infobyte / faraday

Open Source Vulnerability Management Platform
https://www.faradaysec.com
GNU General Public License v3.0
5.07k stars 918 forks source link

Nexpose Reports (1.0 and 2.0) not loading #50

Closed NoahJaehnert closed 8 years ago

NoahJaehnert commented 9 years ago

Hello,

I placed my latest Nexpose report in ~/.faraday/report/workspace/ and when starting up Faraday, I receive the following error messages:

2015-10-09 10:55:10,941 - faraday.model.api - DEBUG - Report file is /user/.faraday/report/untitled/report2.xml
2015-10-09 10:55:11,334 - faraday.model.api - DEBUG - nexpose-full
2015-10-09 10:55:11,337 - faraday.model.api - DEBUG - The file is /user/.faraday/report/untitled/report2.xml, nexpose-full
2015-10-09 10:55:11,337 - faraday.model.api - DEBUG - Executing ./nexpose-full /user/.faraday/report/untitled/report2.xml
2015-10-09 10:55:11,350 - faraday.FileSystemConnector - DEBUG - Saving document in local db /user/.faraday/persistence/untitled
2015-10-09 10:55:12,040 - faraday.model.api - DEBUG - An exception was captured while saving reports
Traceback (most recent call last):
  File "/user/faraday-dev/managers/reports_managers.py", line 48, in run
    self.syncReports()
  File "/user/faraday-dev/managers/reports_managers.py", line 96, in syncReports
    client.send_output(command_string, filename)
  File "/user/faraday-dev/apis/rest/api.py", line 373, in send_output
    headers=self.headers)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 109, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(32, 'Broken pipe'))

Any ideas why this might be/what can be done to fix this?

f-amato commented 9 years ago

Hi @NoahJaehnert thanks for reporting this

Could you please try to run faraday with "-d" ./faraday.py -d and give us the output. I recommend configuring couchdb which is faster. Take a look at this to configure it: https://github.com/infobyte/faraday/wiki/Couchdb

Best

NoahJaehnert commented 9 years ago

1) This was the output of running faraday in debug mode... Is there something specific you were looking for? 2) I had already configured CouchDB... Is there something else I need to do?

On Oct 9, 2015, at 11:17, Francisco Amato notifications@github.com wrote:

Hi @NoahJaehnert thanks for reporting this

Could you please try to run faraday with "-d" ./faraday.py -d and give us the output. I recommend configuring couchdb which is faster. Take a look at this to configure it: https://github.com/infobyte/faraday/wiki/Couchdb

Best

— Reply to this email directly or view it on GitHub.

micabot commented 9 years ago

@NoahJaehnert can you please send us the output of running cat to your user config file located in $HOME/.faraday/config/user.xml? From what I see in your logs Faraday isn't working against Couch, which is odd. Are you running Faraday as a user or root?

NoahJaehnert commented 9 years ago

Running faraday as Root on Kali Linux. Cat of the user config is below (tried to attach as a .txt but GitHub wasn't happy with that):

