search

leonjza / PHPNessusNG

PHP wrapper functions for interfacing with the Nessus V6.x API
MIT License
15 stars 9 forks source link

raw output goes in 403 error #10

Closed yoursecurity closed 9 years ago

yoursecurity commented 9 years ago

during my test i am experiencing a weird behavior; if I use the "standard" api

$nessus = new Nessus\Client($nessus_user, $nessus_pass, $nessus_host); $scans = $nessus->scans()->via('get'); var_dump($scans);

it works fine but instead if I ask for the raw contents in the "via" function

$nessus = new Nessus\Client($nessus_user, $nessus_pass, $nessus_host); $scans = $nessus->scans()->via('get', true); var_dump($scans);

I get an authentication (403) error:

PHP Notice: Trying to get property of non-object in /XXXXXXX/vendor/leonjza/php-nessus-ng/src/Nessus/Nessus/Call.php on line 65 Client error response [status code] 403 [reason phrase] Unauthorized [url] https://localhost:8834/scans/

leonjza commented 9 years ago

I think the token handling accidentally gets the raw, and then the token is never actually set. Thereafter, the requests fail because of that. Shouldn't be too hard to fix actually (assuming I am correct).

leonjza commented 9 years ago

I think this will also only occur if the first call after a new instantiation is called with the raw flag to true. The reason it works fine with say a report export is because the first few calls (that triggered the need for a new token) was called without it, and that original token is reused later.

yoursecurity commented 9 years ago

Hi Leon, I was just going to add comment that I fixed it replacing line 168 of file Call.php from

if ($scope->raw)

to

if (!empty($cookie_header) && $scope->raw)

to avoid the first call that generate the token inherits the raw flag.

Thanks! Marco

On 25-11-2014 15:47, Leon Jacobs wrote:

I think this will also only occur if the first call after a new instantiation is called with the raw flag to true. The reason it works fine with say a report export is because the first few calls (that triggered the need for a new token) was called without it, and that original token is reused later.

Reply to this email directly or view it on GitHub [1].

*

Links:

[1] https://github.com/leonjza/PHPNessusNG/issues/10#issuecomment-64409543

leonjza commented 9 years ago

Great! I'll do a fix for this after I have had a bit of a think about how the token is handled in general. :)

leonjza commented 9 years ago

v1.0.3 Should have this fixed :)

yoursecurity commented 9 years ago

works fine thanks ;-)!

On 26-11-2014 06:16, Leon Jacobs wrote:

v1.0.3 Should have this fixed :)

Reply to this email directly or view it on GitHub [1].

*

Links:

[1] https://github.com/leonjza/PHPNessusNG/issues/10#issuecomment-64516247