source: trunk/docs/CHANGES.txt @ 70

2008-09-12 plugins/nikto_core.plugin plugins/nikto_httpoptions.plugin
plugins/db_httpoptions
        - Fix for ticket #38: httpoptions are drawn from a database
        - Now setup to allow dynamic databases, rather than all being imported
          by nikto_core at start time
2008-09-06 plugins/nikto_core.plugin tmpl/htm_close.tmpl
        - Fix for ticket #53: all plugins now show last mod date
        - Fix for ticket #51: updated copyright date in HTML
2008-09-04 plugins/nikto_core.plugin
        - Fix for ticket #55, introduced by the solution for ticket #44
        - Fix for ticket #53
=========Nikto 2.03=========
2008-08-12 plugins/db_outdated
        - Fix for Jetty to latest version, fixes ticket #49
2008-08-07 docs/nikto_manual.html
        - New export of the manual from the docbook
        - Updated versions in nikto.pl
2008-08-06 plugins/db_outdated
        - Added various new versions
2008-08-05 plugins/db_favicon
        - Fix for ticket #45
        - Added favicons for Roku Soundbridge and Ampache
2008-07-14 plugins/nikto_headers.plugin
        - Changes to look at non-standard headers
        - Changes to examine Apache's ETag header
2008-07-07 nikto.pl plugins/nikto_core.plugin plugins/nikto_reports.plugin
        - Fix for ticket #41 - a rather nasty bug that's been in nikto 2 since
          its inception; where variables weren't fully expanded.
2008-07-02 plugins/nikto_core.plugin
        - Fix for ticket #11 - change CGIDIRS test so that they're not
          hardcoded. The reponse codes are now kept in a variable in
          db_variables
        - Applied same to enumerating apache users plugin
        - Fix for ticket #39 - we now check whether getoptions failed, show
          usage and exit with a code of one. This also means that it will exit
          gracefully if a parameter is missed out when one is required.
2008-06-24 plugins/nikto_core.plugin
        - Fix for ticket #35 - allow multiple HTTP methods to identify
          an HTTP server, these are set with the variable CHECKMETHODS in
          config.txt
        - Fix for a bug in the nmap reader where it would ignore the IP
          address if it nmap didn't return a hostname.
2008-06-22 plugins/db_tests
        - Fix for ticket #26 - stop domino tests producing false positives
2008-06-20 plugins/nikto_httpoptions.plugin
        - Fix for ticket #30 - ensure that propfind has the right OSVDB tag
2008-04-22 plugins/nikto_outdated.plugin
        - Change to allow stop duplication of items when scanning more than one
          host. Fix for bug 28
2008-04-16 plugins/nikto_core.plugin
        - Change to allow reading of a host list from stdin
        - Fix for enhancement 10: read from nmap output (only -oG)
2008-04-15 plugins/nikto_core.plugin
        - Fixes for bug 25: Unopen ports are now reported
2008-04-14 templates/htm*
        - Fixes for bug 24: HTML output is now valid HTML 4.01 Strict
2008-04-11 nikto.pl
        - Started using international dates instead of the weird US format
        - Added a fix for bug id 23: allow a range of ports instead of a comma
        separated list
2008-04-11 db_outdated
        - Updated current version of Apache to 2.2.8
01.06.2008 2.02
        - Added XML output thanks to the work of Jabra. XML format comes from templates (same as HTML). See the 'templates' dir for more info.
        - HTML reports changed by Jabra to remove some oddities and remove HTML from items
        - Fixed non-reporting of non-HTTP ports (or closed ports) when at least one port was HTTP.
        - Removed experimental knowledge base (KB) code, as XML output is more flexible for long-term scan tracking
        - Added unique identifiers to all tests from databases, and all tests created in code
        - Updated documentation
01.02.2008 nikto_core
        - Fixed improper parsing of long options (-update, etc.). Thanks to Frank Breedijk for figuring this out.
12.30.2007 db_servers
        - Removed as it is not used
12.19.2007 nikto_msgs.plugin
        - Add a boundary for regex on versions to cut down false positives
12.19.2007 niko_favicon.plugin
        - Added OSVDB ID
12.18.2007 niko_favicon.plugin
        - Fix false positive when favicon.ico doesn't exist
11.22.2007 Nikto 2.01 release
        - Fix anti ids encoding use. thanks to Francisco Amato
        - Fix virtual host usage if set via CLI. thanks Jon Hart
        - Fix Host header restoration when testing for IIS IP leak
        - Fix for plugindir & templatedir if EXECDIR is set in config.txt, thanks Shiraishi.M and Will Andrews for pointing it out.
