sullo
commented
7 years ago Libwhisker's stream_key() has this if statement:
if ( $type == 5 ) { $x = 0; $ENV{HTTPS_PROXY} = "$h:$p"; $h = $wh->{whisker}->{host}; $p = $wh->{whisker}->{port}; }
Which sucks in the environment variable. This only happens if $type = 5 which is Net::SSL.
However, this is all wrapped in:
if ( defined $wh->{whisker}->{proxy_host} ) {
That was set to a value if it's configured in nikto.conf, even if wasn't used. The commit here should undef that if -useproxy isn't set. Would appreciate it @harrim4n if you can confirm the fix works.
harrim4n
Version: 2.1.6 (latest on Kali), same issue with latest version from git repo LibWhisker version: 2.5
If the https_proxy ENV variable is set set, nikto fails with the message "No web server found on X.X.X.X:443". This happens even though the -useproxy option is not specified.
Here's the output of /nikto.pl -D d -h https://X.X.X.X
nikto_auto.txt
The issue only happens if the LW_SSL_ENGINE variable is set to "auto" or "SSL" (which is odd, considering "SSLeay" should be the default).
A workaround for this is either unsetting the https_proxy variable or manually setting the LW_SSL_ENGINE variable to "SSLeay".