<faraday>
  <api_con_info_host>localhost</api_con_info_host>
  <api_con_info_port>9876</api_con_info_port>
  <api_restful_con_info_port>9977</api_restful_con_info_port>
  <appname>Faraday - Penetration Test IDE Community</appname>
  <auth algorithm="OTR" encrypted="no" />
  <auto_share_workspace>1</auto_share_workspace>
  <config_path>/root/.faraday/</config_path>
  <data_path>/root/.faraday/data</data_path>
  <debug_status>1</debug_status>
  <default_category>General</default_category>
  <default_temp_path>/root/.faraday/temp/</default_temp_path>
  <font>-Misc-Fixed-medium-r-normal-*-12-100-100-100-c-70-iso8859-1</font>
  <home_path>/root/</home_path>
  <host_tree_toggle />
  <hstactions_path>/root/.faraday/hstactions.dat</hstactions_path>
  <icons_path>/root/.faraday/images/icons/</icons_path>
  <image_path>/root/.faraday/images/</image_path>
  <log_console_toggle />
  <network_location>LAN</network_location>
  <persistence_path>/root/.faraday/persistence/</persistence_path>
  <perspective_view>/root/.faraday/persistence/</perspective_view>
  <repo_password />
  <repo_url type="SVN" />
  <repo_user>u</repo_user>
  <report_path>/root/.faraday/report/</report_path>
  <shell_maximized>0</shell_maximized>
  <last_workspace>untitled</last_workspace>
  <couch_uri>http://127.0.0.1:5984</couch_uri>
  <couch_is_replicated>True</couch_is_replicated>
  <couch_replics />
  <version>1.0.15</version>
  <plugin_settings>{"Retina": {"description": "", "version": "Retina Network 5.19.2.2718", "name": "Retina XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Openvas": {"description": "", "version": "2.0", "name": "Openvas XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "NexposeFull": {"description": "", "version": "Nexpose Enterprise 5.7.19", "name": "Nexpose XML 2.0 Report Plugin", "plugin_version": "0.0.1", "settings": {}}, "Qualysguard": {"description": "", "version": "Qualysguard", "name": "Qualysguard XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "MetasploitOn": {"description": "", "version": "Metasploit 4.10.0", "name": "Metasploit Online Service Plugin", "plugin_version": "0.0.2", "settings": {"Enable": "0", "Database": "msf3", "Wordspace": "%%", "Server": "localhost", "User": "msf3", "Password": "EKO-1919755b", "Port": "7337"}}, "Arachni": {"description": "", "version": "0.4.5.2", "name": "Arachni XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "Acunetix": {"description": "", "version": "9", "name": "Acunetix XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Webfuzzer": {"description": "", "version": "0.2.0", "name": "Webfuzzer Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "faraday": {"description": "", "version": "1.0.0", "name": "Faraday Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "Nessus": {"description": "", "version": "5.2.4", "name": "Nessus XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Sqlmap": {"description": "", "version": "1.0-dev-6bcc95", "name": "Sqlmap", "plugin_version": "0.0.2", "settings": {"Sqlmap path": "/root/tools/sqlmap"}}, "ftp": {"description": "", "version": "0.17", "name": "Ftp", "plugin_version": "0.0.1", "settings": {}}, "Listurls": {"description": "", "version": "6.3", "name": "Listurls XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Beef": {"description": "", "version": "0.4.4.9-alpha", "name": "BeEF Online Service Plugin", "plugin_version": "0.0.1", "settings": {"Authkey": "c818c7798ae1da38b45a6406c8dd0d6d4d007098", "Host": "http://127.0.0.1:3000/", "Enable": "0"}}, "Wapiti": {"description": "", "version": "2.2.1", "name": "Wapiti XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Netsparker": {"description": "", "version": "Netsparker 3.1.1.0", "name": "Netsparker XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Nikto": {"description": "", "version": "2.1.5", "name": "Nikto XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "pasteAnalyzer": {"description": "", "version": null, "name": "pasteAnalyzer JSON Output Plugin", "plugin_version": "1.0.0", "settings": {}}, "W3af": {"description": "", "version": "1.7.6", "name": "W3af XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "ping": {"description": "", "version": "1.0.0", "name": "Ping", "plugin_version": "0.0.1", "settings": {}}, "Telnet": {"description": "", "version": "0.17", "name": "Telnet", "plugin_version": "0.0.1", "settings": {}}, "Dnsmap": {"description": "", "version": "0.30", "name": "Dnsmap XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Burp": {"description": "", "version": "1.6.05 BurpPro", "name": "Burp XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "arp-scan": {"description": "", "version": "1.8.1", "name": "arp-scan network scanner", "plugin_version": "0.0.1", "settings": {}}, "Fierce": {"description": "", "version": "0.9.9", "name": "Fierce Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "X1": {"description": "", "version": "Onapsis X1 2.56", "name": "Onapsis X1 XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Amap": {"description": "", "version": "5.4", "name": "Amap Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "Metasploit": {"description": "", "version": "4.7.2", "name": "Metasploit XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Masscan": {"description": "", "version": "1.0.3", "name": "Masscan Output Plugin", "plugin_version": "0.0.1", "settings": {"Scan Technique": "-sS"}}, "Sslcheck": {"description": "", "version": "0.30", "name": "Sslcheck XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "peepingtom": {"description": "", "version": "02.19.15", "name": "PeepingTom", "plugin_version": "0.0.1", "settings": {}}, "Metagoofil": {"description": "", "version": "2.2", "name": "Metagoofil XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Medusa": {"description": "", "version": "2.1.1", "name": "Medusa Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Goohost": {"description": "", "version": "v.0.0.1", "name": "Goohost XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Theharvester": {"description": "", "version": "2.2a", "name": "Theharvester XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "sshdefaultscan": {"description": "", "version": "1.0.0", "name": "sshdefaultscan", "plugin_version": "0.0.1", "settings": {}}, "Core Impact": {"description": "", "version": "Core Impact 2013R1", "name": "Core Impact XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "whois": {"description": "", "version": "5.0.20", "name": "Whois", "plugin_version": "0.0.1", "settings": {}}, "Reverseraider": {"description": "", "version": "0.7.6", "name": "Reverseraider XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "propecia": {"description": "", "version": "1.0", "name": "propecia port scanner", "plugin_version": "0.0.1", "settings": {}}, "Dnsrecon": {"description": "", "version": "0.8.7", "name": "Dnsrecon XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "Hydra": {"description": "", "version": "7.5", "name": "Hydra XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Nmap": {"description": "", "version": "6.40", "name": "Nmap XML Output Plugin", "plugin_version": "0.0.2", "settings": {"Scan Technique": "-sS"}}, "Skipfish": {"description": "", "version": "2.1.5", "name": "Skipfish XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "Wcscan": {"description": "", "version": "0.30", "name": "Wcscan XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Maltego": {"description": "", "version": "3.0.4", "name": "Maltego XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Dnswalk": {"description": "", "version": "2.0.2", "name": "Dnswalk XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Nexpose": {"description": "", "version": "Nexpose Enterprise 5.7.19", "name": "Nexpose XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}, "Zap": {"description": "", "version": "2.2.2", "name": "Zap XML Output Plugin", "plugin_version": "0.0.2", "settings": {}}, "Dnsenum": {"description": "", "version": "1.2.2", "name": "Dnsenum XML Output Plugin", "plugin_version": "0.0.1", "settings": {}}}</plugin_settings>
  <updates_uri>https://www.faradaysec.com/scripts/updates.php</updates_uri>
  <tickets_uri>https://www.faradaysec.com/scripts/listener.php</tickets_uri>
  <tickets_api>{}</tickets_api>
  <tickets_template>{}</tickets_template>
</faraday>
f-amato commented 9 years ago