        - Fix count of items--count now accurately reflects the number of items, not just number of vulns. thanks Frank Breedijk
        - Kick a few more things to KB that should be saved
        - Added SKIPIDS to config.txt to completely ignore some tests loaded from db_tests. Suggested by Christian Folini.
        - Enhanced rm_active_content to try to exclude the file/QUERYSTRING requested
        - Unset the auth header after guessing at it. Thanks Paul Woroshow for reporting the bug.
11.12.2007 nikto_headers.plugin
         - Fix internal IP address snarfing for IIS, thanks Frank Breedijk for pointing it out
11.10.2007 Nikto 2.00 release
         - Rewrite of nikto_httpoptions.plugin to read the Public header
         - Fixups to prevent namespace violations in nikto.pl and nikto_core.plugin
         - Add some normalizations to the -root option variable, suggested by Erik Cabetas
         - Added -Display with options for suppressing redirects & cookies from being included in output
         - Added -Tuning options to let users specify what they would like to test, or exclude certain categories
         - Added config.txt's NMAPOPTS, thanks Sean Lewis for the suggestion
         - All new HTML report
         - Bugfix: a found cookie would report for every port/server after it was found
         - Bugfix: all hosts scanned with all ports if hosts file used
         - Bugfix: all hosts scanned with port 80 despite what the user wanted
         - Bugfix: Reverse DNS inet_aton error fix, pointed out by Jason Peel @ Foundstone
         - Changed auth checking so it will test any directory found, not just /, and removed nikto_realms.plugin as a consequence
         - Changed scan_database.db format significantly (and name), (and all the code to deal with tests)
         - Completely new 404 engine which causes less false-positives (see docs)
         - Created dump_lw_hash instead of dump_request_hash & dump_result_hash
         - Implemented a knowledge base which (should) store all the gory details of scans... probably use this later ;)
         - Moved pre-defined variables from config.txt to variables.db so they can be automagically updated. Entries in config.txt are still read.
         - Removed %CFG, storing vars in %NIKTO instead
         - Removed -generic
         - Removed extraneous global vars
         - Removed load_realms, combined with load_variables
         - Replaced %CONFIG with %NIKTOCONFIG
         - Set MAX_WARN to trigger on any response code, skipping 404|403|401|400 to avoid common ones
         - Added -Single single request mode
         - Updates to use the RFP's LibWhisker 2.0
         - Added -Help to show extended help ouput, changed default help screen to be shorter. Suggested by Jericho.
         - Additional error checking on invalid reverse-dns (Paul Woroshow)
         - Cleaned up comment/line parsing routines in multiple places, from Erik Cabetas
         - Tightened some for loops with real values instead of guessing, from Erik Cabetas
         - Addded error message if no host is specified, from Erik Cabetas
         - Added more robust output file type checking (txt/htm/cvs), from Erik Cabetas
         - Added more debug statements regarding which CGI directories will be scanned, from Erik Cabatas
         - Bugfix: more 'half dead host' scanning issues resolved with Jericho. LW is much pickier now about calling http_close
         - Added error if -F specified without -o, from Erik Cabetas
         - Bugfix: server category match no longer matches partial strings, from Erik Cabetas
         - Bugfix: mis-pasted line, pointed to by Erik Cabetas
         - Send all errors to STDERR
         - Added -config option to specify a config file, thanks to Pavel Kankovsky
         - fixed regex issue on banner. thanks Alexander Ehlert for pointing it out
         - All other plugins updated for v2 changes
         - Added favicon.ico hash checking
         - ... gobs more

02.06.2004 nikto_core.plugin    1.21
        - Cleaned up comment/line parsing routines in multiple places, from Erik Cabetas
        - Tightened some for loops with real values instead of guessing, from from Erik Cabetas
        - Removed duplicate bit of code, from Erik Cabetas
        - Addded error message if no host is specified, from Erik Cabetas
        - Added more robust output file type checking (txt/htm/cvs), from Erik Cabetas
        - Added more debug statements regarding which CGI directories will be scanned, from Erik Cabatas

12.17.2003 
        nikto_core.plugin       1.20
         - Fixed BID links, thanks Richard Tortorella for the report.

