mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00

Fix /author/.../feed/ capture in http-wordpress-users.nse.

Patch by Duarte.
https://seclists.org/nmap-dev/2019/q3/17

The regular expression for the case when the server returns a 200 HTTP
status is too open; it needs to be more specific.

When there is a link similar to the feed link that occurs before the
feed link, the expression will include everything between that initial
link and the feed link.

To fix this, the group that matches/captures the author username will
only do so until it finds a forward slash.
david
2019-08-22 23:08:31 +00:00
parent 862054bf5d
commit 8712cbf9a2
2 changed files with 4 additions and 1 deletions
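
The over-capture described in the commit message, reproduced with the old and new Lua patterns on a constructed page body. This is an added example, not code from the Nmap project; the HTML, the host name `blog.example`, the user names and the helper `capture()` are assumptions made for illustration.

```lua
-- Constructed sample body (not from a real site): a plain author link
-- appears before the RSS feed link that carries the username we want.
local body = [[
<a href="http://blog.example/author/alice/">Alice</a>
<link rel="alternate" type="application/rss+xml"
      href="http://blog.example/author/bob/feed/" />
]]

-- The two patterns from the diff.
local OLD = 'https?://.-/author/(.-)/feed/'
local NEW = 'https?://.-/author/([^/]+)/feed/'

-- Hypothetical helper: return the first capture of a pattern, or nil.
local function capture(pattern, text)
  local _, _, user = string.find(text, pattern)
  return user
end

-- Old pattern: matching starts at the first URL, and the lazy (.-) keeps
-- growing across markup and newlines until some "/feed/" finally appears.
local old_user = capture(OLD, body)
assert(old_user:find("^alice/"), "capture starts in the first link")
assert(old_user:find("<link", 1, true), "capture swallowed HTML markup")
assert(old_user:sub(-3) == "bob", "capture ends in the feed link")

-- New pattern: [^/]+ cannot cross a slash, so "alice" is rejected because
-- it is not followed by "/feed/", and the match settles on the feed link.
local new_user = capture(NEW, body)
assert(new_user == "bob")

-- With only the feed link present, both patterns agree.
local feed_only = '<link href="https://blog.example/author/carol/feed/" />'
assert(capture(OLD, feed_only) == "carol")
assert(capture(NEW, feed_only) == "carol")

print(("old capture: %d bytes, new capture: %q"):format(#old_user, new_user))
```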


@@ -13,6 +13,9 @@ o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
authentication but the server does not provide the necessary authentication
header. [nnposter]
o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
extraneous output to be captured as part of a username. [Duarte Silva]
Nmap 7.80 [2019-08-10]
o [Windows] The Npcap Windows packet capturing library (https://npcap.org/)
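Review bot: The new entry for http-wordpress-users.nse says only that "extraneous output" could be captured and does not say when. Consider naming the affected case (a 200 response where the username is read from the /author/.../feed/ link) and citing the nmap-dev thread from the commit message, the way the entry above it cites GH#1665.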


@@ -64,7 +64,7 @@ local function get_wp_user(host, port, path, id)
elseif req.status == 200 then
-- Users with no posts get a 200 response, but the name is in an RSS link.
-- http://seclists.org/nmap-dev/2011/q3/812
local _, _, user = string.find(req.body, 'https?://.-/author/(.-)/feed/')
local _, _, user = string.find(req.body, 'https?://.-/author/([^/]+)/feed/')
return user
end
end
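Review bot: In the replacement string.find pattern, `([^/]+)` stops at the next slash but still accepts quotes, whitespace and angle brackets, and the leading `https?://.-` stays lazy over any character, so the match can still begin at an earlier unrelated URL and run across markup before reaching `/author/`. Consider restricting both pieces to characters that can occur inside a single URL (for instance excluding `"`, `'`, `<`, `>` and `%s`), and extending the comment above the call to cite the 2019 nmap-dev thread next to the 2011 one.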