentioned with
   http-axis2-dir-traversal, we should aim to report this in a
   reasonably common way (even though we don't have the special vuln
   reporting library yet).

I hope this helps.  Feel free to check it in if you can address these
issues and nobody else finds any other ones.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
I've committed the improved script as r25249.

Cheers.
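As an added, defender-side example that is not from this thread or from the Nmap script itself, the following Python flags the request pattern the quoted description names, a null byte followed by a .txt extension, in web server access logs, so an operator can spot probing for CVE-2010-2333 and which of those requests got a 200. The log format (Apache-style combined log, which LiteSpeed can also write) and the sample lines are assumptions, constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jul/2011:15:24:40 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jul/2011:15:24:41 -0500] "GET /index.php%00.txt HTTP/1.1" 200 5123 "-" "Nmap Scripting Engine"
198.51.100.7 - - [24/Jul/2011:15:25:02 -0500] "GET /notes.txt HTTP/1.1" 200 88 "-" "curl/7.21.0"
198.51.100.7 - - [24/Jul/2011:15:25:03 -0500] "GET /admin/config.php%00.TXT HTTP/1.1" 404 210 "-" "curl/7.21.0"
"""

# Minimal parser for the fields we need: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_null_byte_source_probe(raw_path):
    """True if the request path carries a null byte directly followed by '.txt'.

    The path is percent-decoded twice so that both %00 and a double-encoded
    %2500 are caught; the comparison is case-insensitive (".TXT" counts too).
    """
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    return re.search(r"\x00\.txt$", path, re.IGNORECASE) is not None

def find_source_disclosure_probes(log_text):
    """Return (ip, raw_path, status) for every request matching the probe pattern.

    A 200 on such a request is the worrying case: the server may have served
    the script's source as a text file instead of executing it.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_null_byte_source_probe(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for ip, path, status in find_source_disclosure_probes(SAMPLE_LOG):
        print(f"{ip} requested {path!r} -> HTTP {status}")
```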

