search

epi052 / feroxbuster

A fast, simple, recursive content discovery tool written in Rust.
https://epi052.github.io/feroxbuster/
MIT License
5.54k stars 467 forks source link

[BUG] Update fails in networks with self-signed certs in cert chain #1148

Open L1-0 opened 1 month ago

L1-0 commented 1 month ago

Describe the bug When i want to update ferox in a network with a firewall with packet inspection this is not possible nor overridable with the -k flag.

To Reproduce Steps to reproduce the behavior: Have an outdated version of feroxbuster Have a network where the ssl cert is self signed

Expected behavior The update should go through after informing the user of potential risks.

Traceback / Error Output

└─$ sudo feroxbuster --update
Checking target-arch... x86_64-linux
Checking current version... v2.10.2
Checking latest released version... v2.10.3
New release found! v2.10.2 --> v2.10.3
New release is compatible

feroxbuster release status:
  * Current exe: "/usr/bin/feroxbuster"
  * New exe release: "x86_64-linux-debug-feroxbuster.1.zip"
  * New exe download url: "https://api.github.com/repos/epi052/feroxbuster/releases/assets/164584332"

The new release will be downloaded/extracted and the existing binary will be replaced.
Do you want to continue? [Y/n] y
Downloading...

[ERROR] ReqwestError: error sending request for url (https://api.github.com/repos/epi052/feroxbuster/releases/assets/164584332): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091: (self-signed certificate in certificate chain)
└─$ feroxbuster -k --update
error: the argument '--update' cannot be used with one or more of the other specified arguments

Usage: feroxbuster [OPTIONS]

For more information, try '--help'.

Environment (please complete the following information):

Additional context The user should be able to override this error.

epi052 commented 3 weeks ago

agreed, it would be nice if -k overrode that behavior. Unfortunately, the update feature is provided by the self_update crate, which doesn't expose the ability to ignore certs.

there are two possibilites to address this shortcoming:

  1. submit a feature request to the self_update repo and see what happens
  2. stop relying on the crate and build a custom updater

The first option is definitely preferable. I'll throw an issue in their repo and see what happens.

thanks for the suggestion!

epi052 commented 3 weeks ago

Actually, looking into their source code, it looks like it will respect some ssl env vars. Can you give those a try and see if you can update that way?

/// Set ssl cert env. vars to make sure openssl can find required files
macro_rules! set_ssl_vars {
    () => {
        #[cfg(target_os = "linux")]
        {
            if ::std::env::var_os("SSL_CERT_FILE").is_none() {
                ::std::env::set_var("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt");
            }
            if ::std::env::var_os("SSL_CERT_DIR").is_none() {
                ::std::env::set_var("SSL_CERT_DIR", "/etc/ssl/certs");
            }
        }
    };
}