From the configuration I can figure out that you still using "untitled" filesystem workspace, you have to create a workspace on couch and try to import the nexpose report there. For the creation of workspace using GUI Web go to: https://github.com/infobyte/faraday/wiki/Manage-Workspaces If you want to create it using QT interface go to: Workspace -> Create (Select type CouchDB) Let me know if this help you! Best

NoahJaehnert commented 9 years ago

Still not working after I created a new workspace and put the report there...

2015-10-15 12:40:34,375 - faraday.model.api - DEBUG - Report file is /root/.faraday/report/newworkspace/report2.xml
2015-10-15 12:40:34,421 - faraday.model.api - DEBUG - nexpose-full
2015-10-15 12:40:34,424 - faraday.model.api - DEBUG - The file is /root/.faraday/report/newworkspace/report2.xml, nexpose-full
2015-10-15 12:40:34,425 - faraday.model.api - DEBUG - Executing ./nexpose-full /root/.faraday/report/newworkspace/report2.xml
2015-10-15 12:40:34,433 - faraday.CouchDbConnector - DEBUG - Saving document in couch db <Database newworkspace>
2015-10-15 12:40:35,098 - faraday.model.api - DEBUG - An exception was captured while saving reports
Traceback (most recent call last):
  File "/root/faraday-dev/managers/reports_managers.py", line 48, in run
    self.syncReports()
  File "/root/faraday-dev/managers/reports_managers.py", line 96, in syncReports
    client.send_output(command_string, filename)
  File "/root/faraday-dev/apis/rest/api.py", line 373, in send_output
    headers=self.headers)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 109, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(32, 'Broken pipe'))

