o [NSE] Applied patch that corrects an issue where the http-method-tamper

script would fail to properly detect JBoss servers vulnerable to the CVE-2010-0738 vulnerability. [Hani Benhabiles]
2025-12-08 05:31:31 +00:00 · 2011-12-08 19:04:42 +00:00
parent 682a9a746b
commit 25a54f58cb
3 changed files with 10 additions and 3 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Applied patch that corrects an issue where the http-method-tamper
+  script would fail to properly detect JBoss servers vulnerable to the
+  CVE-2010-0738 vulnerability. [Hani Benhabiles]
+
 o [NSE] Added a new httpspider library and the script http-email-harvest that
  collects e-mail addresses by spidering a website. [Patrik]

--- a/scripts/http-method-tamper.nse
+++ b/scripts/http-method-tamper.nse
@@ -29,7 +29,7 @@ author = "Hani Benhabiles <kroosec@gmail.com>"

 license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-categories = {"safe", "auth"}
+categories = {"safe", "auth", "vuln"}

 require 'shortport'
 require 'http'
@@ -55,7 +55,10 @@ action = function(host, port)
        -- Checks if HTTP authentication or a redirection to a login page is applied.
        if getstatus == 401 or getstatus == 302 then
            local headstatus = http.head(host, port, path).status
-            if headstatus == 200 then
+            if headstatus == 500 and path == "/jmx-console/" then
+                -- JBoss authentication bypass.
+                table.insert(result, ("%s: Vulnerable to CVE-2010-0738."):format(path))
+            elseif headstatus == 200 then
                -- Vulnerable to authentication bypass.
 				table.insert(result, ("%s: Authentication bypass possible"):format(path))
            end
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -105,7 +105,7 @@ Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive",
 Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-majordomo2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-malware-host.nse", categories = { "malware", "safe", } }
-Entry { filename = "http-method-tamper.nse", categories = { "auth", "safe", } }
+Entry { filename = "http-method-tamper.nse", categories = { "auth", "safe", "vuln", } }
 Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
 Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }