From 8712cbf9a219275a0161ce807cc91ec6b1f8ea29 Mon Sep 17 00:00:00 2001
From: david
Date: Thu, 22 Aug 2019 23:08:31 +0000
Subject: [PATCH] Fix /author/.../feed/ capture in http-wordpress-users.nse.
Patch by Duarte. https://seclists.org/nmap-dev/2019/q3/17 The regular expression for the case when the server returns a 200 HTTP status is too open, it needs to be more specific. When there is a link similar to the feed link that occurs before the feed link, the expression will include everything between that initial link and the feed link. To fix this, the group that matches/captures the author username will only do so until it finds a forward slash.
---
 CHANGELOG | 3 +++
 scripts/http-wordpress-users.nse | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 332b4334b..ae5ef412a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,9 @@ o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
 authentication but the server does not provide the necessary
 authentication header. [nnposter]
+o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
+ extraneous output to be captured as part of a username. [Duarte Silva]
+
 Nmap 7.80 [2019-08-10]
 o [Windows] The Npcap Windows packet capturing library (https://npcap.org/)
diff --git a/scripts/http-wordpress-users.nse b/scripts/http-wordpress-users.nse
index 1f6a5e748..30b8270c2 100644
--- a/scripts/http-wordpress-users.nse
+++ b/scripts/http-wordpress-users.nse
@@ -64,7 +64,7 @@ local function get_wp_user(host, port, path, id)
 elseif req.status == 200 then
 -- Users with no posts get a 200 response, but the name is in an RSS link.
 -- http://seclists.org/nmap-dev/2011/q3/812
- local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/')
+ local _, _, user = string.find(req.body, 'https?://.-/author/([^/]+)/feed/')
 return user
 end
end
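Review bot: The new capture `[^/]+` in the string.find pattern still accepts any byte other than `/` — quotes, angle brackets, whitespace, newlines — so a malformed or deliberately odd page can still place markup or control characters into `user`, which the script returns as output; since an author feed link is a URL path segment, a tighter class such as `[%w%-%._~%%]+` (URL-unreserved characters plus percent-encoding) would bound the value to plausible usernames while keeping the fix. The leading `.-` after `https?://` also spans newlines and tags in Lua patterns, which is harmless for the capture now but worth a short comment, e.g. `-- [^/]+ confines the capture to one path segment; .- could swallow an earlier, similar link`. Whether WordPress author slugs ever contain characters outside that narrower class is something to verify before tightening it. The enclosing get_wp_user begins outside the hunk.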