sullo / nikto

Nikto web server scanner

Bug: unrendered XML template variables in XML output #750

Closed postmodern closed 2 years ago

postmodern commented 2 years ago

I was testing the Fedora packaged version of nikto (nikto-2.1.6-8.fc34.noarch) and noticed that the XML output contains unrendered sections.

Expected behavior

Properly rendered XML.

Actual behavior

XML contained unrendered template variables.

<?xml version="1.0" ?>
<!DOCTYPE niktoscan SYSTEM "/usr/share/doc/nikto/nikto.dtd">
<niktoscan hoststest="0" options="-host example.com -output nikto.xml" version="2.1.6" scanstart="Mon Nov 29 07:22:56 2021" scanend="Wed Dec 31 16:00:00 1969" scanelapsed=" seconds" nxmlversion="1.2">

<scandetails targetip="93.184.216.34" targethostname="example.com" targetport="80" targetbanner="ECS (sec/974D)" starttime="2021-11-29 07:22:57" sitename="http://example.com:80/" siteip="http://93.184.216.34:80/" hostheader="example.com" errors="0" checks="4587">

<item id="#ID#" osvdbid="#TEMPL_OSVDB#" osvdblink="#TEMPL_OSVDB_LINK#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
<namelink><![CDATA[#TEMPL_ITEM_NAME_LINK#]]></namelink>
<iplink><![CDATA[#TEMPL_ITEM_IP_LINK#]]></iplink>
</item>

<item id="#ID#" osvdbid="#TEMPL_OSVDB#" osvdblink="#TEMPL_OSVDB_LINK#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
<namelink><![CDATA[#TEMPL_ITEM_NAME_LINK#]]></namelink>
<iplink><![CDATA[#TEMPL_ITEM_IP_LINK#]]></iplink>
</item>

<item id="#ID#" osvdbid="#TEMPL_OSVDB#" osvdblink="#TEMPL_OSVDB_LINK#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
<namelink><![CDATA[#TEMPL_ITEM_NAME_LINK#]]></namelink>
<iplink><![CDATA[#TEMPL_ITEM_IP_LINK#]]></iplink>
</item>

<item id="#ID#" osvdbid="#TEMPL_OSVDB#" osvdblink="#TEMPL_OSVDB_LINK#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
<namelink><![CDATA[#TEMPL_ITEM_NAME_LINK#]]></namelink>
<iplink><![CDATA[#TEMPL_ITEM_IP_LINK#]]></iplink>
</item>

<item id="#ID#" osvdbid="#TEMPL_OSVDB#" osvdblink="#TEMPL_OSVDB_LINK#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
<namelink><![CDATA[#TEMPL_ITEM_NAME_LINK#]]></namelink>
<iplink><![CDATA[#TEMPL_ITEM_IP_LINK#]]></iplink>
</item>

<statistics elapsed="178" itemsfound="5" itemstested="4587" endtime="2021-11-29 07:25:55" />
</scandetails>

</niktoscan>

Steps to reproduce

  1. sudo dnf install -y nikto
  2. Set NIKTODTD in /etc/nikto/config to /usr/share/doc/nikto/nikto.dtd (see Fedora bug 2027511)
  3. nikto -host example.com -output nikto.xml

Nikto version

---------------------------------------------------------------------------
Nikto Versions
---------------------------------------------------------------------------
File                               Version      Last Mod
-----------------------------      --------     ----------
Nikto main                         2.1.6
LibWhisker                         2.5
db_404_strings                     2.003        
db_content_search                  2.000        
         nary                      1.0
db_drupal                          1.00         
db_embedded                        2.004        
db_favicon                         2.010        
db_headers                         2.008        
db_httpoptions                     2.002        
db_multiple_index                  2.005        
db_outdated                        2.017        
db_parked_strings                  2.001        
db_realms                          2.002        
db_server_msgs                     2.006        
db_subdomains                      2.006        
db_tests                           2.021        
db_variables                       2.004        
nikto_apache_expect_xss.plugin     2.04         
nikto_apacheusers.plugin           2.06         
nikto_auth.plugin                  2.04         
nikto_cgi.plugin                   2.06         
nikto_clientaccesspolicy.plugin    1.00         
nikto_content_search.plugin        2.05         
nikto_cookies.plugin               2.05         
nikto_core.plugin                  2.1.5        
nikto_dictionary_attack.plugin     2.04         
nikto_drupal.plugin                1.00         
nikto_embedded.plugin              2.07         
nikto_favicon.plugin               2.09         
nikto_fileops.plugin               1.00         
nikto_headers.plugin               2.11         
nikto_httpoptions.plugin           2.10         
nikto_ms10_070.plugin              1.00         
nikto_msgs.plugin                  2.07         
nikto_multiple_index.plugin        2.03         
nikto_negotiate.plugin             2.00         
nikto_outdated.plugin              2.09         
nikto_parked.plugin                2.00         
nikto_paths.plugin                 2.00         
nikto_put_del_test.plugin          2.04         
nikto_report_csv.plugin            2.07         
nikto_report_html.plugin           2.05         
nikto_report_nbe.plugin            2.02         
nikto_report_sqlg.plugin           2.00         
nikto_report_text.plugin           2.05         
nikto_report_xml.plugin            2.05         
nikto_robots.plugin                2.06         
nikto_shellshock.plugin            2.01         
nikto_siebel.plugin                1.00         
nikto_sitefiles.plugin             2.00         
nikto_ssl.plugin                   2.01         
nikto_subdomain.plugin             2.01         
nikto_tests.plugin                 2.04         
---------------------------------------------------------------------------
---------------------------------------------------------------------------

Further technical info

$ perl --version
This is perl 5, version 32, subversion 1 (v5.32.1) built for x86_64-linux-thread-multi
(with 51 registered patches, see perl -V for more detail)

nikto_debug.log perl_version.txt
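A check for the failure reported above, as an added example that is not part of the original issue or of Nikto's code: it scans a Nikto XML report for leftover `#ID#` / `#TEMPL_...#` tokens before the report is handed to other tooling. The function names and the sample report (trimmed from the one quoted above, with one made-up rendered item) are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder tokens exactly as they appear in the report quoted in this issue.
PLACEHOLDER = re.compile(r"#(?:ID|TEMPL_[A-Z0-9_]+)#")

# Constructed sample: the issue's report trimmed to one unrendered item, plus
# one made-up rendered item for contrast.
SAMPLE = """<?xml version="1.0" ?>
<niktoscan hoststest="0" version="2.1.6" scanelapsed=" seconds">
<scandetails targethostname="example.com" targetport="80">
<item id="#ID#" osvdbid="#TEMPL_OSVDB#" method="#TEMPL_HTTP_METHOD#">
<description><![CDATA[#TEMPL_MSG#]]></description>
<uri><![CDATA[#TEMPL_URI#]]></uri>
</item>
<item id="999999" osvdbid="0" method="GET">
<description><![CDATA[Constructed finding text]]></description>
<uri><![CDATA[/]]></uri>
</item>
</scandetails>
</niktoscan>
"""


def unrendered_fields(xml_text):
    """List (item_index, location, token) for each placeholder left in an <item>."""
    hits = []
    for idx, item in enumerate(ET.fromstring(xml_text).iter("item")):
        for name, value in item.attrib.items():
            hits += [(idx, "@" + name, t) for t in PLACEHOLDER.findall(value)]
        for child in item:
            hits += [(idx, child.tag, t) for t in PLACEHOLDER.findall(child.text or "")]
    return hits


def check_report(xml_text):
    """Summarise whether a report is safe to hand to downstream tooling."""
    root = ET.fromstring(xml_text)
    bad_items = {idx for idx, _, _ in unrendered_fields(xml_text)}
    # The broken report also had scanelapsed=" seconds" (no number filled in).
    elapsed_ok = bool(re.search(r"\d", root.get("scanelapsed", "")))
    return {
        "items": len(list(root.iter("item"))),
        "unrendered_items": len(bad_items),
        "elapsed_ok": elapsed_ok,
        "usable": not bad_items and elapsed_ok,
    }
```

Running `check_report` on a real report before import keeps placeholder rows from being counted as findings in a tracker or dashboard.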

sullo commented 2 years ago

Sorry for the delay in replying. Do you know if this happens with the GitHub version of nikto? I don't typically support packaged installations--since most updates are via GitHub and not a new version, they tend to become stale rather quickly.

sullo commented 2 years ago

Closed due to no response.

postmodern commented 2 years ago

Sorry for the delay. After installing the perl-Net package I was able to test nikto.pl from HEAD and it seems to work as expected. So something is up with the Fedora package.

sullo commented 2 years ago

I suspected it was something with the packaging--thanks for confirming.

fomcl commented 2 years ago

Something very similar happens when using a yum-installed version of Nikto on CentOS 7. HTML report contains uninterpolated variables. Txt/csv hardly any info. Will try to install an up-to-date version tomorrow. I hope the report will clarify why Nikto is complaining about a missing X-frame-options header even though I added one in my Nginx server block. 😵

sullo commented 2 years ago

@fomcl I don't support the OS installation packages because at a minimum they get pretty outdated, and at worst they don't work or barely work at all. The only program I support is if it was installed/downloaded via GitHub. If you still see oddities please open a new ticket for the issue(s). Cheers!

postmodern commented 2 years ago

I think we should submit bug reports downstream to https://bugzilla.redhat.com/, since it appears CentOS/Fedora somehow broke their packages.

sullo commented 2 years ago

@postmodern feel free if you like. I can't possibly support all the packages for Nikto out there on various distributions :)

digininja commented 2 years ago

@fomcl If you use the -Save option, then you get the request and response for each issue and you will see whether the header is there or not.