Hax0rG1rl / skipfish

Automatically exported from code.google.com/p/skipfish

embedded url authentication credentials are not detected properly. #58

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

Analysis of parse_url indicates that the method of scanning for an
authentication credential in the URI supplied will not succeed as line 22
will report the : in the credential set, causing the check on line 224 to
miss the detected credential.

Found in 1.27, verified in 1.31.

Steps to reproduce:
Compile skipfish.
Copy index.html (attached) to a web server.
Scan it:
./skipfish -o test1 -W dictionaries/default.wl http://localhost/index.html

The diff below is a simple fix that I implemented to verify the issue. 
test3 illustrates the result with the patch below applied.

diff:
--- ../skip-orig/skipfish/http_client.c    2010-04-14 21:50:31.930303194 -0700
+++ http_client.c    2010-04-14 21:50:30.250175818 -0700
@@ -219,10 +219,10 @@
        wordlists into account. Be sure to report any embedded auth, though. */

     at_sign = (u8*)strchr((char*)cur, '@');
-    
+
     path_st = strcspn((char*)cur, ":/?#");

-    if (at_sign && path_st > (at_sign - cur)) {
+    if (at_sign) {   
       cur = at_sign + 1;
       if (!req->pivot) return 1;
       problem(PROB_URL_AUTH, ref, 0, url, req->pivot, 0);
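Review bot: dropping the `path_st > (at_sign - cur)` guard in the new `if (at_sign) {` line makes any '@' after the scheme count as embedded credentials, and the unchanged `cur = at_sign + 1;` then moves the parse position past the real host for a URL whose path or query merely contains an '@'. The defect the report describes is one line up: the strcspn() stop set `":/?#"` includes ':', so for `user:pass@host` the scan stops at the credential's own colon and the guard never holds. Keep the guard and instead compute `path_st = strcspn((char*)cur, "/?#");` so the scan stops at the first path/query/fragment delimiter; that detects the `user:pass@` case without mis-parsing hosts. The `-    `/`+` pair at the top of the hunk only strips trailing whitespace and is unrelated to the fix.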

Original issue reported on code.google.com by yvanbo...@gmail.com on 15 Apr 2010 at 5:33

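To make the behaviour in the report concrete, here is an added stand-alone C example (not skipfish's own code) that reimplements the credential scan with the strcspn() stop set as a parameter, so the original `":/?#"` set and a set without ':' can be compared on constructed sample URLs:

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the credential scan in skipfish's parse_url (http_client.c):
   after the scheme, look for '@' and count it as the end of a userinfo
   block only if it sits before the first path/query/fragment delimiter.
   'stop_set' is the strcspn() character set used to find that delimiter,
   so the same routine can show both the buggy and the corrected scan. */
static int url_has_embedded_auth(const char *url, const char *stop_set) {
  const char *cur = strstr(url, "://");
  if (!cur) return 0;          /* no scheme: not a URL this check handles */
  cur += 3;                    /* cur now points at the authority part */

  const char *at_sign = strchr(cur, '@');
  size_t path_st = strcspn(cur, stop_set);

  /* Only an '@' before the first delimiter belongs to userinfo; an '@'
     later in the string (path or query) is ordinary data. */
  return at_sign && path_st > (size_t)(at_sign - cur);
}

/* Original set includes ':', so "user:pass@host" stops at the credential's
   own ':' and the '@' is never counted (the reported bug). */
int has_auth_buggy(const char *url) { return url_has_embedded_auth(url, ":/?#"); }

/* Without ':' in the set the scan stops at the real start of the path, so
   userinfo containing ':' is detected, while an '@' inside the query still
   does not trigger and the host is not mis-parsed. */
int has_auth_fixed(const char *url) { return url_has_embedded_auth(url, "/?#"); }

int main(void) {
  /* Constructed sample URLs, not taken from the report. */
  const char *samples[] = {
    "http://user:pass@localhost/index.html",
    "http://user@localhost:8080/index.html",
    "http://localhost/index.html",
    "http://localhost/contact?mail=someone@example.org",
  };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    printf("%-50s buggy=%d fixed=%d\n", samples[i],
           has_auth_buggy(samples[i]), has_auth_fixed(samples[i]));
  return 0;
}
```

The second sample shows why the bug was easy to miss: a user name without a password has no ':' before the '@', so even the original scan flags it.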
GoogleCodeExporter commented 9 years ago
Thanks. This should be fixed in 1.32b, coming soon. The patch you included isn't exactly right (it will also trigger if @ is present later in the URL, and will cause incorrect parsing of the host name), but I think I got it right.

Original comment by lcam...@gmail.com on 19 Apr 2010 at 4:11