Nmap Development mailing list archives

Re: [NSE] False positive - http-huawei-hg5xx-vuln.nse


From: Tom Sellers <nmap () fadedcode net>
Date: Wed, 04 Jul 2012 07:00:33 -0500

On 7/3/2012 9:10 PM, tom () fadedcode net wrote:
The script - http-huawei-hg5xx-vuln.nse [1] - detects a vulnerability in Huawei modems and also performs service detection by checking the response to certain HTTP queries.
A false positive is generated when it scans an HTTP server that returns a 200 response code to every request. Certain devices, such as Cisco ASAs and some Oracle httpd services, tend to do this. You can test this by scanning the HTTPS port on a Cisco ASA that is providing SSL VPN service. You can find a couple of these to test with using a Google search [2].

I have attached a patch that will use the http library's identify_404 function and detect httpds that respond with 200 when queried for non-existent documents. There are a couple of other scripts [3] that have a similar problem and I will fix them if the patch passes review.

Thanks much,

Tom Sellers


1. http://nmap.org/nsedoc/scripts/http-huawei-hg5xx-vuln.html
2. allintitle: "SSL VPN Service"
3. http-cakephp-version,  http-malware-host,  http-method-tamper

This was committed last night after an email exchange with Paulino. I can make similar changes to the other scripts unless someone can think of a cleaner way to detect this.


Thanks much,
Tom Sellers
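
Added example, not the patch from this thread and not Nmap project code: a minimal NSE script showing how the http library's identify_404 baseline can guard a status-code check against servers that answer 200 to every request. PROBE_PATH and the script metadata are hypothetical; the script assumes the http, shortport and stdnse libraries shipped with current Nmap.

```lua
-- Added example: do not trust a bare HTTP 200 until the server's
-- "not found" behaviour has been measured with http.identify_404.
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Illustrates guarding a status-code-based HTTP check with http.identify_404.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

portrule = shortport.http

-- Hypothetical path standing in for whatever URI a real script probes.
local PROBE_PATH = "/example-probe.html"

action = function(host, port)
  -- identify_404 requests random, non-existent URIs and reports how the
  -- server answers them: the status code used and a cleaned-up body.
  local ok, result_404, known_404 = http.identify_404(host, port)
  if not ok then
    -- On failure the second return value is an error message.
    stdnse.debug1("identify_404 failed: %s", tostring(result_404))
    return nil
  end

  local response = http.get(host, port, PROBE_PATH)
  if not response or not response.status then
    return nil
  end

  -- page_exists judges the response against that baseline. When missing
  -- pages also return 200, it compares the body with known_404 instead of
  -- trusting the status code, so a catch-all 200 page is not a hit.
  if http.page_exists(response, result_404, known_404, PROBE_PATH, false) then
    return ("%s differs from the not-found baseline (HTTP %s)")
      :format(PROBE_PATH, tostring(result_404))
  end

  stdnse.debug1("%s matches the not-found baseline (HTTP %s)",
    PROBE_PATH, tostring(result_404))
  return nil
end
```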