10.27.2003 Nikto 1.32 release
        nikto_core.plugin       1.19
         - Removed unecessary 'use IO::Socket' call from resolve()
         - Removed unecessary counters
         - Replaced some slow foreach counters
         - Moved proxy_check earlier, before port_scan, so it will be set first
         - Removed -allcgi option in favor of -CGIdir, which can specify to test 'all', 'none' or a specific directory.
         - Bugfix: testing through proxy by making sure host name is set instead of ip, thanks to Fabrice Annic for the catch
         - Bugfix: a regex/logic/if error in test_target, thanks Pavel Kankovsky for the bug report. 401/302 messages will now report regardless of test/pass fail.
         - Bugfix: -dbcheck now identifies duplicates without relying on message text, thanks Jericho / Attrition.org for pointing this out
         
        nikto.pl        1.12
         - Rearranged order of get_banner & setup so that it would be called right

        nikto_headers.plugin    1.08
         - Added DAAP header check

10.02.2003
        nikto_core.plugin       1.18
         - Fixed get_banner to properly handle multi host/port scans

10.01.2003
        nikto_outdated.plugin   1.12
         - Fixed improper matching in version evals, reported by Paul Bakker

09.30.2003
        nikto_core.plugin       1.17
         - Reordered loop code to make -f scans faster.
         - Added a skip for "(Win32)" in the version updates back to cirt.net

        nikto_outdated.plugin   1.11
         - Stripping () from version strings

09.24.2003  Nikto 1.31 release
        nikto_core.plugin       1.16
         - Fixed a bug in resolve() that may prevent name lookups when host files used
         - Fixed a bug in resolve() where scan would exit if 1 name resolution from host file failed
         - Changed set_targets so that if the -h value exists as a file it reads that instead of resolving it as a name. This eliminates need for .csv or .txt file name endings.
         - Added auto or semi-auto update of version strings to CIRT.net. This is done through a simple GET request. Controlled via config.txt's UPDATES variable.
           *ABSOLUTELY NO* server info is sent... only versions from HTTP headers, i.e. "Apache/4.0". Thanks to Jericho for feedback/ideas.
         - Added a host counter output at end & for every 10 hosts
         - Set CHANGES.txt download only on *code* updates, not DBs
         - Added MAX_WARN to config.txt for warning level on OK/Moved messages, thanks Jericho for the suggestion.
         - Added PROMPTS to config.txt to allow user control of prompting--good for unattended scans
         - Added a regex test to dbcheck() better catch errors in server_msgs.db
         - Thanks again to Jericho for many updated tests/information.
         - Cleaned up port scan code
         - Fixed/improved scanning through proxies

        nikto_outdated.plugin   1.09
         - Added support for sending updates of version strings to CIRT.net. See nikto_core.plugin version 1.15 notes.

    LW.pm - 1.8
         - Updated to LW.pm v1.8, see the change log included with it (www.wiretrip.net/rfp/).
         
    nikto.pl - 1.10
         - Implemented versioning on nikto.pl (!), many changes to support core 1.15
         - Put 'require LW.pm' down *after* we know where it is.. duh. Thanks J Barber (ussysadmin.com) for the suggestion. Also changed it 'require' vs 'use' so in the future I can update it, if necessary.
         - Hosts are now tested in the same order as the appear in an input file
         

08.18.2003
        nikto_outdated.plugin   1.08
            -  Fixed nasty regex bug in the version eval, and made more efficient. Pointed out by fr0stman, thx Zeno for assistance
             
07.22.2003
        nikto_headers.plugin    1.07
         - Added Host header back after delete in IIS Content-Location check. Thanks to Abdi Ponce for the bug report & debug.

        nikto_httpoptions.plugin        1.04
         - Changed PROPPATCH, TRACK, TRACE messages. Changed PROPFIND message, thanks to Jericho for tracking down some good info on it.  Added SEARCH message.
         
        nikto_core.plugin       1.14
         - Added <title> tags to the HTML output for browser-neatness
         - Removed a stray debug print
         
07.03.2003
         - Thanks to Jeremy Bae for many Jeus Webserver tests.

