Nmap Development mailing list archives

Adobe CQ / Day CRX


From: Chris Wallis <clwallis () gmail com>
Date: Thu, 10 Jan 2013 20:43:23 +0000

Hi all,

I've recently gained some experience with Adobe CQ and Day CRX (related web
application frameworks currently gaining popularity), and found that Nmap
does not correctly identify the services in certain cases.

Also something interesting about CQ and CRX is that by default they have a
WebDAV server listening on the same interface as the HTTP server. This is a
security risk and should be flagged by Nmap, but at the moment the WebDAV
element is not being recognised on CQ, and on CRX the service is not even
being recognised as HTTP.

I have a CRX fingerprint to submit and I was wondering - as WebDAV is an
extension to HTTP, and the service does not exclusively handle WebDAV,
would it be correct to just submit it under the 'http' category?

I have also developed two scripts which I think may be useful in flagging
insecure installations of CQ and CRX. One detects WebDAV enabled on
the HTTP service or ports used by CQ/CRX, and the other checks for the
default accounts. They could probably both be expanded upon, but I thought
it would be interesting to get some feedback from the Nmap dev community
before I did any more work on them.

The scripts are attached along with the CRX fingerprints.

Attachment: SF.txt
Attachment: adobecq-webdav-discovery.nse
Attachment: adobecq-webdav-default-creds.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
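As an added illustration (not one of the scripts attached to the post above), this is how a WebDAV-exposure check of the kind described could be written as an NSE script: it sends an HTTP OPTIONS request and reports a DAV response header or WebDAV methods listed in Allow. The script name, the optional path argument and the generic portrule are assumptions, not taken from the attached scripts.

```lua
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Sends an HTTP OPTIONS request and reports whether the server advertises
WebDAV (a DAV response header, or WebDAV methods in the Allow header),
as seen on CQ/CRX installs that expose WebDAV on the HTTP port.
]]

author = "example (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Assumption: run against anything Nmap identifies as HTTP; a
-- CQ/CRX-specific port list could be substituted here.
portrule = shortport.http

-- WebDAV-only methods (RFC 4918); PROPFIND is the usual tell.
local DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

action = function(host, port)
  -- Optional script arg (assumed name) to probe a specific path; defaults to "/".
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
  local resp = http.generic_request(host, port, "OPTIONS", path)
  if not resp or not resp.status then
    return nil
  end

  local out = {}
  -- Nmap's http library lowercases header names.
  if resp.header["dav"] then
    table.insert(out, "DAV header: " .. resp.header["dav"])
  end
  if resp.header["allow"] then
    local found = {}
    local allow = string.upper(resp.header["allow"])
    for _, m in ipairs(DAV_METHODS) do
      if string.find(allow, m, 1, true) then
        table.insert(found, m)
      end
    end
    if #found > 0 then
      table.insert(out, "WebDAV methods allowed: " .. table.concat(found, ", "))
    end
  end

  if #out == 0 then return nil end
  return stdnse.format_output(true, out)
end
```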
