#VERSION,2.00 #LASTMOD,11.10.2007 ############################################################################### # Copyright (C) 2006 CIRT, Inc. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; version 2 # of the License only. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ############################################################################### ############################################################################### # PURPOSE # HTTP options check ############################################################################### # This just gets the HTTP options & checks 'em out. # See RFC 2626 for more info... sub nikto_httpoptions { # test for both OPTIONS / and OPTIONS * as they may give different results (my $RES, $CONTENT) = fetch("*", "OPTIONS"); my $aoptions = "$result{allow}, "; my $poptions = "$result{public}, "; my ($allow_methods, $public_methods, $txt); ($RES, $CONTENT) = fetch("/", "OPTIONS"); $aoptions .= $result{allow}; $poptions .= $result{public}; foreach my $o (split(/,[ ]?/, $aoptions)) { $allow_methods .= ", $o" unless ($allow_methods =~ /\b$o\b/ || $o eq ''); } $allow_methods =~ s/^[ ]?, //; foreach my $o (split(/,[ ]?/, $poptions)) { $public_methods .= ", $o" unless ($public_methods =~ /\b$o\b/ || $o eq ''); } $public_methods =~ s/^[ ]?, //; # proxy can impose it's methods... should actually check this not just warn if ($CLI{useproxy} ne "") { $txt="(May be proxy's methods, not server's)"; } if ($allow_methods ne "") { nprint("+ Allowed HTTP Methods: $allow_methods $txt"); foreach my $m (split/,? /, $allow_methods) { eval_methods($m,"Allow"); } } if ($public_methods ne "") { nprint("+ Public HTTP Methods: $public_methods $txt"); foreach my $m (split/,? /, $public_methods) { eval_methods($m,"Public"); } } return; } sub eval_methods { my $method=$_[0] || return; my $type=$_[1]; $method=uc($method); my $prefix="HTTP method ('$type' Header):"; if ($method eq "CONNECT") { nprint("+ OSVDB-0: $prefix 'CONNECT' may allow server to proxy client requests."); } elsif ($method eq "MOVE") { nprint("+ OSVDB-5647: $prefix 'MOVE' may allow clients to change file locations on the web server.", "", "kb"); } elsif ($method eq "PROPFIND") { nprint("+ OSVDB-13431: $prefix 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.", "", "kb"); } elsif ($method eq "SEARCH") { nprint("+ OSVDB-425: $prefix 'SEARCH' indicates DAV/WebDAV is installed, and may be used to get directory listings if Index Server is running.", "", "kb"); } elsif ($method eq "PUT") { nprint("+ OSVDB-397: $prefix 'PUT' method could allow clients to save files on the web server.", "", "kb"); } elsif ($method eq "TRACE") { nprint("+ OSVDB-877: $prefix 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.", "", "kb"); } elsif ($method eq "PROPPATCH") { nprint("+ OSVDB-425: $prefix 'PROPPATCH' indicates DAV/WebDAV is installed.", "", "kb"); } elsif ($method eq "DELETE") { nprint("+ OSVDB-5646: $prefix 'DELETE' may allow clients to remove files on the web server.", "", "kb"); } elsif ($method eq "TRACK") { nprint("+ OSVDB-5648: $prefix 'TRACK' ('TRACE' alias) is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.","","kb"); } } 1;