06.29.2003
        nikto_core.plugin       1.13
         - changed some &function calls to function() to keep $_ from being passed down another level..  thanks to zeno for the heads-up.
         
        nikto_headers.plugin    1.05
         - fixed the IIS4 content-location check as it had a tendency to fail miserably...

06.29.2003
        nikto_core.plugin       1.12
         - changed output of dump_request to be more like normal request text

06.29.2003
        nikto_core.plugin       1.11
         - bug fix for scanning through proxies

06.19.2003
        nikto_core.plugin       1.10
         - added 'csv' to file formats in -help output (doh!)
         - minor speedups

06.17.2003
        nikto_user_enum_apache.plugin   1.02
         - Bugfix: some user names not tested (zz, zzz, etc.)
         - Major rewrite for speed improvements

        nikto_user_enum_cgiwrap.plugin  1.01
         - Bugfix: some user names not tested (zz, zzz, etc.)
         - Major rewrite for speed improvements

06.16.2003
        nikto_core.plugin       1.09
         - dbcheck option enhanced: check that all plugins are in the order file
         - dbcheck option enhanced: check that all plugins have properly named sub calls
         - update option enhanced: retrieves updated CHANGES.txt file with code updates
         - Bugfix: resolve() did not properly catch invalid IP addresses. Reported by Rick Tortorella.

06.12.2003
        nikto_core.plugin       1.08
         - Removed iprint() entirely (finally)
         - Made "Needs Auth" links active in HTML output
         
05.30.2003
        nikto_core.plugin       1.07
         - Bugfix: 

05.30.2003
        nikto_core.plugin       1.06
         - Added number of elapsed seconds to final host/port output
         - Bugfix: Changed CAN/CVE link to point to cve.mitre.org instead of ICAT
         - Bugfix: Duplicate port 80 in nmap options if -p not specified but 80 specified in hosts file

05.28.2003
        nikto_core.plugin       1.05
         - Bugfix: -update code prevented automatic updates. Found & fixed by Keith Young. Also reported by Paul Worshaw.
  
05.27.2003
        Nikto 1.30 release
    General changes
          - removed nikto_google.plugin entirely (may add better plugin later)
          - major "under the hood" changes to make things easier to maintain, read & modify
          - killed as many global vars as I could stand in favor of a few global hashes (CLI input, etc.)
          - added $CURRENT_HOST_ID and $CURRENT_PORT as globals--these are the pointers to "where you are" (mostly as in $TARGETS)
          - added the ability to have basic conditional items for tests, i.e. "200!index" to designate a response of "200" but the 
            content does not contain "index" (suggested by Paul Woroshow).
          - added -V option, which displays versions of all code files & databases (suggested by Jericho)
          - specifying -ssl now forces *all ports* on *all servers* to use ssl.  best that can be done for now. 
          - added multi-host support via a text file with port specification in the file or via CLI
          - all new save file routines
          - unbuffered file output to keep partial/cancelled run data
          - removed the -w option in favor of -F with multiple formats
          - added support for NTLM authentication
          - added cgiwrap plugin
        nikto_core.plugin       1.05
        - Many updates to support multiple host scans
        - Added UA for update agents
        - Changed all %SERVER hash refs to either %CLI or %TARGETS
        - Removed %BANNERS (now in %TARGETS)
        - Added set_targets() to handle various target input methods
        - Bugfix: non-SSL ports not found after first SSL port found on a host
        - Bugfix: authentication realms were not checked with the proper root if -r was specified on the CLI
        - Bugfix: can't call 'fprint' if core plugin is not found (duh!). Found by Erwin Paternotte.
        nikto_user_enum_cgiwrap.plugin  1.00
        - added
        nikto_mutate.plugin     1.05
        - change for using %CLI
        nikto_passfiles.plugin  1.01
        - change for using %CLI
        nikto_user_enum_apache.plugin   1.01
        - change for using %CLI
        - renamed from 'nikto_userenum.plugin'
        nikto_msgs.plugin       1.03
        - minor changes for multi-host support
        plugins_order.txt       1.03
        - removed nikto_google.plugin
                
