From 93edeefa3c7bf8d55928ecf64c5abef82e28a904 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 17 Oct 2018 20:21:05 +0000
Subject: [PATCH] Fix false positive in http-phpmyadmin-dir-traversal. Closes #1359
---
 CHANGELOG | 6 ++++++
 scripts/http-phpmyadmin-dir-traversal.nse | 13 +++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index f232df27c..68b5577b5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,11 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the
+ server responds with 200 status to a POST request to any URI. [Francesco Soncina]
+
+o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that
+ testing could not rule out vulnerability. [Daniel Miller]
+
 o [NSE] New rand.lua library uses the best sources of random available on the system to generate random strings. [Daniel Miller]
diff --git a/scripts/http-phpmyadmin-dir-traversal.nse b/scripts/http-phpmyadmin-dir-traversal.nse
index 5103870dc..27cfa0317 100644
--- a/scripts/http-phpmyadmin-dir-traversal.nse
+++ b/scripts/http-phpmyadmin-dir-traversal.nse
@@ -1,3 +1,4 @@
+local rand = require "rand"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
@@ -116,11 +117,19 @@ action = function(host, port)
 }
 local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
- local response = http.post(host, port, evil_uri,
+ -- Check if we can distinguish vulnerable from non-vulnerable response
+ local response = http.post(host, port, "/" .. rand.random_alpha(12),
+ {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata)
+ local testable = true
+ if response.status == 200 then
+ testable = false
+ stdnse.debug1("Server responds with 200 for POST to any URI.")
+ end
+ response = http.post(host, port, evil_uri,
 {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata)
 if response.body and response.status==200 then
 stdnse.debug1("response : %s", response.body)
- vuln.state = vulns.STATE.EXPLOIT
+ vuln.state = testable and vulns.STATE.EXPLOIT or vulns.STATE.UNKNOWN
 vuln.extra_info = rfile.." :\n"..response.body
 if filewrite then
 local status, err = write_file(filewrite, response.body)
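Review bot: The canary response from `http.post(host, port, "/" .. rand.random_alpha(12), ...)` is overwritten by the real request after only its status code has been read, yet its body is the one piece of data that can separate a catch-all 200 page from a traversal result; as written, a server that returns the same page for every POST still gets that page attached to `vuln.extra_info` and written out via `write_file(filewrite, response.body)`, merely relabelled STATE.UNKNOWN. Keeping the canary in its own local and comparing `canary.body` with `response.body` lets the script drop the identical-page case and reserve UNKNOWN for bodies that actually differ (pages that differ only in dynamic content still fall through to UNKNOWN, so this only reduces noise), as sketched below; the `filewrite` branch, not shown, should be gated the same way. `response.status == 200` is also false when the canary request itself fails (status presumably nil), which silently leaves `testable = true`, so a comment such as `-- only a 200 from the canary disables the status-based check; a failed canary request leaves it enabled` would record that this is deliberate. The enclosing `action` function begins before this hunk and continues after it, so the script's normal no-finding path is not visible here and NOT_VULN below assumes it matches what the non-200 path assigns.
```lua
  local canary = http.post(host, port, "/" .. rand.random_alpha(12),
    {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata)
  -- Only a 200 from the canary disables the status-based check; a failed
  -- canary request (no status) leaves it enabled.
  local testable = canary.status ~= 200
  if not testable then
    stdnse.debug1("Server responds with 200 for POST to any URI.")
  end
  local response = http.post(host, port, evil_uri,
    {header = {["Content-Type"] = "application/x-www-form-urlencoded"}}, nil, evil_postdata)
  if response.body and response.status==200 then
    stdnse.debug1("response : %s", response.body)
    if not testable and canary.body == response.body then
      -- Same page as the canary: the traversal request read nothing, so do
      -- not attach it as evidence.
      vuln.state = vulns.STATE.NOT_VULN
    else
      vuln.state = testable and vulns.STATE.EXPLOIT or vulns.STATE.UNKNOWN
      vuln.extra_info = rfile.." :\n"..response.body
    end
    -- … unchanged: filewrite handling …
```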