2015-10-15 12:40:45,110 - faraday.model.api - DEBUG - Report file is /root/.faraday/report/newworkspace/report2.xml
2015-10-15 12:40:45,151 - faraday.model.api - DEBUG - nexpose-full
2015-10-15 12:40:45,154 - faraday.model.api - DEBUG - The file is /root/.faraday/report/newworkspace/report2.xml, nexpose-full
2015-10-15 12:40:45,155 - faraday.model.api - DEBUG - Executing ./nexpose-full /root/.faraday/report/newworkspace/report2.xml
2015-10-15 12:40:45,168 - faraday.CouchDbConnector - DEBUG - Saving document in couch db <Database newworkspace>
2015-10-15 12:40:45,845 - faraday.model.api - DEBUG - An exception was captured while saving reports
Traceback (most recent call last):
  File "/root/faraday-dev/managers/reports_managers.py", line 48, in run
    self.syncReports()
  File "/root/faraday-dev/managers/reports_managers.py", line 96, in syncReports
    client.send_output(command_string, filename)
  File "/root/faraday-dev/apis/rest/api.py", line 373, in send_output
    headers=self.headers)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 109, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(32, 'Broken pipe'))

Thoughts?

f-amato commented 9 years ago

Could you please send us the report to screen shot 2015-11-05 at 2 33 28 pm? Are you having problems with other reports?

NoahJaehnert commented 9 years ago

Looks like it was a problem with that specific report. I tried one of a scan that ran on a smaller subset of machines recently, and was met with a different error (related to parsing):

2015-10-19 15:43:23,978 - faraday.model.api - DEBUG - Report file is /root/.faraday/report/newworkspace/report.xml
2015-10-19 15:43:23,999 - faraday.model.api - DEBUG - nexpose-full
2015-10-19 15:43:24,001 - faraday.model.api - DEBUG - The file is /root/.faraday/report/newworkspace/report.xml, nexpose-full
2015-10-19 15:43:24,001 - faraday.model.api - DEBUG - Executing ./nexpose-full /root/.faraday/report/newworkspace/report.xml
2015-10-19 15:43:24,029 - faraday.CouchDbConnector - DEBUG - Saving document in couch db <Database newworkspace>
2015-10-19 15:43:24,946 - faraday.CouchDbConnector - DEBUG - Saving document in couch db <Database newworkspace>
2015-10-19 15:43:24,966 - faraday.model.api - DEBUG - PluginController (75676752) - Created plugin_process (78726544) for plugin instance (75611472)
2015-10-19 15:43:24,975 - faraday.model.api - DEBUG - ----------------------------------------
2015-10-19 15:43:24,975 - faraday.model.api - DEBUG - proc_name = PluginProcess-1
2015-10-19 15:43:24,975 - faraday.model.api - DEBUG - Starting run method on PluginProcess
2015-10-19 15:43:24,976 - faraday.model.api - DEBUG - parent process: 24702
2015-10-19 15:43:24,976 - faraday.model.api - DEBUG - process id: 24771
2015-10-19 15:43:24,976 - faraday.model.api - DEBUG - ----------------------------------------
2015-10-19 15:43:25,081 - faraday.model.api - DEBUG - PluginProcess-1: New Output
Plugin Error: NexposeFull, (7d874bf393310fce99f3d6839fa0c064842c899e)
2015-10-19 15:43:26,204 - faraday.model.api - DEBUG - Plugin raised an exception:
2015-10-19 15:43:26,207 - faraday.model.api - DEBUG - Traceback (most recent call last):
  File "/root/faraday-dev/plugins/core.py", line 802, in run
    self.plugin.parseOutputString(output)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 253, in parseOutputString
    parser = NexposeFullXmlParser(output)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 52, in __init__
    vulns = self.get_vuln_definitions(tree)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 164, in get_vuln_definitions
    vuln['desc'] += self.parse_html_type(htmlType)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 88, in parse_html_type
    ret += self.parse_html_type(child)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 107, in parse_html_type
    ret += str(node.text).strip()
UnicodeEncodeError: 'ascii' codec can't encode characters in position 1366-1367: ordinal not in range(128)