02.23.2003      
        nikto_core.plugin       1.04
        - Added a work around for servers that answer with blank www-authenticate headers with invalid id/pass combos
        nikto_realms.plugin 1.00
        - Added to distro
        realms.db       1.00
        - Added to distro
        plugins_order.txt       1.02
        - Added nikto_realms.plugin

01.22.2003
        nikto_httpoptions.plugin        1.03    
        - standardized wording, added TRACE option, added more description to WebDAV msgs (thanks Jericho at attrition.org).

01.22.2003
        nikto_core.plugin       1.03    
        - fixed a bug with matching proper server categories, thanks to Paul Woroshow.

01.17.2003
        nikto_core.plugin       1.02    
        - fixed the GetOptions only looking for "-gener" instead of "-generic", thanks to Michel Arboi

01.02.2003
        nikto_core.plugin       1.01    
        - fixed proxy authentication not prompting for -update option

01.01.2003 
        Nikto   1.23
        - added nikto_plugin_order.txt to force plugin order to something we want rather than alpha
        - added nikto_core.plugin & removed most functions from nikto.pl
        - added -cookies option
        - enhanced db syntax error checking (spurred by syntax problems Thomas Reinke found)
        - started using the LW 1.6 libraries
        - fixed infinite loop output problem (no longer wrapping long lines)
        - removed usage from saved output (too long)
        - remove nikto_frontpage.plugin and put checks in scan_database.db
        - moved server categories from scan_database.db to servers.db
        - got rid of the leading "c," requirement from scan_database.db
        - added STATIC-COOKIE config item as suggested by Eyal Udassin
        - made CLI options case sensitive (to support more options, hosts files, etc)
        - added Javier Fernandez-Sanguino Pen~a's Apache user enumeration plugin
        - added -r (-root) file prepend as suggested by Eyal Udassin
        - many DB typo fixes from Jay Swofford
        - fixed a regex bug in nikto_robots.plugin and nikto_apacheusers.plugin
        - new update location (path) to better support upgrades that don't effect db syntax

08.21.2002
        Nikto   1.21    
        - Fixed all the proxy code--none of it was working due to where it was set in the initialization.
        - Added -update to the help output. Not sure why it wasn't there.

08.12.2002
        Nikto   1.20
        - Re-packaged to take out a testing line from LW.pm. Thanks to D Rhoades for the catch

08.11.2002
        Nikto   1.20    
        - Moved all mutate options to plugins
        - Added password file mutate plugin
        - Added better error messages if problems arise
        - Test for false-positives on all CGI directories
        - Added -useproxy CLI
        - Printing SSL certs the server accepts
        - Fixed port sorting if -f is used
        - Forked 1.20DCX edition for DefCon 10 CD: difference is only output
        - Fixed a bug where "findonly" was referenced as "findports" (thanks J DePriest)
        - Added properly wrapped text output in saved files

