Re: [NSE] False positive - http-huawei-hg5xx-vuln.nse

[Tom Sellers <nmap () fadedcode net>]

On 7/3/2012 9:10 PM, tom () fadedcode net wrote:
> The script - http-huawei-hg5xx-vuln.nse [1] - detects a vulnerability in Huawei modem and also performs service 
> detection by checking response to certain HTTP queries.
> A false positive is generated when it scans a HTTP server that return a 200 response code to every request.  Certain 
> devices, such as Cisco ASAs and some Oracle httpd services,  tend to do this.  You
> can test this by scanning the HTTPS port on a Cisco ASA that is providing SSL VPN service.  You find a couple of 
> these to test with using a Google search [2].
>
> I have attached a patch that will use the http library's identify_404 function and detect httpds that respond with 
> 200 when queried for non-existent documents.  There are a couple of other scripts [3]
> that have a similar problem and I will fix them if the patch passes review.
>
> Thank much,
>
> Tom Sellers
>
>
> 1. http://nmap.org/nsedoc/scripts/http-huawei-hg5xx-vuln.html
> 2. allintitle: "SSL VPN Service"
> 3. http-cakephp-version,  http-malware-host,  http-method-tamper

This was committed last night after an email exchange with Paulino.  I can make similar changes to the other scripts 
unless someone can think of a cleaner way to detect this.


Thanks much,
Tom Sellers


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/