From be66ffd38a3759d395d1ebe6251cb5a0d2eaaa5b Mon Sep 17 00:00:00 2001 From: vinamra Date: Thu, 1 Jun 2017 20:27:45 +0000 Subject: [PATCH] Solves the bug #878. Closes #885 --- scripts/http-vuln-cve2017-5689.nse | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/scripts/http-vuln-cve2017-5689.nse b/scripts/http-vuln-cve2017-5689.nse index 2cad15a54..3095d99bd 100644 --- a/scripts/http-vuln-cve2017-5689.nse +++ b/scripts/http-vuln-cve2017-5689.nse @@ -111,13 +111,15 @@ digest parameter. if response.header['server'] and response.header['server']:find('Intel(R)', 1, true) and response.status and response.status == 401 then local www_authenticate = http.parse_www_authenticate(response.header['www-authenticate']) - local auth_header = string.format("Digest username=\"admin\", realm=\"%s\", nonce=\"%s\", uri=\"index.htm\"," .. - "cnonce=\"%s\", nc=1, qop=\"auth\", response=\"\"", www_authenticate[1]['params']['realm'], - www_authenticate[1]['params']['nonce'], stdnse.generate_random_string(10)) - local opt = { header = { ['Authorization'] = auth_header } } - response = http.get(host, port, '/index.htm', opt) - if response.status and response.status == 200 then - vuln.state = vulns.STATE.VULN + if www_authenticate[1]['params'] and www_authenticate[1]['params']['realm'] and www_authenticate[1]['params']['nonce'] then + local auth_header = string.format("Digest username=\"admin\", realm=\"%s\", nonce=\"%s\", uri=\"index.htm\"," .. + "cnonce=\"%s\", nc=1, qop=\"auth\", response=\"\"", www_authenticate[1]['params']['realm'], + www_authenticate[1]['params']['nonce'], stdnse.generate_random_string(10)) + local opt = { header = { ['Authorization'] = auth_header } } + response = http.get(host, port, '/index.htm', opt) + if response.status and response.status == 200 then + vuln.state = vulns.STATE.VULN + end end end