05.25.2002      
        Nikto   1.100   
        - stopped nikto from dying if no config.txt file found  
        - added Apache user enumeration plugin
        - added robots.txt plugin
        - set false-positive message to display at end of run as well as during
        - 
04.23.2002      
        Nikto   1.10BETA_3      
        - fixed CAN/CVE links, added BID/CA/MS links (suggested by Jericho).
        - prints total number of 'issues' found (suggested by Jericho).
        - fixed proxy usage in the cirt.net update function.
        - updated to use LW 1.4, which fixes an SSL infinite loop problem.
        - fixed 401 auth suppression (broken in beta 2).
        - added robots plugin to examine robots.txt & add items found to the mutate check
        - 
03.31.2002 
        Nikto   1.10BETA_2      
        - fixed the config.txt DEFAULTHTTPVER variable setting so it really works
        - made proxy_check run only once per session
        - removed all reference to "nikto" in the scan_database.db
        - 
03.23.2002      
        Nikto   1.10BETA_1
        - renamed plugins from .pl to .plugin, just for clarity. but they're still perl files
        - allowed nikto.pl to update plugins the same as .db files
        - usage of LW 1.2
        - countless "under the hood" type things
        - lowercase-incoming-headers to more easily handle case sensitive nonsense
        - compartmentalized a LOT more code to make things easier to read
        - created config.txt file configuration w/o midifying nikto.pl itself
        - added user_scan_database.db so that it won't get ovwr-written if the user adds checks
        - enabled RFP's LibWhisker anti-ids options
        - change "check," to "c," in scan_database, just to save a little bandwidth on cirt.net :)
        - added plugin to check HTTP methods
        - created a 'mutate' mode for really brute force finding stuff on servers
        - added the ability to set default CLI options via config file
        - added PLUGINDIR config variable
        - added plugin to check other HTTP headers (just x-powered-by for now)
        - added ability for nikto to auto-determine ssl v non-ssl on a port
        - added port scanning ability (with or without nmap)
        - added ability to send message via the update script's versions.txt file. I don't know why, but it may  be handy to let folks know if a new beta is out, or something.
        - implemented the virtual host headers as patched by Pasi Eronen
        - 
01.17.2002 
        Nikto   1.018 
        - Added /mpcgi/ to the @CGIDIRS array based on some suggestions.
        - Fixed a bug in the auth_check function (thanks RFP), and cleaned up error reporting on failed auths
        - 
01.12.2002      
        Nikto   1.017
        - Fixed a bug where the data portion of a request did not reset to null after some checks (thanks to Phil Brass for pointing me at it & letting me test against his server). 
        - 
01.10.2002
        Nikto   1.016
        - Add dump_*hash functions
        - Added pause (-x) in scan loop
        - Fixed a bug which caused a major slowdown
        - Added load_conf for setup for configuration files (future)
        - Fixed http vs. https links in output files
        - 
01.08.2002
        Nikto   1.015 
        - Fixed a bug (?) in Libwhisker PR4 (will check v1 code...)
        - Corrected an error which caused a few false-positives (404 really IS not found :)
01.07.2002      
        Nikto   1.014
        - Removed comment filtering from lines in scan_database.db to accommodate SSI includes
        - Fixed quoting removal for data portions in checks (so " is valid).
        - 
01.06.2002
        Nikto   1.013   
        - Made major globabl variable changes, moved tons of them to hashes
        - Wrote some basic plugin writing documentation & added 'docs' directory
        - 
01.03.2002
        Nikto   1.012
        - Added extended output for scan archival reasons (suggested by Steve Saady)
        - Changed host auth failure to a warning, not stoppage
        - Added "data" portion to scan_database.db
        - Added @IP and @HOSTNAME substitutions for scan_database.db checks (will be replaced by actual IP/hostname)
        - in case they are needed in the future.
        - Added JUNK() to scan_database.db checks to facilitate future buffer-overflows (non-DoS), and future DoS plugins
        - Added Proxy-agent as valid the same as Server result strings
        - Changed -l to -n ("nolookup") to be more accurate
        - 
01.02.2002
        Nikto   1.011
        - Added proxy auth for db update requests (oops).
        - Started .xxx version numbering scheme to make life easier
        - Fixed href tags in HTM output (< and > encoding and target host/ip)
        - Added "caseless" WWW-Authenticate finding (for iPlanet Proxy)
        - 
12.31.2001
        Nikto   1.01
        - Added regex to remove comments from scan_database.db in case they ever exist
        - Fixed extra 'Host:' line being sent to server (duh).
        - Fixed non 'GET' request data posting (duh).
        - Added -timeout option
        - 
12.27.2001      
        Nikto   1.00
        - Finalized beta version for release