replaced so that all NSE modules will have strict declared global checking at
runtime. This should catch most developer errors early. Please see [1] for
further reference into the problem.
[1] http://seclists.org/nmap-dev/2009/q3/0070.html
is not in the registry. That function is called indirectly by
nmap.verbosity, which may be called before _R["NSE_SELECTED_BY_NAME"]
has been given a value. I was getting this error with any script scan:
NSE: failed to initialize the script engine:
attempt to call a nil value
stack traceback:
[C]: in function 'verbosity'
./nse_main.lua:136: in function 'print_verbose'
./nse_main.lua:680: in main chunk
[C]: ?
QUITTING!
server with a date in 2007 was producing the output
|_ http-date: Sun, 07 Jan 2007 08:17:36 GMT; -918d13h46m40s from local time.
Now it is
|_ http-date: Sun, 07 Jan 2007 09:01:44 GMT; -2y187d13h46m40s from local time.
parses an HTTP date in any of three possible formats.
http-date.nse gets the Date: header field value from and HTTP server,
then displays it with how much it differs from local time.
o A bug in Nsock was fixed: On systems where a nonblocking connect
could succeed immediately, connections that were requested to be
tunnelled through SSL would actually be plain text. This could be
verified with an Ncat client and server running on localhost. This
was observed to happen with localhost connections on FreeBSD 7.2.
Non-localhost connections were likely not affected. The bug was
reported by Daniel Roethlisberger. [David]
have their verbosity level automatically increased by one. Many
will print negative results ("no infection found") at a higher
verbosity level. The idea is that if you ask for a script
specifically, you are more interested in such results.
was that if a host had multiple addresses of the same type, they should
be sorted numerically, not alphabetically. So 20.0.0.1 should come
before 100.0.0.1. But the way Nmap works, I don't think a host can have
more than one address of the same type, and it's not worth the code it
would take to make them sort properly if it did.
so that read errors for both can be handled in the same place. SSL_read
errors were not being handled at all, which would cause the Ncat broker
to use 100% CPU after a client disconnected. The problem was reported by
Kris at http://seclists.org/nmap-dev/2009/q2/0840.html.
default when a socket error occurs. This used to require -v, but
printing no message at all could make a failed connection look like
success in a case like
ncat remote < short-file
http.lua. Previously the code was not careful about checking its input,
and would loop forever if it got something non-hex where it expected a
hex chunk-size. See http://seclists.org/nmap-dev/2009/q3/0013.html.
This code raises an error whenever decoding fails for whatever reason.
It also handles chunk extensions. The reference is section 3.6.1 of
RFC 2616.