2015-10-19 15:43:26,207 - faraday.model.api - DEBUG - PluginProcess-1: Exiting
Plugin finished: NexposeFull, (7d874bf393310fce99f3d6839fa0c064842c899e)

Thoughts?

f-amato commented 9 years ago

Hi @NoahJaehnert Trying to replace the line 107 of /root/faraday-dev/plugins/repo/nexpose-full/plugin.py

from: ret += str(node.text).strip() to: ret += str(node.text.encode('ascii',errors='backslashreplace')).strip()

Let me know if this works.

f-amato commented 9 years ago

Hi @NoahJaehnert Do you have any feedback about it? Best

NoahJaehnert commented 9 years ago

Sorry for the delay. Still can't get it to import a Nexpose report correctly, even after adding your suggestions to line 170:

2015-11-04 08:32:23,355 - faraday.model.api - DEBUG - Executing ./nexpose-full /root/.faraday/report/import_test/report_new.xml
2015-11-04 08:32:23,368 - faraday.CouchDbConnector - DEBUG - Saving document in couch db <Database import_test>
2015-11-04 08:32:23,831 - faraday.CouchDbConnector - DEBUG - Saving document in couch db <Database import_test>
2015-11-04 08:32:23,841 - faraday.model.api - DEBUG - PluginController (63333200) - Created plugin_process (55129552) for plugin instance (63317072)
2015-11-04 08:32:23,850 - faraday.model.api - DEBUG - ----------------------------------------
2015-11-04 08:32:23,851 - faraday.model.api - DEBUG - proc_name = PluginProcess-1
2015-11-04 08:32:23,851 - faraday.model.api - DEBUG - Starting run method on PluginProcess
2015-11-04 08:32:23,851 - faraday.model.api - DEBUG - parent process: 4320
2015-11-04 08:32:23,851 - faraday.model.api - DEBUG - process id: 4452
2015-11-04 08:32:23,851 - faraday.model.api - DEBUG - ----------------------------------------
2015-11-04 08:32:23,902 - faraday.model.api - DEBUG - PluginProcess-1: New Output
Plugin Error: NexposeFull, (107bc1a943eae1760f292755e1af3f5873161ee2)
2015-11-04 08:32:24,511 - faraday.model.api - DEBUG - Plugin raised an exception:
2015-11-04 08:32:24,514 - faraday.model.api - DEBUG - Traceback (most recent call last):
  File "/root/faraday-dev/plugins/core.py", line 802, in run
    self.plugin.parseOutputString(output)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 254, in parseOutputString
    parser = NexposeFullXmlParser(output)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 52, in __init__
    vulns = self.get_vuln_definitions(tree)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 174, in get_vuln_definitions
    vuln['resolution'] += self.parse_html_type(htmlType)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 88, in parse_html_type
    ret += self.parse_html_type(child)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 105, in parse_html_type
    ret += self.parse_html_type(child)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 105, in parse_html_type
    ret += self.parse_html_type(child)
  File "/root/.faraday/plugins/nexpose-full/plugin.py", line 108, in parse_html_type
    ret += str(node.text.encode('ascii',errors='backslashreplace')).strip()
AttributeError: 'NoneType' object has no attribute 'encode'

2015-11-04 08:32:24,515 - faraday.model.api - DEBUG - PluginProcess-1: Exiting
Plugin finished: NexposeFull, (107bc1a943eae1760f292755e1af3f5873161ee2)
micabot commented 9 years ago

Hi @NoahJaehnert I can make a fix for you but I'll need the report to test it. Maybe you can obfuscate sensitive data beforehand and send it to screen shot 2015-11-05 at 2 33 28 pm? Let me know.

NoahJaehnert commented 9 years ago

Sure, I'll send a copy of the report over. Thanks for the help.

NoahJaehnert commented 9 years ago

Any update on this? Sent the report over about a week or so ago. Thanks!

micabot commented 9 years ago

@NoahJaehnert Sorry about the delay. We're on it - we're a bit busy right now but we'll get back to you as soon as possible.

micabot commented 9 years ago

Hi @NoahJaehnert! We've fixed this in the new release, which will be out soon. If you wish to patch your current version you can paste the following to a nexpose.patch and then from Faraday root run patch -p1 < nexpose.patch

diff --git a/plugins/repo/nexpose-full/plugin.py b/plugins/repo/nexpose-full/plugin.py
index 3db74cd..ef0037c 100644
--- a/plugins/repo/nexpose-full/plugin.py
+++ b/plugins/repo/nexpose-full/plugin.py
@@ -87,13 +87,13 @@ class NexposeFullXmlParser(object):
                 for child in list(node):
                     ret += self.parse_html_type(child)
             else:
-                ret += str(node.text).strip()
+                ret += node.text.encode("ascii", errors="backslashreplace").strip() if node.get('text') else ""
         if tag == 'listitem':
             if len(list(node)) > 0:
                 for child in list(node):
                     ret += self.parse_html_type(child)
             else:
-                ret = str(node.text).strip()
+                ret = node.text.encode("ascii", errors="backslashreplace").strip() if node.get('text') else ""
         if tag == 'orderedlist':
             i = 1
             for item in list(node):
@@ -104,17 +104,17 @@ class NexposeFullXmlParser(object):
                 for child in list(node):
                     ret += self.parse_html_type(child)
             else:
-                ret += str(node.text).strip()
+                ret += node.text.encode("ascii", errors="backslashreplace") if node.get('text') else ""
         if tag == 'unorderedlist':
             for item in list(node):
                 ret += "\t" + "* " + self.parse_html_type(item) + "\n"
         if tag == 'urllink':
-            if node.text:
-                ret += str(node.text).strip() + " "
+            if node.get('text'):
+                ret += node.text.encode("ascii", errors="backslashreplace").strip() + " "
             last = ""
             for attr in node.attrib:
-                if node.get(attr) != node.get(last):
-                    ret += str(node.get(attr)) + " "
+                if node.get(attr) and node.get(attr) != node.get(last):
+                    ret += node.get(attr).encode("ascii", errors="backslashreplace") + " "
                 last = attr

         return ret
@@ -164,10 +164,15 @@ class NexposeFullXmlParser(object):
                             vuln['desc'] += self.parse_html_type(htmlType)
                     if item.tag == 'exploits':
                         for exploit in list(item):
-                            vuln['refs'].append(str(exploit.get('title')).strip() + ' ' + str(exploit.get('link')).strip())
+                            if exploit.get('title') and exploit.get('link'):
+                                title = exploit.get('title').encode("ascii", errors="backslashreplace").strip()
+                                link = exploit.get('link').encode("ascii", errors="backslashreplace").strip()
+                                vuln['refs'].append(title + ' ' + link)
                     if item.tag == 'references':
                         for ref in list(item):
-                            vuln['refs'].append(str(ref.text).strip())
+                            if ref.get('text'):
+                                rf = ref.get('text').encode("ascii", errors="backslashreplace").strip()
+                                vuln['refs'].append(rf)
                     if item.tag == 'solution':
                         for htmlType in list(item):
                             vuln['resolution'] += self.parse_html_type(htmlType)
micabot commented 8 years ago

@NoahJaehnert we published Faraday v1.0.16 including this patch